[c-nsp] Cisco ASA static tcp forwarding question

Joerg Mayer jmayer at loplof.de
Mon Dec 31 03:57:43 EST 2007


On Mon, Dec 31, 2007 at 08:15:17AM +0100, Garry wrote:
> Andy Dills wrote:
> > On Sat, 29 Dec 2007, Michael Smith wrote:
> > 
> >> Hello All:
> >>
> >> Is it possible to have a scenario where traffic coming in to a server  
> >> on either port 443 or port 80 is sent to the inside host only on port  
> >> 443?  Something like:
> >>
> >> static (inside,outside) tcp x.x.x.x https 192.168.1.1 https
> >> static (inside,outside) tcp x.x.x.x http 192.168.1.1 https
> >>
> >> The above commands don't work because a previous entry is seen when  
> >> trying to add the second so I'm curious if anyone has gotten this  
> >> working and how?  This configuration is on a 5510 running 8.0(3).
> > 
> > You have to have one-to-one correspondence, the IP/port outside/inside 
> > addresses cannot have multiple static bindings. Otherwise, the ASA won't 
> > know which rule to use on the reply packets.
> 
> I was burned by this in a customer setup, too ... kinda sucks that the
> shining, new ASA isn't able to do what even simple iptables in Linux
> (among others, INCLUDING the regular router IOS) can manage ... after
> all, the firewall does use flows already to identify whether a packet
> may return through the firewall ...
> 
> I just hope Cisco gets to work soon to clean up some of the "white
> spots" still left in the ASA IOS ... e.g., route-maps are implemented,
> but only half ... I have at least two customers waiting for the ability
> to do decent policy routing on the ASA without having to put another
> router in front of it ...

Well, the PIX/ASA only supports PAT from a higher-security to a lower-security
interface. You are looking for PAT in the opposite direction (because that's
what this requirement ends up being).

 Ciao
     Joerg
-- 
Joerg Mayer                                           <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
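The one-to-one constraint Andy describes is easy to check before pushing a config: every inside ip:port may be the target of only one static PAT binding, and every outside ip:port may map to only one inside socket, otherwise the firewall cannot tell which translation a reply packet belongs to. The script below is an added example, not code from the thread or from Cisco; it parses `static (real,mapped) tcp|udp <mapped-ip> <mapped-port> <real-ip> <real-port>` lines with a small service-name table (an assumption: the real ASA knows many more names) and reports the duplicate bindings. The sample config is constructed from the two lines in the question, with a documentation address in place of x.x.x.x, plus one unrelated valid static.

```python
"""Check Cisco ASA/PIX 'static' lines for the one-to-one PAT constraint.

Two outside bindings to the same inside ip:port (or one outside ip:port
bound to two inside sockets) leave the firewall unable to pick the right
translation for reply traffic, so the ASA rejects the second line.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumption: minimal service-name table covering the names used in the
# thread; IANA port values.  The real ASA resolves many more names.
PORT_NAMES = {"http": 80, "https": 443, "smtp": 25, "ssh": 22}

STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
)

Socket = Tuple[str, str, int]  # (protocol, ip, port)


def port_number(token: str) -> int:
    """Accept a numeric port or one of the names in PORT_NAMES."""
    if token.isdigit():
        return int(token)
    try:
        return PORT_NAMES[token.lower()]
    except KeyError:
        raise ValueError(f"unknown service name: {token}") from None


def parse_statics(config: str) -> List[Tuple[Socket, Socket]]:
    """Return (mapped_socket, real_socket) pairs for every static PAT line.

    mapped = address/port seen on the outside (lower-security) interface,
    real   = the inside host the traffic is translated to.
    Blank lines, comments and unrelated commands are skipped.
    """
    pairs = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        proto = m["proto"]
        mapped = (proto, m["mapped_ip"], port_number(m["mapped_port"]))
        real = (proto, m["real_ip"], port_number(m["real_port"]))
        pairs.append((mapped, real))
    return pairs


def find_conflicts(config: str) -> Dict[str, Dict[Socket, List[Socket]]]:
    """Report sockets that carry more than one binding, in config order.

    Result: {"inside": {real_socket: [mapped sockets claiming it]},
             "outside": {mapped_socket: [real sockets it is bound to]}}
    Only sockets with two or more bindings are listed.
    """
    by_real: Dict[Socket, List[Socket]] = defaultdict(list)
    by_mapped: Dict[Socket, List[Socket]] = defaultdict(list)
    for mapped, real in parse_statics(config):
        by_real[real].append(mapped)
        by_mapped[mapped].append(real)
    return {
        "inside": {k: v for k, v in by_real.items() if len(v) > 1},
        "outside": {k: v for k, v in by_mapped.items() if len(v) > 1},
    }


# Constructed sample: the two lines from the question (203.0.113.10 stands
# in for x.x.x.x) plus one unrelated static that is fine on its own.
SAMPLE_CONFIG = """
static (inside,outside) tcp 203.0.113.10 https 192.168.1.1 https
static (inside,outside) tcp 203.0.113.10 http 192.168.1.1 https
static (inside,outside) tcp 203.0.113.10 smtp 192.168.1.2 smtp
"""

if __name__ == "__main__":
    report = find_conflicts(SAMPLE_CONFIG)
    for real, mapped in report["inside"].items():
        outs = ", ".join(f"{ip}:{port}" for _, ip, port in mapped)
        print(f"inside {real[1]}:{real[2]}/{real[0]} is bound to {outs}")
    for mapped, reals in report["outside"].items():
        ins = ", ".join(f"{ip}:{port}" for _, ip, port in reals)
        print(f"outside {mapped[1]}:{mapped[2]}/{mapped[0]} maps to {ins}")
```

Run against the sample it flags 192.168.1.1:443/tcp as claimed by both 203.0.113.10:443 and 203.0.113.10:80, which is exactly the pair the ASA refuses; the outside-side check stays empty because each outside port appears once.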