ASA config-I'm stumped

  • ASA config-I'm stumped

    I have a 5520 (v8.2, ASDM v6.4) with 3 network legs: Internal, DMZ, External. External has a range of address and is the outgoing NAT pool. I have a mail transport server in the DMZ that has to accept inbound SMTP and a web server in one subnet of the Internal range which hosts an HTTPS site. For the WAN I'm connected to (not the Web), DNS points both SMTP and HTTPS requests at the first IP in our external's range, and that can't change.

    ACL rules for allowing inbound traffic for ports 25 and 443 to the External IP interface are in place, but the NAT/PAT options to get the inbound traffic to get to the right subnet/interface have got me. I've tried various options, but in each case, the second rule submission generates a failure regarding conflicts since the Ext IP already has 1 NAT statement in place.

    Obviously I've missed something simple; somebody care to be kind to an old man?
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

  • #2
    Re: ASA config-I'm stumped

    What, nobody??
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **


    • #3
      Re: ASA config-I'm stumped

      If I understand your post correctly, you are trying to port forward using a single public IP to multiple internal servers which can be reached via the ASA's dmz or inside interface. You already have the ACL that permits this traffic on the outside interface.

      ...and you want to create the following NAT translations (make necessary adjustments to fit your topology)

      STATIC NAT: 208.208.208.208/25 -> 172.16.0.2/25 (via dmz interface)
      STATIC NAT: 208.208.208.208/443 -> 10.10.10.2/443 (via inside interface)

      1) Static MAP (port forward) 208.208.208.208 port 25 to 172.16.0.2 port 25 (dmz)

      static (dmz,outside) tcp 208.208.208.208 smtp 172.16.0.2 smtp netmask 255.255.255.255

      2) Static MAP (port forward) 208.208.208.208 port 443 to 10.10.10.2 port 443 (inside)

      static (inside,outside) tcp 208.208.208.208 https 10.10.10.2 https netmask 255.255.255.255

      Hope this helps
      --Steve

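      For readers on the same 8.2 train, here is the full context those two statics live in, written as an added example rather than Steve's own config: interface names, security levels, addresses and the outbound pool are assumed, using the same constructed 208.208.208.208 / 172.16.0.2 / 10.10.10.2 values as the answer above. It also shows why the ASDM attempts collided: only port-level statics can share one global address.

```cisco
! Interfaces (names, security levels and addresses are assumed)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 208.208.208.209 255.255.255.128
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! Outbound dynamic NAT/PAT: the rest of the external range is the
! shared pool (constructed range), deliberately excluding .208 so it
! is free for the inbound port forwards below.
global (outside) 1 208.208.208.210-208.208.208.220 netmask 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! Inbound static PAT: one public IP, two ports, two servers on two
! interfaces. Each line claims only (ip, tcp, port), so both coexist.
! A plain one-to-one "static (dmz,outside) 208.208.208.208 172.16.0.2"
! would claim the whole address, and a second static on .208 would
! then be rejected as a mapped-address conflict.
static (dmz,outside) tcp 208.208.208.208 smtp 172.16.0.2 smtp netmask 255.255.255.255
static (inside,outside) tcp 208.208.208.208 https 10.10.10.2 https netmask 255.255.255.255
!
! Pre-8.3 inbound ACLs match the global (public) address, not the
! real server address. Permit only the two forwarded ports.
access-list OUTSIDE_IN extended permit tcp any host 208.208.208.208 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 208.208.208.208 eq https
access-group OUTSIDE_IN in interface outside
```

      To confirm the right static and ACL entry are hit before involving the mail or web admins, run `packet-tracer input outside tcp 203.0.113.5 40000 208.208.208.208 25` (and the same for 443) from the CLI and read the NAT and ACCESS-LIST phases; `show xlate` then lists the two PAT translations.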

      • #4
        Re: ASA config-I'm stumped

        I'll certainly give it a try, but experimentation to date says no, at least through using the Public Servers wizard in the ASDM GUI. Haven't really the time to absorb the differences in the CLI structure on the ASA vs the 37xx series switches I'm familiar with.

        The boss will be happy to hear if this does the job! I'll let you know.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **


        • #5
          Re: ASA config-I'm stumped

          Once I found the CLI access in the GUI and actually read the statements in place, I realised what I'd been doing (assumptions can really screw you up!!)

          Of course your suggestion did the trick, I simply haven't had the time to become comfortable with the newer interfaces to see it beforehand.

          Many thanks.
          *RicklesP*
          MSCA (2003/XP), Security+, CCNA

          ** Remember: credit where credit is due, and reputation points as appropriate **


          • #6
            Re: ASA config-I'm stumped

            Glad to hear you got this working.
