ASA Policy Nat

jovan88 Member Posts: 393
OK guys, I'm trying to get into ASAs as I'm more of a Checkpoint man. I'm trying to get a NAT rule up and running; it shouldn't be too tough.

I have an ASA with 1 public IP address running PAT. HostA and HostB are out on the internet and the web servers are inside the LAN.

if HostA hits outside on http, port forward to webserverA
if HostB hits outside on http, port forward to webserverB

Now it seems like that shouldn't be a tough thing to accomplish, but the ASDM isn't making it as clear as other firewalls.

If anyone can give me a hand, or even direct me to some Cisco docs, that would be great.

Comments

  • jovan88 Member Posts: 393
    Looks like I can't do it unless I change the port numbers, for example

    if HostA hits outside on 80, port forward to webserverA
    if HostB hits outside on 8080, port forward to webserverB

    If that is the case, that's very disappointing, especially because some low-end firewalls can do this with no problem.

    Combining that with the fact that you can't do policy based routing - blehh
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Just curious, what version of ASA os are you using?
  • jovan88 Member Posts: 393
    5505 with OS ver 8.2(1)
  • ColbyG Member Posts: 1,264
    I'm not too great with ASAs, but something like this should/might work:

    Edit: Nevermind. I was thinking about it wrong. Lemme think some more, lol.
  • ColbyG Member Posts: 1,264
    Okay, second attempt. Again, not an ASA guru, but I think this would work:
    WebserverA = 192.168.1.10
    WebserverB = 192.168.1.20
    
    HostA = 1.1.1.1
    HostB = 1.1.1.2
    
    access-list ACL_HostA-To-WWW permit tcp host 1.1.1.1 any eq 80
    static (inside,outside) 192.168.1.10 access-list ACL_HostA-To-WWW
    
    access-list ACL_HostB-To-WWW permit tcp host 1.1.1.2 any eq 80
    static (inside,outside) 192.168.1.20 access-list ACL_HostB-To-WWW
    

    See if that does it.
  • jovan88 Member Posts: 393
    Thanks for your help; unfortunately the ASA gave me a big middle finger:

    ERROR: Protocol mismatch between the static and access-list

    Seems you can't define ports in the ACL? Bah.

    After some Googling, it looks like it can't be done:

    ASA - Source Based Static
  • instant000 Member Posts: 1,745
    Let me take a stab at this one: (source links below)

    example config:
    partner1 = 10.10.10.10
    partner2 = 20.20.20.20
    your public ip = 55.55.55.55
    your internal server1= 51.51.51.51 (the server partner 1 hits)
    your internal server2= 52.52.52.52 (the server partner 2 hits)


    access-list partner1 extended permit tcp host 10.10.10.10 eq http host 55.55.55.55
    access-list partner2 extended permit tcp host 20.20.20.20 eq http host 55.55.55.55

    static (outside,inside) tcp 51.51.51.51 80 access-list partner1
    static (outside,inside) tcp 52.52.52.52 80 access-list partner2


    Source:
    Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Configuring Static NAT [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

    For a configuration example from the learning network:
    https://learningnetwork.cisco.com/message/91237
    (note post number EIGHT ... smilies are vicious here ... 8 8

    Let me know if this works for you. Would be disappointed if it did not. (Note: I've not progressed to this in my studies yet, but it would be wonderful to have this one figured out already.)

    Hope this helps!
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000 Member Posts: 1,745
    And to clarify, the source of the protocol mismatch is that the ACL was for "tcp" but the static was for "ip" (as default). By specifying the static for "tcp, port 80", that should help the issue.
  • ColbyG Member Posts: 1,264
    instant000 wrote: »
    Let me take a stab at this one: (source links below)

    example config:
    partner1 = 10.10.10.10
    partner2 = 20.20.20.20
    your public ip = 55.55.55.55
    your internal server1= 51.51.51.51 (the server partner 1 hits)
    your internal server2= 52.52.52.52 (the server partner 2 hits)


    access-list partner1 extended permit tcp host 10.10.10.10 eq http host 55.55.55.55
    access-list partner2 extended permit tcp host 20.20.20.20 eq http host 55.55.55.55

    static (outside,inside) tcp 51.51.51.51 80 access-list partner1
    static (outside,inside) tcp 52.52.52.52 80 access-list partner2

    I was toying around with this idea as well. The issue I see is that the ASA won't let you specify the destination port in the ACL/NAT, only the source port, which we can't predict. Your ACL is specifying the source port of TCP 80, but that should be the destination port, no?

    So isn't your ACL/NAT saying, if you're coming in the outside interface from 10.10.10.10 with a source port of TCP 80, going to 55.55.55.55 with a destination port of ANY, DNAT to 51.51.51.51 TCP 80?

    I might be interpreting this wrong, but this is the impression I got when I was digging through it earlier today. I'll try labbing it later and see if it works.
  • instant000 Member Posts: 1,745
    Hrm.

    I pasted the commands into the config, and they were accepted, but they weren't checked to see if they actually functioned, and yes, the first port in the ACL would reference the source port.

    Maybe you could just use a permit ip access-list, instead of a permit tcp one ...

    hrm, but this idea to change it to only an ip access-list wouldn't work, though, if the outside partners had to connect to more than one internal IP at your area.

    ==============

    I looked at this for a couple hours last night, and just looking at it, it doesn't make sense to me, either.

    I do know that the ASA at least accepts it (but how well it works) wouldn't know, without generating traffic over port 80 to that address, from the differing sources.

    This is all I have now.

    I interpret it as allowing http requests from 10.10.10.10 directed at 55.55.55.55 to instead be translated to port 80 requests on tcp to 51.51.51.51.

    I hope that's how it's working, otherwise, this won't help you, if it's just referencing source port.
  • instant000 Member Posts: 1,745
    I found this in the command reference ... try this out (seems I was making the ACL backwards, try this ...)

    For HTTP traffic initiated from hosts on the 10.1.3.0 network to the adaptive security appliance outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering:

    hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 255.255.255.0
    hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP

    source: Cisco ASA 5500 Series Command Reference, 8.2 - shun -- sysopt radius ignore-secret [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
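    The command-reference example above, applied to the original question, as an added example that is not from the thread or from Cisco's documentation. The point it illustrates: the ACL attached to a `static` is written from the real (inside) side, so the host and port right after `permit tcp` are the real server and its real port (the destination port as the outside client sees it), and the address after them is the remote client that should get this translation. Assumed values: ASA 8.2 syntax, the outside address 203.0.113.10 (a constructed placeholder), and the server and host addresses from ColbyG's post; the ACL names are mine.

```cisco
! Added example for ASA 8.2 (pre-8.3 NAT); not from the thread or Cisco docs.
! Assumed: outside IP 203.0.113.10 (constructed), servers/hosts as in ColbyG's post.
!
! Policy static PAT: one public IP, TCP/80, two real servers selected by the remote client.
! The ACL is written from the inside (real) side:
!   source = real server + real port, destination = the remote client.
access-list NAT_HOSTA_WEB extended permit tcp host 192.168.1.10 eq http host 1.1.1.1
static (inside,outside) tcp 203.0.113.10 http access-list NAT_HOSTA_WEB

access-list NAT_HOSTB_WEB extended permit tcp host 192.168.1.20 eq http host 1.1.1.2
static (inside,outside) tcp 203.0.113.10 http access-list NAT_HOSTB_WEB

! Both the ACL and the static say "tcp", which is what avoids the
! "Protocol mismatch between the static and access-list" error seen earlier.

! The inbound interface ACL is still required. In 8.2 it is evaluated against
! the MAPPED (public) address, so permit the public IP, not the inside servers.
access-list OUTSIDE_IN extended permit tcp host 1.1.1.1 host 203.0.113.10 eq http
access-list OUTSIDE_IN extended permit tcp host 1.1.1.2 host 203.0.113.10 eq http
access-group OUTSIDE_IN in interface outside

! Verify without generating real traffic (source port 40000 is arbitrary):
!   packet-tracer input outside tcp 1.1.1.1 40000 203.0.113.10 80
!   packet-tracer input outside tcp 1.1.1.2 40000 203.0.113.10 80
! The NAT phase should show 192.168.1.10 for the first and 192.168.1.20 for the second;
! "show xlate" after a real connection confirms which translation was built.
```

    If the public IP is the outside interface's own address (the usual single-IP PAT setup described in the question), the `interface` keyword can take the place of 203.0.113.10 in the two `static` lines, as with the plain `static (inside,outside) tcp interface ...` port-forward form. Any client not listed in either NAT ACL matches neither static and is simply dropped, which is the intended least-exposure behaviour here.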
  • unclerico Member Posts: 237
    Try upgrading to 8.3 or later. If I remember correctly this functionality is included.
    Preparing for CCIE Written
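    For the upgrade path suggested here, an added example (not the thread's or Cisco's own) of the same two rules in the 8.3-and-later NAT model, where policy NAT is expressed as a manual (twice) NAT statement instead of a `static` plus ACL. Assumed: the same server and host addresses as before, object names of my choosing, and a service object using `source eq http`, because with `nat (inside,outside)` the web server is the source side of the rule.

```cisco
! Added example for ASA 8.3 and later; not from the thread or Cisco docs.
! Assumed: same addresses as the thread, object names are constructed.
object network WEBSERVER_A
 host 192.168.1.10
object network WEBSERVER_B
 host 192.168.1.20
object network HOST_A
 host 1.1.1.1
object network HOST_B
 host 1.1.1.2
object service HTTP_SRV
 service tcp source eq http

! Manual (twice) NAT, written from the inside: real source WEBSERVER_A is
! translated to the outside interface IP only when the other end is HOST_A;
! HTTP_SRV on both sides keeps TCP/80 unchanged. Same for WEBSERVER_B / HOST_B.
nat (inside,outside) source static WEBSERVER_A interface destination static HOST_A HOST_A service HTTP_SRV HTTP_SRV
nat (inside,outside) source static WEBSERVER_B interface destination static HOST_B HOST_B service HTTP_SRV HTTP_SRV

! From 8.3 on, interface ACLs match the REAL (untranslated) address,
! so permit the inside servers here, not the public IP.
access-list OUTSIDE_IN extended permit tcp host 1.1.1.1 host 192.168.1.10 eq http
access-list OUTSIDE_IN extended permit tcp host 1.1.1.2 host 192.168.1.20 eq http
access-group OUTSIDE_IN in interface outside

! Checks: "show nat" lists manual NAT rules in evaluation order (top-down),
! and packet-tracer shows which rule a given client hits:
!   packet-tracer input outside tcp 1.1.1.1 40000 <outside-interface-IP> 80
```

    The two rules are disjoint by destination host, so their relative order does not matter; if a broader rule (for example one permitting any source to reach the public IP on TCP/80) is added later, it must sit below these two, since manual NAT is first-match.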