ASA Policy Nat

OK guys I'm trying to get into ASAs as I'm more of a Checkpoint man, I'm trying to get a NAT rule up and running, it shouldn't be too tough.

I have an ASA with 1 public IP address running PAT, HostA and HostB are out on the internet and the webservers are inside the LAN

if HostA hits outside on http, port forward to webserverA
if HostB hits outside on http, port forward to webserverB

Now it seems like that shouldn't be a tough thing to accomplish, but the ASDM isn't making it as clear as other firewalls.

If anyone can give me a hand or even direct me to some cisco docs that would be great

Find more posts tagged with

Comments

jovan88

Looks like I can't do it unless I change the port numbers, for example

if HostA hits outside on 80, port forward to webserverA
if HostB hits outside on 8080, port forward to webserverB

If that is the case, thats very dissapointing, especially because some low end firewalls can do this with no problem.

Combining that with the fact that you can't do policy based routing - blehh

Bl8ckr0uter

Just curious, what version of ASA os are you using?

jovan88

5505 with OS ver 8.2(1)

ColbyG

I'm not too great with ASAs, but something like this should/might work:

Edit: Nevermind. I was thinking about it wrong. Lemme think some more, lol.

ColbyG

Okay, second attempt. Again, not an ASA guru, but I think this would work:

WebserverA = 192.168.1.10
WebserverB = 192.168.1.20

HostA = 1.1.1.1
HostB = 1.1.1.2

access-list ACL_HostA-To-WWW permit tcp host 1.1.1.1 any eq 80
static (inside,outside) 192.168.1.10 access-list ACL_HostA-To-WWW

access-list ACL_HostB-To-WWW permit tcp host 1.1.1.2 any eq 80
static (inside,outside) 192.168.1.20 access-list ACL_HostB-To-WWW

See if that does it.

jovan88

thanks for your help, unforunately the ASA gave me a big middle finger:

ERROR: Protocol mismatch between the static and access-list

seems you can't define ports in the ACL? bah

after some Googling - looks like it can't be done:

ASA - Source Based Static

ColbyG

Well that sucks.

instant000

Let me take a stab at this one: (source links below)

example config:
partner1 = 10.10.10.10
partner2 = 20.20.20.20
your public ip = 55.55.55.55
your internal server1= 51.51.51.51 (the server partner 1 hits)
your internal server2= 52.52.52.52 (the server partner 2 hits)

access-list partner1 extended permit tcp host 10.10.10.10 eq http host 55.55.55.55
access-list partner2 extended permit tcp host 20.20.20.20 eq http host 55.55.55.55

static (outside,inside) tcp 51.51.51.51 80 access-list partner1
static (outside,inside) tcp 52.52.52.52 80 access-list partner2

Source:
Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Configuring Static NAT [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

For a configuration example from the learning network:
https://learningnetwork.cisco.com/message/91237
(note post number EIGHT ... smilies are vicious here ... 8 8

Let me know if this works for you. Would be disappointed if it did not. (Note: I've not progressed to this in my studies yet, but it would be wonderful to have this one figured out already.)

Hope this helps!

instant000

and to clarify, the source of the protocol mismatch is that the ACL was for "tcp" but the static was for "ip" (as default) By specifying the static for "tcp, port 80) that should help the issue.

ColbyG

instant000 wrote: »

Let me take a stab at this one: (source links below)

example config:
partner1 = 10.10.10.10
partner2 = 20.20.20.20
your public ip = 55.55.55.55
your internal server1= 51.51.51.51 (the server partner 1 hits)
your internal server2= 52.52.52.52 (the server partner 2 hits)

access-list partner1 extended permit tcp host 10.10.10.10 eq http host 55.55.55.55
access-list partner2 extended permit tcp host 20.20.20.20 eq http host 55.55.55.55

static (outside,inside) tcp 51.51.51.51 80 access-list partner1
static (outside,inside) tcp 52.52.52.52 80 access-list partner2

I was toying around with this idea as well. The issue I see is that the ASA won't let you specify the destination port in the ACL/NAT, only the source port, which we can't predict. Your ACL is specifying the source port of TCP 80, but that should be the destination port, no?

So isn't your ACL/NAT saying, if you're coming in the outside interface from 10.10.10.10 with a source port of TCP 80, going to 55.55.55.55 with a destination port of ANY, DNAT to 51.51.51.51 TCP 80?

I might be interpreting this wrong, but this is the impression I got when I was digging through it earlier today. I'll try labbing it later and see if it works.

instant000

Hrm.

I pasted the commands into the config, and they were accepted, but they weren't checked to see if they actually functioned, and yes, the first port in the ACL would reference the source port.

Maybe you could just use a permit ip access-list, instead of a permit tcp one ...

hrm, but this idea to change it to only an ip access-list wouldn't work, though, if the outside partners had to connect to more than one internal IP at your area.

==============

I looked at this for a couple hours last night, and just looking at it, it doesn't make sense to me, either.

I do know that the ASA at least accepts it (but how well it works) wouldn't know, without generating traffic over port 80 to that address, from the differing sources.

This is all I have now.

I interpret it as allowing http requests from 10.10.10.10 directed at 55.55.55.55 to instead be translated to port 80 requests on tcp to 51.51.51.51.

I hope that's how it's working, otherwise, this won't help you, if it's just referencing source port.

instant000

I found this in the command reference .....try this out (seems I was making the ACL backwards, try this ...)

For HTTP traffic initiated from hosts on the 10.1.3.0 network to the adaptive security appliance outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering:

hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0
255.255.255.0
hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP

source: Cisco ASA 5500 Series Command Reference, 8.2 - shun -- sysopt radius ignore-secret [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

unclerico

Try upgrading to 8.3 or later. If I remember correctly this functionality is included.

unclerico

Many-to-1 NAT
Netl33ts: Static many-to-one nats on a Cisco ASA