  • Port Forwarding from DMZ to Internal?

    Dear All,
    I'm new here, and I have a question about an ASA config. I've been working on it for some hours, and I'm now a little confused.

    I use an ASA with Rel. 8.4 for Internet access. We have an Outside interface with a public address, 2 logical DMZ interfaces (mapped to one physical interface) with public addresses and one Internal interface.

    Code:
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 217.1.1.154 255.255.255.252
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 10.1.1.78 255.255.255.240
    !
    interface GigabitEthernet0/2
     description 802.1q Trunking Interface for DMZ networks
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2.1
     description DMZ1
     vlan 11
     nameif dmz1
     security-level 10
     ip address 217.1.1.157 255.255.255.252
    !
    interface GigabitEthernet0/2.2
     description DMZ2
     vlan 12
     nameif dmz2
     security-level 15
     ip address 217.2.176.113 255.255.255.248
    In DMZ 2 I have one free IP address (217.2.176.114). Now I would like to use this address (completely, or HTTP and HTTPS only) to connect from Outside to a server placed in the inside network. So my question is: can I, and how can I, use NAT to forward these ports from an IP located in the DMZ network to an internal network IP?

    Port forwarding from the Outside interface to Internal is already clear to me.

    Kind Regards
    Last edited by engl71; 7th November 2013, 21:06.

  • #2
    Re: Port Forwarding from DMZ to Internal?

    Hi, here is what I would try; you may need to tweak it a bit to meet your requirements.

    In global config mode add the following commands:
    ip nat inside source static tcp 10.1.1.2 80 217.2.176.114 80
    ip nat inside source static tcp 10.1.1.2 443 217.2.176.114 443

    Create an access list that allows least secure to most secure interface:
    access-list dmz2_acl permit tcp any any eq 80
    access-list dmz2_acl permit tcp any any eq 443
    access-list dmz2_acl permit tcp any any eq any eq established

    Issue the ip nat outside and access-group dmz2_acl in commands on interface GigabitEthernet0/2.2
    Issue the ip nat inside command on interface GigabitEthernet0/1

    Test and see if it works.
    Last edited by uk_network; 5th November 2013, 21:27.
    Please remember to award reputation points if you have received good advice.
    I do tend to think 'outside the box' so others may not always share the same views.

    MCITP -W7,
    MCSA+Messaging, CCENT, ICND2 slowly getting around to.

    • #3
      Re: Port Forwarding from DMZ to Internal?

      Thanks for the reply. But Release 8.4 doesn't know this syntax.

      OK, I tried to adopt part 1 with only HTTP:
      Code:
      object network nh_serv028
      host 10.1.1.2
      object network nh_serv028Pub
      host 217.2.176.114
      object service so_serv028-tcp80
      service tcp source eq WWW

      nat source static nh_serv028 nh_serv028Pub service so_serv028-tcp80

      I think the ACLs are clear.

      Possibly the interface configuration is an issue. Currently working:
      Code:
      nat (inside,outside) after-auto source dynamic any interface
      nat (guests,outside) after-auto source dynamic any interface
      So I have to add: nat (inside,dmz2)???

      Regards
      Last edited by engl71; 7th November 2013, 21:06.

      • #4
        Re: Port Forwarding from DMZ to Internal?

        Hi, I tried the NAT configuration today and it is working well.

        Code:
        object network nh_serv028
         host 10.1.1.2
        object network nh_serv028Pub
         host 217.2.176.114
        object service so_serv028-tcp80
         service tcp source eq WWW
        nat source static nh_serv028 nh_serv028Pub service so_serv028-tcp80 so_serv028-tcp80
        nat (inside,dmz2) after-auto source dynamic any interface
        I forgot the last line before. Thanks for putting me on the right track!
        Last edited by engl71; 7th November 2013, 21:27.
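        The same object-based twice NAT, written out as an added example (not the thread's own configuration, and not a verified config from the poster): both HTTP and HTTPS are forwarded, the interface pair is stated explicitly, the inbound ACL is placed on the interface where Internet clients actually arrive and is limited to the one host and two ports, and packet-tracer is used to check the result. Object names and addresses are the thread's; the 443 service object, the ACL name outside_in and the packet-tracer client address are assumptions.

        ```cisco
        ! Real and mapped hosts (names and addresses from the thread)
        object network nh_serv028
         host 10.1.1.2
        object network nh_serv028Pub
         host 217.2.176.114
        !
        ! One service object per forwarded port. In a static twice-NAT rule the
        ! real server is the "source" of the rule, so the port is a source port.
        object service so_serv028-tcp80
         service tcp source eq www
        object service so_serv028-tcp443
         service tcp source eq https
        !
        ! Twice NAT: real host/port on inside <-> mapped host/port on outside.
        ! The thread's rule omitted the interface pair, which means (any,any);
        ! naming (inside,outside) limits the rule to the flow that needs it.
        ! Add an (inside,dmz2) copy only if hosts in DMZ2 must also reach the
        ! server via 217.2.176.114.
        nat (inside,outside) source static nh_serv028 nh_serv028Pub service so_serv028-tcp80 so_serv028-tcp80
        nat (inside,outside) source static nh_serv028 nh_serv028Pub service so_serv028-tcp443 so_serv028-tcp443
        !
        ! Inbound ACL on the outside interface, scoped to the single server and
        ! the two ports. ASA 8.3+ ACLs match the real (untranslated) address.
        ! If outside already has an inbound ACL, add these entries to it instead
        ! of applying a new one, since access-group replaces the existing ACL.
        access-list outside_in extended permit tcp any object nh_serv028 eq www
        access-list outside_in extended permit tcp any object nh_serv028 eq https
        access-group outside_in in interface outside
        !
        ! Exec-mode checks: simulate one client connection without sending
        ! traffic, then confirm the translation exists. 203.0.113.10 is a
        ! constructed client address from the documentation range.
        packet-tracer input outside tcp 203.0.113.10 40000 217.2.176.114 443
        show nat detail
        show xlate
        ```

        packet-tracer should show the NAT phase untranslating 217.2.176.114:443 to 10.1.1.2:443 and the ACCESS-LIST phase permitting it; a DROP in either phase points at the rule to fix.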

        • #5
          Re: Port Forwarding from DMZ to Internal?

          Hi, glad you got it working and thanks for posting the resolution.