dslreports logo
site
spacer

spacer
 
    All FAQs Site FAQ DSL FAQ Cable Tech About DSL Distance DSL Hurdles »»
spc

spacer




how-to block ads



Suggested prerequisite reading
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

For illustration purposes, I use:
* One Cisco PIX Firewall 501 (2 Ethernet ports) and one Cisco PIX Firewall 515 (3 Ethernet ports) running PIX OS version 6.3(3) for sample configurations in OS version 6.3
* One Cisco ASA 5520 (5 Ethernet ports) running OS 7.2(3) for sample configuration in OS 7.0 or later
* ISP provided static IPs
* ISP provided DNS
* Static WAN IP addresses, provided by ISP

Note:
1) When your ISP doesn't use Static IP Address
If your ISP does not use Static IP Address, this configuration can be easily modified to suit other type of ISP connections (i.e. DHCP, PPPoE, PPPoA). Check out other part of this forum's FAQ for such situation.
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco

2) For servers other than FTP
For illustration purposes, I run FTP server behind the router. This configuration can be modified to either have web server, mail server, or just any public servers that run on specific TCP or UDP port/ports. When you run web server, you can replace the TCP port 20 and 21 with TCP port 80 (the standard web port) and possibly also with TCP port 443 (the standard secure web port). As for mail server, replace with TCP port 25 (the standard mail port). For other servers (including print server and anything that need to be accessible from the Internet), confirm your software configuration of the TCP/UDP port it uses.

3) For ASA or PIX Firewall running OS version 7.0 or later
PIX OS version 6.3(3) commands are pretty much similar to the ASA or PIX OS version 7.0 or later. Should you need more sample configurations from different angle or sample configurations on ASA or PIX running OS version 7.0 or later, keep reading to get the preliminary concept overview then proceed to the next discussion.

4) CLI-based sample configuration
As most of the sample configurations here in this Cisco Forum's FAQ, this FAQ also uses CLI commands to provide sample configuration and illustration. Should you be unfamiliar with CLI commands or the ASDM does not work, please have yourself to review the following FAQ to guide you understanding CLI
»Cisco Forum FAQ »Straight-forward way to configure Cisco PIX Firewall/ASA: Introduction to CLI

Background

Brief explanation is in order. In this sample configuration, Ethernet0 interface is for outside network (ISP or WAN physical interface). Ethernet1 is for inside (LAN interface).

The ISP-provided IP Block is 1.1.1.9/24 - 1.1.1.14/24, where 1.1.1.9 is for the Internet traffic, 1.1.1.13 is for the server, and 1.1.1.14 is the PIX WAN interface IP address. The default gateway (the ISP) is 1.1.1.1/24.

This configuration example is for running FTP server, which uses the standard TCP port 20 and 21. You need to permit inbound traffic from the Internet to your LAN by issuing the access-list INBOUND permit tcp any host 1.1.1.13 range 20 21 command.

The LAN uses 10.10.10.0 network with 255.255.255.0 subnet for both servers and workstations. All servers within the LAN use static IP address. The PIX is configured as DHCP server to give out IP info (IP addresses, subnet mask, DNS) to workstations that are configured as DHCP client.

This sample configuration of setup your own servers behind Cisco router suggests multiple possible network design. In general, the suggested network design are either with or without port forwarding. When there is a port forwarding in place, it means there is NAT (Network Address Translation) and/or PAT (Port Address Translation) involved. When there is no port forwarding in place, it means there is no NAT/PAT involved.

Side Note:
For more info on NAT/PAT concept, check out the following FAQ
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

When there is a port forwarding in place, usually all or most of the following setup are in place.
* Servers use private IP address (typically fall under 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 subnets)
* Somewhere along the line between the servers and the Internet, there is a NAT/PAT in place.

In the first part of the sample configuration, the servers use the typical Private IP address and the Cisco router performs the NAT/PAT to bridge communication between the server and the Internet.

When there is no port forwarding in place, usually all or most of the following setup are in place.
* Servers use Public Internet-routeable IP address (typically don't fall under 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 subnets)
* No NAT/PAT in place between the servers and the Internet

In the second part of the sample configuration, the servers use Public IP address directly. The Cisco router does not perform NAT/PAT at all to bridge communication between the server and the Internet since there is no reason to do such.

As best practice, it is suggested not to do NAT/PAT or port forwarding between the server and the Internet when there are multiple Public IP subnets to use or when there is a large Public IP subnet that you can subnet into smaller network. When there is only one Public IP address or small-size subnet, then in general there is no other choice but to deploy NAT/PAT or port forwarding between the server and the Internet.

Evaluating ISP services

* Residential Broadband Internet service
Most likely this kind of service is insufficient to support running Internet-accessible server since most broadband ISP block incoming ports necessary for server connectivity. Upgrading to business account is highly suggested.

* Business Broadband Internet service
This service is the least to support running Internet-accessible server, with having one static Public IP address as minimum requirement. Confirm with your ISP whether you are assigned one static Public IP address or one dynamic IP address.

* Business Dedicated Internet circuit
This service is the norm to support running Internet-accessible server. You have a dedicated fiber, DS-3, or T1/E1 circuit along with circuit ID. The ISP installs their equipment at your facility in a form of Smartjack, managed router, or managed DWDM box which you need to extend to your equipment.

Not sure which services you have? Consult your ISP for further info.

Network Design Considerations

* One Dynamic Public IP address
Dynamic Public IP address is insufficient to support running Internet-accessible server. The consideration is that server connectivity requires stable and persistence traffic flow, which only static Public IP address can provide.

* One Static Public IP address
With only one static Public IP address, most likely you will have to implement PAT since you need to share the IP address for both the Internet-accessible servers and LAN machines to browse the Internet. You could implement NAT when you have at least two ISP where one is dedicated to the Internet-accessible servers and another one to the LAN machines.

* A Block of Static Public IP addresses
Having multiple static Public IP addresses provides leeway which you can dedicate one IP address to Internet browsing while the rest to Internet-accessible servers. In a occasion where you receive two blocks of static Public IP addresses (one block is for WAN and another is for LAN), you can even assign the static Public IP addresses directly to the servers.

Not sure which services you have? Consult your ISP for further info.

First Network Design: There is NAT/PAT in place between the server and the Internet (with port forwarding)

In this part of sample configuration, there will be two PAT in place between Public and Private IP addresses. One is dynamic PAT which uses single Public IP address for all local workstations. Another one is static PAT which uses single Public IP address for servers.

When using NAT/PAT, keep in mind that the Internet-accessible servers are seen from the Internet as their NAT/PAT-ed IP address (the Public IP address) and not the local IP address (not the Private IP address). The connection from the Internet users to the Public IP address will then be forwarded by the NAT/PAT device, which in this case is the ASA/PIX Firewall, according to the ASA/PIX Firewall's routing table. In other words, the ASA/PIX Firewall will (TCP/UDP) port forward connection from the Public IP address to the actual Private IP address after proper network's routing table is in place. This understanding is very important when you or someone need to test connectivity to the server and/or when you need to create filter (access list or ACL for short) to allow only certain incoming traffic from the Internet and block others.

Specifically for firewall devices such as PIX Firewall and ASA, creating such ACL to regulate incoming traffic initiated from the Internet to local LAN is required. On this sample configuration, this ACL is called INBOUND (access-list INBOUND).

Side Note:
For more info on NAT/PAT concept, check out the following FAQ
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Instruments used in this illustration are pretty much standard for running your own servers. Please note that IP addresses, username, and password are changed. However, you could always modify the configuration to suit your situation.

This sample configuration assumes that you have a block of IP addresses from ISP. There is a dedicated Public IP address for the PIX WAN interface (the Outside interface) and another dedicated Public IP address for the server PAT IP address. In this sample configuration, the network uses 1.1.1.13 IP address as the server Public IP address where the server inside Private IP address is 10.10.10.2. Any other machines use 1.1.1.9 Public IP address to go out to the Internet.

Note that the static PAT is indicated by the static command where the dynamic PAT is indicated by the pair of global and nat commands. You can change the IP address either on the static, global, or nat commands to suit your need or situation.

If you only have single Public IP address for both PIX/ASA Outside interface and server PAT IP address instead of a block of IP addresses, then you use the following commands instead.

static (inside,outside) tcp interface 20 10.10.10.2 20 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 21 10.10.10.2 21 netmask 255.255.255.255 0 0
access-list INBOUND permit tcp any any range 20 21
global (outside) 1 interface
 

With situation of dynamic IP address, at some point you still need to know the exact Public IP address you receive from your ISP for server connection testing and production time. To find out, you can issue show ip address command on the PIX. You will then see the associated outside interface Public IP address.

Note that the static commands above show the static PAT between outside (WAN) interface Public IP address (the one that shows on show ip address command) and Private IP address (the 10.10.10.2).

Between Static and Dynamic IP Address Assignment for LAN Machines

Typically, servers are having static IP addresses where regular workstations are having dynamic IP addresses. As mentioned, all LAN machines (including servers and workstations) are within 10.10.10.0/24 subnet. Let's say you dedicate 10.10.10.1 for the PIX, 10.10.10.2 - 10.10.10.14 for servers, and the rest (10.10.10.15 - 10.10.10.254) for workstations.

This illustration assumes all workstations are receiving dynamic IP address (as DHCP client) from the PIX which is acting as the LAN DHCP server; as indicated by the dhcpd address 10.10.10.15-10.10.10.254 inside command. Since the PIX and servers are having static IP addresses, you exclude 10.10.10.1 - 10.10.10.14 from DHCP pool. This is why the 1st DHCP IP address within the pool is 10.10.10.15 and the last one is 10.10.10.254

Tips

* You can use any computer, running any operating system with any generic FTP or other server software. There is no exclusiveness
* Make sure that the ports you plan to use are not used by other program.
* Also make sure that your ISP does not block the port you plan to use
* You can use generic port scanner software to find out if the port you plan to use is available
* Setup the FTP software to have the FTP server to use port 21 (standard port)
* FYI, port 21 only handle the connection and data is sent over port 20. With both ports PAT'd you will be able to use both PASV & PORT connections to your FTP server
* To verify the configuration, access the server from OUTSIDE network (i.e. from the Internet) and NOT from your own LAN. For this illustration, run an Internet browser (i.e. Internet Explorer, Netscape) and open
ftp://1.0.0.13:21


The Sample Configuration

Finally, here is the "show running-config" output.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
access-list INBOUND permit tcp any host 1.1.1.13 range 20 21
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.14 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 1.1.1.9
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.1.1.13 20 10.10.10.2 20 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.13 21 10.10.10.2 21 netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.10.15-10.10.10.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 

Note that the static command is where the port forwarding actually takes place between the Public and the Private IP address on specific TCP or UDP port. The ACL INBOUND is only a filter to permit certain incoming traffic initiated from Outside (the Internet).

Command Adjustment for Specific Needs

The above sample configuration shows how to provide FTP access to public. When you need to provide other access type such as Web or Mail, following is the command adjustment needed.

To run Public Web Server, following is the command list
static (inside,outside) tcp 1.1.1.13 80 10.10.10.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.13 443 10.10.10.2 443 netmask 255.255.255.255 0 0
object-group service WEB_Services tcp
port-object eq 80
port-object eq 443
access-list INBOUND permit tcp any host 1.1.1.13 object-group WEB_Services
 

To run Public Mail Server, following is the command list
static (inside,outside) tcp 1.1.1.13 25 10.10.10.2 25 netmask 255.255.255.255 0 0
access-list INBOUND permit tcp any host 1.1.1.13 eq 25
 

To run both Public Mail and Web Server where each server resides on different LAN machines, following is the command list.
static (inside,outside) tcp 1.1.1.13 25 10.10.10.2 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.13 80 10.10.10.3 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.13 443 10.10.10.3 443 netmask 255.255.255.255 0 0
object-group service WEB_Services tcp
port-object eq 80
port-object eq 443
access-list INBOUND permit tcp any host 1.1.1.13 eq 25
access-list INBOUND permit tcp any host 1.1.1.13 object-group WEB_Services
 

where 10.10.10.2 is the LAN Mail Server and 10.10.10.3 is the LAN Web Server.

To run both Public Mail and Web Server where each server resides on different LAN machines and each server has its own Public IP address, following is the command list.
static (inside,outside) tcp 1.1.1.12 25 10.10.10.2 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.13 80 10.10.10.3 80 netmask 255.255.255.255 0 0
access-list INBOUND permit tcp any host 1.1.1.12 eq 25
access-list INBOUND permit tcp any host 1.1.1.13 eq 80
 

where 10.10.10.2 is the LAN Mail Server and 1.1.1.12 is the WAN (Public) IP address. Similarly, 10.10.10.3 is the LAN Web Mail Server and 1.1.1.13 is the Public IP address.

If you like to dedicate specific Public IP address for specific LAN machines, then you can implement Static NAT instead as follows.
static (inside,outside) 1.1.1.12 10.10.10.2 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.13 10.10.10.3 netmask 255.255.255.255 0 0
access-list INBOUND permit tcp any host 1.1.1.12 eq 25
access-list INBOUND permit tcp any host 1.1.1.13 eq 80
 

where you dedicate 1.1.1.12 only for 10.10.10.2 machine and dedicate 1.1.1.13 only for 10.10.10.3 machine.

Some discussions

»[Config] Problems with Cisco ASA allowing web traffic through

Having Servers on DMZ

Scenario 1: NAT/PAT for both DMZ and Inside networks

This time there is DMZ network of 10.10.10.0/24 where the Inside network is 10.0.0.0/24. Traffic between DMZ and Inside networks pass as their original IP addresses (as in general, best practice), therefore there is no need to NAT Inside network to access DMZ and vice versa. DMZ network is only allowed to access Inside DNS server (the 10.0.0.2 IP address) and no other Inside hosts while the DMZ network is allowed to access anything Outside (the Internet).

Note that the access-list DMZ only applies when connections are initiated from DMZ machines. Any connections initiated from other network such as Inside and Outside won't be affected by this access-list DMZ.

Following is the sample configuration.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
object-group network Inside_DNS
network-object host 10.0.0.2
object-group network Inside
network-object 10.0.0.0 255.255.255.0
object-group network DMZ
network-object 10.10.10.0 255.255.255.0
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
access-list INBOUND permit tcp any host 1.1.1.13 range 20 21
access-list DMZ permit udp object-group DMZ object-group Inside_DNS eq 53
access-list DMZ deny ip any object-group Inside
access-list DMZ permit ip object-group DMZ any
access-list nonat permit ip object-group Inside object-group DMZ
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 1.1.1.14 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 1.1.1.9
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp 1.1.1.13 20 10.10.10.2 20 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 1.1.1.13 21 10.10.10.2 21 netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
access-group DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.4 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.15-10.0.0.254 inside
dhcpd dns 10.0.0.2 10.0.0.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 

Scenario 2: NAT/PAT only for Inside network, no NAT/PAT for DMZ network

Second Network Design: There is no NAT/PAT in place between the server and the Internet (without port forwarding)


So far the presented sample configurations use 1.1.1.9/24 - 1.1.1.14/24 as the NAT/PAT IP subnet. In this second part of sample configuration, there is an addition IP subnet of 1.0.0.0/30. Instead of using 1.1.1.9/24 - 1.1.1.14/24, this sample configuration uses 1.1.1.8/29. The 1.0.0.0/30 is used as the NAT/PAT IP subnet for Inside network. DMZ network does not use NAT/PAT at all, instead the DMZ network uses the 1.1.1.8/29 directly.

With DMZ network having the Public IP address of 1.1.1.8/29 directly assigned, there are two points that are established. One is that there is no need to do NAT/PAT for DMZ network since DMZ machines already use Internet-routable Public IP address.

The other established point is to avoid unnecessary DNS BIND to resolve DMZ server name to both Public IP and Private IP addresses. With DMZ network having the Public IP address of 1.1.1.8/29 directly assigned, DMZ server DNS name resolves to always its associated Public IP address regardless of where the incoming traffic come from, either from the Internet or from the Inside network. More info on this issue can be found in the following FAQ.

»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Now let's describe the network setup. The 1.1.1.8/29 IP subnet is assigned directly to all DMZ machines. A 1.1.1.14 is used as the DMZ network default gateway, which is also the PIX Firewall DMZ interface IP address. The Inside network is 10.0.0.0/24. Traffic between DMZ and Inside networks pass as their original IP addresses (as in general, best practice), therefore there is no need to NAT Inside network to access DMZ and vice versa. DMZ network is only allowed to access Inside DNS server (the 10.0.0.2 IP address) and no other Inside hosts while the DMZ network is allowed to access anything Outside (the Internet). Such access is regulated by the ACL DMZ.

There is no NAT/PAT in place for DMZ network to go out to the Internet as mentioned earlier. In other words, there is no port forwarding in place DMZ network and the Internet. Since there is no NAT/PAT between DMZ network and Inside network, there is no port forwarding in place between DMZ network and the Inside network either. This no-port-forwarding setup is due to the network design of using the actual/original IP addresses instead of using the NAT/PAT IP addresses, as described above.

There is however NAT/PAT in place for Inside network to go out to the Internet. All Inside network machines are PAT-ed to 1.0.0.2 IP address to go out to the Internet, which is the PIX Firewall Outside interface IP address.

The DMZ network still hosts FTP server, which is directly assigned 1.1.1.13 IP address. For security, there is ACL INBOUND to permit only necessary incoming traffic from the Internet and block others.

Following is the sample configuration.

1. In OS version 6.3

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
object-group network Inside_DNS
network-object host 10.0.0.2
object-group network Inside
network-object 10.0.0.0 255.255.255.0
object-group network DMZ
network-object 1.1.1.8 255.255.255.248
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
access-list INBOUND permit tcp any host 1.1.1.13 range 20 21
access-list DMZ permit udp object-group DMZ object-group Inside_DNS eq 53
access-list DMZ deny ip any object-group Inside
access-list DMZ permit ip object-group DMZ any
access-list nonat permit ip object-group Inside object-group DMZ
access-list nonat_dmz permit ip object-group DMZ any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 1.0.0.2 255.255.255.252
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 1.1.1.14 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list nonat_dmz
access-group INBOUND in interface outside
access-group DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 1.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.4 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.15-10.0.0.254 inside
dhcpd dns 10.0.0.2 10.0.0.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 

2. In OS version 7.0 to 8.2

ASA Version 7.2(3) 
!
hostname asafirewall
enable password ***** encrypted
names
!
interface GigabitEthernet0/0
 description Facing the Internet
 nameif outside
 security-level 0
 ip address 1.0.0.2 255.255.255.252 
!
interface GigabitEthernet0/1
 description Facing LAN
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description DMZ
 nameif dmz
 security-level 50
 ip address 1.1.1.14 255.255.255.248
!
interface GigabitEthernet0/3
 shut
!
interface Management0/0
 shut
!
passwd ****** encrypted
object-group icmp-type ICMP-INBOUND  
icmp-object 0  
icmp-object 3  
icmp-object 11  
object-group network Inside_DNS  
network-object host 10.0.0.2  
object-group network Inside  
network-object 10.0.0.0 255.255.255.0  
object-group network DMZ  
network-object 1.1.1.8 255.255.255.248  
access-list INBOUND permit icmp any any object-group ICMP-INBOUND  
access-list INBOUND permit tcp any host 1.1.1.13 range 20 21  
access-list DMZ permit udp object-group DMZ object-group Inside_DNS eq 53  
access-list DMZ deny ip any object-group Inside  
access-list DMZ permit ip object-group DMZ any  
access-list nonat permit ip object-group Inside object-group DMZ
access-list nonat_dmz permit ip object-group DMZ any 
pager lines 24
no logging enable
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat_dmz
access-group INBOUND in interface outside
access-group DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 1.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.4 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.15-10.0.0.254 inside
dhcpd dns 10.0.0.2 10.0.0.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
!             
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
: end
 

OS Version 8.3 or later

ASA Version 8.4(1) 
!
hostname asafirewall
enable password ***** encrypted
names
!
interface GigabitEthernet0/0
 description Facing the Internet
 nameif outside
 security-level 0
 ip address 1.0.0.2 255.255.255.252 
!
interface GigabitEthernet0/1
 description Facing LAN
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description DMZ
 nameif dmz
 security-level 50
 ip address 1.1.1.14 255.255.255.248
!
interface GigabitEthernet0/3
 shut
!
interface Management0/0
 shut
!
passwd ****** encrypted
object-group service ICMP-INBOUND  
icmp 0  
icmp 3  
icmp 11  
object-group network Inside_DNS  
network-object host 10.0.0.2  
object-group network Inside  
network-object 10.0.0.0 255.255.255.0  
object-group network DMZ  
network-object 1.1.1.8 255.255.255.248  
access-list INBOUND permit icmp any any object-group ICMP-INBOUND  
access-list INBOUND permit tcp any host 1.1.1.13 range 20 21  
access-list DMZ permit udp object-group DMZ object-group Inside_DNS eq 53  
access-list DMZ deny ip any object-group Inside  
access-list DMZ permit ip object-group DMZ any  
access-list nonat permit ip object-group Inside object-group DMZ
access-list nonat_dmz permit ip object-group DMZ any 
pager lines 24
no logging enable
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
!
object network OBJ_GENERIC_ALL 
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
!
object network Inside_nonat
group-object Inside
object network Inside-DMZ_nonat
group-object Inside
nat (inside,dmz) static Inside-DMZ_nonat
!
object network DMZ_nonat
group-object DMZ
object network DMZ-Outside_nonat
group-object DMZ
nat (dmz,outside) static DMZ-Outside_nonat
!
access-group INBOUND in interface outside
access-group DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 1.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.4 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.15-10.0.0.254 inside
dhcpd dns 10.0.0.2 10.0.0.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
!             
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
: end
 

More Sample Configurations

As mentioned, PIX OS version 6.3(3) commands are pretty much similar to the ASA or PIX OS version 7.0 or later. Should you need more sample configurations from different angle or sample configurations on ASA or PIX running OS version 7.0 or later, you can check out the following links.

Run Mail Server on DMZ Network
PIX running OS 6.3 image
PIX/ASA running OS 7.0 image or newer

Run Mail Server on Inside Network
PIX running OS 6.3 image
PIX/ASA running OS 7.0 image or newer

Run Mail Server on Outside Network
PIX running OS 6.3 image
PIX/ASA running OS 7.0 image or newer

PIX Firewall - Router Combo
»Cisco Forum FAQ »Internet - PIX/ASA - Router - LAN
»Cisco Forum FAQ »Internet - Router - PIX/ASA - LAN

Some Discussions
»[Config] cisco 5520

Testing Connectivity

To test your design and configuration, basically you need to use Public IP address that is not within the same subnet as your ISP-assigned IP addresses. Here is some clarification.

In this example, the 1.1.1.8/29 subnet is the ISP-assigned IP addresses that you use for the servers. When you are testing the connectivity, your connection has to come from IP address that is not within the 1.1.1.8/29 subnet. Something like connection test from your neighbor, office, or even local coffee shop should do since those places have their own ISP-assigned IP address that are not the same as yours.

Note that this requirement in connection testing is not some debug or firewall incapability issue, but rather it is to comply with RFC 3022 as industry standard mentioned in the prerequisite reading (top of the page), to ensure the firewall is functioning reliably.

Some illustration.
»RDP from Internet w/ Cisco Router in place...

Note on Running Microsoft Exchange Mail service with ASA/PIX Firewall running OS version 7.0 or later

The OS version 7.0 introduces a new feature called ESMTP inspection that supercede the older OS SMTP inspection. This new feature was created to inspect ESMTP (Extended SMTP) traffic in addition to standard SMTP traffic. This new inspection is based on the industry standard RFC 1869 about the ESMTP protocol definition and mechanism.

Specifically for the OS version 7.x, only the following SMTP (and ESMTP) mail commands are allowed to pass through by default. All other commands are blocked by default, based on RFC 2821 Section 4.5.1: Minimum Implementation

AUTH, DATA, EHLO, ETRN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY

The reason of such default behavior is due to security and is based on RFC requirement of minimum implementation of ESMTP mail server mechanism.

Unfortunately Microsoft Exchange ESMTP implementation does not comply with the RFC 2821 for some reason. Therefore there might be issues when MS Exchange is used to host mail server behind ASA/PIX Firewall running OS version 7.x.

To mitigate the issue, some people chose just to remove SMTP inspection off the configuration completely. This decision is unwise since then the ASA/PIX Firewall will never provide proper security protection against SMTP traffic. The proper decision should be modifying the SMTP inspection default behavior to suit such specific need. When you need to modify default behavior of ASA/PIX Firewall in which ESMTP commands are permitted to pass, you can check out the following official Cisco documentation to do such.

Managing SMTP and Extended SMTP Inspection

Starting OS version 8.x however, somehow this MS Exchange-ESMTP inspection issue is resolved. Therefore you may want to skip running OS version 7.x and go straight to run OS version 8.x should you need to run MS Exchange server behind an ASA/PIX Firewall.

Sample Configurations of Enabling and/or Modifying Default Inspection on some protocols

Check out the following official Cisco documentations.

ESMTP TLS Configuration
PIX/ASA 7.x: Enable FTP/TFTP Services Configuration Example
Disable Default Global Inspection and Enable Non-Default Application Inspection

Troubleshooting

FTP Server related
Active FTP vs. Passive FTP, a Definitive Explanation
»FTP server doesn't work on port 21, works on other ports

Discussions

»[HELP] Just when I thought I had this ASA cracked....
»[Config] Pix 515e ACL setup help
»[Config] PIX 515e v8.0 routing/DMZ/ACL assistance & opinions nee
»[HELP] NAT vs Route vs ACL -ASA5505
»ASA 5505 -Can I use outside dynamic IP for webserver DMZ?

Expand got feedback?

by aryoba See Profile
last modified: 2014-09-03 10:14:28