Redirecting Ports - Cisco FirePOWER ASA 5500 series Configuration Manual

NAT Examples
The security appliance already has a connected route for the inside network. These static routes allow
the security appliance to send traffic for the 192.168.100.0/24 network out the DMZ interface to the
gateway router at 10.1.1.2. (You need to split the network into two because you cannot create a static
route with the exact same network as a connected route.) Alternatively, you could use a more broad route
for the DMZ traffic, such as a default route.
If host 192.168.100.2 on the DMZ network wants to initiate a connection to host 192.168.100.2 on the
inside network, the following events occur:
1.
2.
3.

Redirecting Ports

Figure 17-27
Figure 17-27
Telnet Server
10.1.1.6
FTP Server
10.1.1.3
Web Server
10.1.1.5
Web Server
10.1.1.7
In the configuration described in this section, port redirection occurs for hosts on external networks as
follows:
•
•
•
•
To implement this scenario, perform the following steps:
Cisco Security Appliance Command Line Configuration Guide
17-34
The DMZ host 192.168.100.2 sends the packet to IP address 10.1.2.2.
When the security appliance receives this packet, the security appliance translates the source address
from 192.168.100.2 to 10.1.3.2.
Then the security appliance translates the destination address from 10.1.2.2 to 192.168.100.2, and
the packet is forwarded.
illustrates a typical network scenario in which the port redirection feature might be useful.
Port Redirection Using Static PAT
10.1.1.1
Inside
Telnet requests to IP address 209.165.201.5 are redirected to 10.1.1.6.
FTP requests to IP address 209.165.201.5 are redirected to 10.1.1.3.
HTTP request to security appliance outside IP address 209.165.201.25 are redirected to 10.1.1.5.
HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80.
209.165.201.25
Outside
Chapter 17 Applying NAT
OL-10088-01