CiscoConfigs.net
ASA Port Redirection - Port Forwarding
Written by Administrator   
Friday, 09 March 2007

ASA Port Redirection - Forwarding

This configuration snippet shows how to set up port redirection (port forwarding) on an ASA.  This scenario assumes that the ISP has
provided us with only a single public IP address.  If we only had outbound-originated traffic this would not be an issue, as all traffic
would PAT to the IP address assigned to the outside interface.  Here, however, we have a few servers that we want Internet users to be
able to access, so we will use port redirection to forward traffic destined for the single IP address on specific ports to
different servers on the inside listening on those ports.

ASA Port Redirection - Port Forwarding

#  This configuration was taken from an ASA 5510 running 7.0(4) with default security assignments of 0 on the outside and 100
#  on the inside.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.252

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0


#  The access list for the outside interface is configured to allow traffic from the Internet to 172.16.1.1 for web, terminal services and FTP.
#  You will see from the static commands later on that each of these requests will go to a different server on the inside.


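access-list outside-entry extended permit tcp any host 172.16.1.1 eq www
access-list outside-entry extended permit tcp any host 172.16.1.1 eq 3389
access-list outside-entry extended permit tcp any host 172.16.1.1 eq ftp

#  The access list only takes effect once it is bound inbound to the outside interface.
access-group outside-entry in interface outside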


#  When going from a higher security-level interface to a lower security-level interface, a nat and global command pair is used.
#  Any address on the 10.1.1.0/24 inside network going to the outside will use PAT, translating the source IP
#  to the IP address that is configured on the outside interface above.

global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0


#  These static commands take all www requests to the public IP address of 172.16.1.1 and forward them to the inside IP address
#  10.1.1.10 on port 80.  The same is done for terminal services and FTP requests to 172.16.1.1; however, each of these is forwarded
#  to a different inside IP address.

static (inside,outside) tcp 172.16.1.1 www 10.1.1.10 www netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.1 3389 10.1.1.12 3389 netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.1 ftp 10.1.1.15 ftp netmask 255.255.255.255

#  Finally, for reference, a default route is defined to the Internet.

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1

#  Default configuration lines have been omitted.
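
The following Python script is an added example, not part of the original article or any Cisco tooling. It cross-checks the static PAT lines against the access-list entries shown above and reports forwards that have no matching permit, permits with no forward, and services reachable from any source. The function name `audit` and the `SENSITIVE` list are assumptions of this example; the sample input is constructed from the lines on this page.

```python
import re

# Constructed sample: the ACL and static PAT lines from the configuration above.
CONFIG = """\
access-list outside-entry extended permit tcp any host 172.16.1.1 eq www
access-list outside-entry extended permit tcp any host 172.16.1.1 eq 3389
access-list outside-entry extended permit tcp any host 172.16.1.1 eq ftp
static (inside,outside) tcp 172.16.1.1 www 10.1.1.10 www netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.1 3389 10.1.1.12 3389 netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.1 ftp 10.1.1.15 ftp netmask 255.255.255.255
"""

# Services this audit flags when permitted from "any" (a choice made for this example).
SENSITIVE = {"3389": "terminal services", "ftp": "cleartext FTP", "21": "cleartext FTP"}

# As on this page, the ACL destination is the public (translated) address.
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp (any|host \S+|\S+ \S+) host (\S+) eq (\S+)$")
PAT_RE = re.compile(r"^static \(\S+,\S+\) tcp (\S+) (\S+) (\S+) (\S+) netmask \S+$")

def audit(config):
    """Return (forwards, findings) for the static PAT and ACL lines in config."""
    permits, forwards, findings = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            _acl, src, dst, port = m.groups()
            permits.setdefault((dst, port), []).append(src)
        elif m := PAT_RE.match(line):
            forwards.append(m.groups())  # (public_ip, public_port, inside_ip, inside_port)
    for pub_ip, pub_port, in_ip, in_port in forwards:
        sources = permits.pop((pub_ip, pub_port), None)
        if sources is None:
            findings.append(f"{pub_ip}:{pub_port} -> {in_ip}:{in_port} has no ACL permit")
        elif "any" in sources and pub_port in SENSITIVE:
            findings.append(f"{pub_ip}:{pub_port} -> {in_ip}:{in_port} exposes {SENSITIVE[pub_port]} to any source")
    for dst, port in permits:  # permits left over after matching every forward
        findings.append(f"ACL permits {dst}:{port} but no static forwards it")
    return forwards, findings

if __name__ == "__main__":
    for finding in audit(CONFIG)[1]:
        print(finding)
```

Replacing `any` in the 3389 entry with a specific management source network clears that finding while leaving the forward in place.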


 