[c-nsp] Cisco ASA static tcp forwarding question

Garry gkg at gmx.de
Mon Dec 31 02:15:17 EST 2007


Andy Dills wrote:
> On Sat, 29 Dec 2007, Michael Smith wrote:
> 
>> Hello All:
>>
>> Is it possible to have a scenario where traffic coming in to a server  
>> on either port 443 or port 80 is sent to the inside host only on port  
>> 443?  Something like:
>>
>> static (inside,outside) tcp x.x.x.x https 192.168.1.1 https
>> static (inside,outside) tcp x.x.x.x http 192.168.1.1 https
>>
>> The above commands don't work because a previous entry is seen when  
>> trying to add the second so I'm curious if anyone has gotten this  
>> working and how?  This configuration is on a 5510 running 8.0(3).
> 
> You have to have one-to-one correspondence, the IP/port outside/inside 
> addresses cannot have multiple static bindings. Otherwise, the ASA won't 
> know which rule to use on the reply packets.

I was burned by this in a customer setup, too ... kinda sucks that the
shining, new ASA isn't able to do what even simple iptables in Linux
(among others, INCLUDING the regular router IOS) can manage ... after
all, the firewall does use flows already to identify whether a packet
may return through the firewall ...

I just hope Cisco gets to work soon to clean up some of the "white
spots" still left in the ASA IOS ... e.g., route-maps are implemented,
but only half ... I have at least two customers waiting for the ability
to do decent policy routing on the ASA without having to put another
router in front of it ...

-gg
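As an added illustration (not code from the thread), here is a toy Python model of the two NAT styles the posters contrast: a stateless, bidirectional `static` table that must refuse the second binding for 192.168.1.1:443, and a flow-tracking NAT that can forward both outside ports to the same inside socket and still send replies back with the right source port. The addresses, ports and client sockets are constructed for the demo.

```python
class StaticNatTable:
    """ASA-style static: each inside socket and each outside socket may appear once."""
    def __init__(self):
        self.entries = []  # (outside_ip, outside_port, inside_ip, inside_port)

    def add(self, outside_ip, outside_port, inside_ip, inside_port):
        # A static is consulted in both directions: an outbound packet from the
        # inside socket must map to exactly one outside socket, so the second
        # entry pointing at 192.168.1.1:443 is refused, as in the thread.
        for o_ip, o_port, i_ip, i_port in self.entries:
            if (o_ip, o_port) == (outside_ip, outside_port) or (i_ip, i_port) == (inside_ip, inside_port):
                raise ValueError("duplicate static entry")
        self.entries.append((outside_ip, outside_port, inside_ip, inside_port))


class FlowNat:
    """Conntrack-style DNAT: rules may share a target; replies are matched per flow."""
    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.rules = {}   # outside_port -> (inside_ip, inside_port)
        self.flows = {}   # (client_ip, client_port, inside_ip, inside_port) -> original outside_port

    def dnat(self, outside_port, inside_ip, inside_port):
        self.rules[outside_port] = (inside_ip, inside_port)

    def inbound(self, client_ip, client_port, dst_port):
        """First packet of a client connection: rewrite the destination and record the flow."""
        inside = self.rules[dst_port]
        self.flows[(client_ip, client_port) + inside] = dst_port
        return inside

    def reply(self, inside_ip, inside_port, client_ip, client_port):
        """Server reply: the flow entry restores the outside port the client actually used."""
        orig_port = self.flows[(client_ip, client_port, inside_ip, inside_port)]
        return (self.outside_ip, orig_port)


def demo():
    # Constructed values standing in for x.x.x.x and a test client.
    statics = StaticNatTable()
    statics.add("203.0.113.10", 443, "192.168.1.1", 443)
    try:
        statics.add("203.0.113.10", 80, "192.168.1.1", 443)
        second_static_accepted = True
    except ValueError:
        second_static_accepted = False
    fw = FlowNat("203.0.113.10")
    fw.dnat(443, "192.168.1.1", 443)
    fw.dnat(80, "192.168.1.1", 443)
    fw.inbound("198.51.100.7", 40001, 80)
    fw.inbound("198.51.100.7", 40002, 443)
    return (second_static_accepted,
            fw.reply("192.168.1.1", 443, "198.51.100.7", 40001),
            fw.reply("192.168.1.1", 443, "198.51.100.7", 40002))
```

Running `demo()` shows the static table rejecting the overlapping entry while the flow-based NAT answers the port-80 client from port 80 and the port-443 client from port 443.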

