
I have been asked to configure our ASA 5505 to route traffic from one external IP (let's call it 208.X) to an arbitrary number of internal static IPs. I was told to consider port forwarding/mapping. Given that I am still more or less clueless about anything network-related, I can't tell whether any information I find on this site or Google is relevant. Let's start at the beginning.

  1. I understand there are multiple ways of doing what I need. Is using the ASA to route through multiple ports the best way?
  2. If the answer to the above is yes...is this the appropriate config to add to open (for example) port 678 and 789? Assume the static IP is already configured.
access-list OUTSIDE_IN extended permit tcp any host 208.X eq www
access-list OUTSIDE_IN extended permit tcp any host 208.X eq 678
access-list OUTSIDE_IN extended permit tcp any host 208.X eq 789
access-group OUTSIDE_IN in interface outside

I feel like I'm moving in the wrong direction. Where is it defined that port 678 traffic goes to internal IP A, whilst port 789 traffic goes to internal IP B?

Thanks for your help. Once again, any education is much appreciated.

spamguy
    I was writing a lengthy answer, but I need to know a bit more details. What version of the asa software and what version of ASDM? "sh run | include asdm image" and "sh ver" – pauska Jul 07 '11 at 06:55
  • I won't have login privs until today, but looking at the ASA config in our source depository, the ASA version is 7.2. We don't have ASDM. (If we do, we're not using it.) – spamguy Jul 07 '11 at 13:12

1 Answer


You are halfway there :)

In general, NATing firewalls have two basic necessities for moving traffic between interfaces. In the strictest of senses there are many more, but the two below are the ones encountered most often. The first is the access control and the second is a translation rule. This paradigm is true for most firewalls -- even if they don't expose it in a limited GUI (SOHO/consumer firewalls/routers) -- the GUI may be doing it for you underneath. On the CLI, however, you must take care to configure access control and the translation rules.

In your example you have configured the access control side of things with an access-list. The OUTSIDE_IN access-list is bound to the outside interface in the IN direction.

Knowing that, your access-list is telling the ASA to permit TCP traffic received on the outside interface from any source IP/TCP port combination destined for 208.x on TCP/80, 208.x on TCP/678, and 208.x on TCP/789.

The next step (or first step depending on how you like to do things) is to create a translation rule so the traffic gets translated -- after passing an access control check of course.

In ASA 8.2 and earlier this is accomplished with the static command. Major changes to NAT were implemented in ASA 8.3 and later -- so the following does not apply to 8.3 and up.

Assumptions:

  • 208.1.1.1/TCP/80 <-> 192.168.1.100/TCP/80
  • 208.1.1.1/TCP/678 <-> 192.168.1.101/TCP/678
  • 208.1.1.1/TCP/789 <-> 192.168.1.102/TCP/789
  • 192.168.1.0/24 on the inside interface

I have filled in the remaining octets of the external IP address with 1's to show clearly that we will be Port Address Translating (PAT), specifically static PAT, on a single external IP address. This is opposed to the more traditional static NAT where each internal IP would have its own unique external IP.

static (inside,outside) tcp 208.1.1.1 80 192.168.1.100 80 netmask 255.255.255.255
static (inside,outside) tcp 208.1.1.1 678 192.168.1.101 678 netmask 255.255.255.255
static (inside,outside) tcp 208.1.1.1 789 192.168.1.102 789 netmask 255.255.255.255

In general static PAT should be avoided as it is the ugliest type of NAT from both a management and technical standpoint. If you need to expose many internal servers to the Internet, the cleanest way to make it happen is with traditional static NAT -- where each server would have its own external IP.

Ref:

ASA 7.2 Command Reference

ASA 7.2 Command Reference static Command

-Weaver

Weaver
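The answer's point is that an inbound permit and a static PAT rule have to line up pair for pair: a port the access-list permits but no static rule translates is a hole with nothing behind it, and a static rule with no permit is a mapping that quietly does nothing until someone adds a permit later. The script below is an added example, not part of the answer or of Cisco's tooling. It parses the pre-8.3 `access-list`, `access-group` and `static` syntax the answer uses and reports both kinds of mismatch. The configuration it reads is a constructed sample built from the answer's hypothetical addresses (208.1.1.1 and 192.168.1.100-102), with one extra permit (TCP/3389) and one extra static rule (TCP/8080) deliberately added so the check has something to find.

```python
import re

# Constructed sample config in the answer's pre-8.3 syntax. The 3389 permit
# and the 8080 static rule are deliberate mismatches for the checker to find.
SAMPLE_CONFIG = """
access-list OUTSIDE_IN extended permit tcp any host 208.1.1.1 eq www
access-list OUTSIDE_IN extended permit tcp any host 208.1.1.1 eq 678
access-list OUTSIDE_IN extended permit tcp any host 208.1.1.1 eq 789
access-list OUTSIDE_IN extended permit tcp any host 208.1.1.1 eq 3389
access-group OUTSIDE_IN in interface outside
static (inside,outside) tcp 208.1.1.1 80 192.168.1.100 80 netmask 255.255.255.255
static (inside,outside) tcp 208.1.1.1 678 192.168.1.101 678 netmask 255.255.255.255
static (inside,outside) tcp 208.1.1.1 789 192.168.1.102 789 netmask 255.255.255.255
static (inside,outside) tcp 208.1.1.1 8080 192.168.1.103 8080 netmask 255.255.255.255
"""

# The ASA accepts well-known service names in place of port numbers, so
# "eq www" in the access-list has to compare equal to "80" in the static rule.
SERVICE_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "ftp": 21}

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"\S+\s+host\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+eq\s+(?P<port>\S+)\s*$"
)
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<real_port>\S+)\s+netmask\s+\S+\s*$"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\w+)\s*$")


def to_port(token):
    """Turn '80' or 'www' into an integer port number."""
    return SERVICE_NAMES[token] if token in SERVICE_NAMES else int(token)


def parse_config(text):
    """Return (permitted, translated).

    permitted:  set of (proto, mapped_ip, port) allowed by whichever access-list
                is bound inbound on the outside interface.
    translated: dict (proto, mapped_ip, mapped_port) -> (real_ip, real_port)
                built from the static PAT rules.
    """
    acl_entries = {}   # access-list name -> set of (proto, dst, port)
    bound = {}         # interface -> access-list name bound in the IN direction
    translated = {}
    for line in text.splitlines():
        line = line.strip()
        if (m := ACL_RE.match(line)):
            acl_entries.setdefault(m["name"], set()).add(
                (m["proto"], m["dst"], to_port(m["port"])))
        elif (m := STATIC_RE.match(line)):
            key = (m["proto"], m["mapped_ip"], to_port(m["mapped_port"]))
            translated[key] = (m["real_ip"], to_port(m["real_port"]))
        elif (m := GROUP_RE.match(line)):
            bound[m["iface"]] = m["name"]
    permitted = acl_entries.get(bound.get("outside"), set())
    return permitted, translated


def check_consistency(text):
    """Compare the inbound permits against the static PAT rules.

    permitted_not_translated: ports the ACL lets in but no static rule maps
                              to an inside host.
    translated_not_permitted: static rules that no inbound permit can reach
                              (a stale mapping, or one waiting for a permit).
    mapping:                  the pairs that do line up, external -> internal.
    """
    permitted, translated = parse_config(text)
    return {
        "permitted_not_translated": sorted(permitted - set(translated)),
        "translated_not_permitted": sorted(set(translated) - permitted),
        "mapping": {k: translated[k] for k in sorted(set(translated) & permitted)},
    }


if __name__ == "__main__":
    report = check_consistency(SAMPLE_CONFIG)
    for section, value in report.items():
        print(section)
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

Run it as-is to see the three matched pairs from the answer plus the two planted mismatches; to check a real unit, paste the output of `show running-config` in place of the constructed sample. Note that the access-list is matched against the mapped (external) address because that is how pre-8.3 code evaluates inbound ACLs; on 8.3 and later the ACL references the real address and the `static` syntax is gone, so this parser does not apply there.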