Using a Cisco ASA device with an external IP of 200.20.20.20 (interface OUTSIDE) and an internal subnet of 10.1.1.1/24 (interface INSIDE), how can I configure the ASA so that all traffic to a specific port on the external interface gets directed to an internal server (and the response is returned)?
For example, if an external user connects to 200.20.20.20:5000 I want it redirected to 10.1.1.27:8080.
-
To get this working you will need to set up a static NAT and add an entry to the access-list to allow the traffic. (NAT happens before the access-list: see Details of Order of Operations.)
Static NAT
Static NATs on Cisco have always been weird (for me at least). The basic thing to remember is (HIGH,LOW) LOW, HIGH for this command.
static (inside,outside) tcp 200.20.20.20 5000 10.1.1.27 8080 netmask 255.255.255.255 0 0
ACLs
This ACL entry will need to be added to whatever you have named the access-list attached to the OUTSIDE interface. (Change: *outside_acl*)
access-list outside_acl extended permit tcp any host 10.1.1.27 eq 8080
Disclaimer
Sorry I don't have my test ASA in front of me, but this should be very close.
DrStalker: spot-on; I just set the Static NAT, confirmed that packets were then being rejected by the ACLs, and tweaked the ACL.
Jeremy Rossi: Glad I could help - have a good day/night.
From Jeremy Rossi
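The answer above mixes the pre-8.3 "static" command with an ACL written against the real (inside) address, which is the 8.3-and-later convention; on 8.2 and earlier the interface ACL matches the mapped (public) address instead, which is the usual reason the first attempt is "rejected by the ACLs". The following is an added worked example, not part of the original answer or comments. It assumes the addresses from the question (outside interface 200.20.20.20, server 10.1.1.27 on TCP 8080, published port 5000); the ACL name outside_acl, the object name OBJ-WEB-10.1.1.27 and the external test address 198.51.100.10 are arbitrary placeholders.

```cisco
! Added example, not the original answer's config. Addresses are taken from
! the question; outside_acl, OBJ-WEB-10.1.1.27 and 198.51.100.10 are assumed.
!
! --- ASA 8.2 and earlier (classic "static" syntax) ---
! Mapped side first, real side second. The "interface" keyword selects the
! outside interface's own address instead of spelling 200.20.20.20 out.
static (inside,outside) tcp interface 5000 10.1.1.27 8080 netmask 255.255.255.255
! Pre-8.3 interface ACLs match the MAPPED (public) address and port.
access-list outside_acl extended permit tcp any host 200.20.20.20 eq 5000
access-group outside_acl in interface outside
!
! --- ASA 8.3 and later (object NAT) ---
! Static interface PAT: real port 8080 is published as outside port 5000
! (real port comes first in the "service" clause, then the mapped port).
object network OBJ-WEB-10.1.1.27
 host 10.1.1.27
 nat (inside,outside) static interface service tcp 8080 5000
! From 8.3 on, interface ACLs match the REAL (inside) address and port,
! which is the form the answer above shows.
access-list outside_acl extended permit tcp any host 10.1.1.27 eq 8080
access-group outside_acl in interface outside
!
! --- Verify without waiting for a real client ---
! Simulate an inbound SYN from a constructed external address; the output
! lists each phase (NAT, ACCESS-LIST, ...) and ends with ALLOW or DROP,
! naming the phase that dropped the packet.
packet-tracer input outside tcp 198.51.100.10 40000 200.20.20.20 5000
show nat
show xlate
```

Apply only the block that matches the running version (check with show version); the two syntaxes do not coexist. The packet-tracer run is the quickest way to tell a NAT problem from an ACL problem, since the phase that fails is named in its output. Only the single published port is exposed: the static entry matches TCP 5000 and nothing else on the outside address, and the ACL should stay equally narrow rather than permitting the whole host.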