
[Config] ASA Port Forwarding Help

JR @asisna.com:
I'm having a heck of a time trying to port forward with an ASA. Keep in mind, I am in no way a Cisco guy but I'm forced to try at my current position.
My situation is this: I need to port forward HTTPS traffic through my ASA to a server on the inside network at 192.168.10.87. Every time I create a rule inside of the ASDM, nothing happens and it doesn't forward at all.
If anyone could PLEASE write this rule for me, I would really appreciate it. Here is my config:
User Access Verification

Username: ********
Password: *********
Type help or '?' for a list of available commands.
palouseFW> em
           ^
ERROR: % Invalid input detected at '^' marker.
ASAFW> en
Password:
Password:
Password:
Access denied.
asaFW> en
Password: *********
asaFW# show running-config
: Saved
:
ASA Version 7.0(8)
!
hostname asaFW
domain-name testing.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
multicast-routing
names
dns-guard
!
interface Ethernet0/0
 description Public Interface
 nameif outside
 security-level 0
 ip address 72.150.82.66 255.255.255.192
 no igmp
!
interface Ethernet0/1
 description Inside Interface
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
!
interface Ethernet0/2
 description DMZ for Mainframe
 nameif nx4201
 security-level 60
 ip address 192.1.14.1 255.255.255.0
!
interface Ethernet0/3
 description MPLS
 shutdown
 nameif MPLS
 security-level 100
 ip address 192.168.14.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
banner login This is a private computer facility, protected by a security system. Access to and use requires explicit
banner login written, current authorization and is limited to purposes of the organization's business.
banner login Unauthorized access or attempts to use, alter, destroy, or damage data, programs, or equipment may
banner login violate applicable local, state, or federal law and could result in criminal prosecution, civil liability, or both.
boot system disk0:/asa803-k8.bin
boot system disk0:/asa708-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.19.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list 100 extended permit ip 192.168.11.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list 100 extended permit ip 192.168.12.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list 100 extended permit ip 192.168.13.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list 100 extended permit ip 192.168.15.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list 100 extended permit ip 192.168.17.0 255.255.255.0 192.1.14.0 255.255.255.0
access-list 100 extended permit ip 192.1.14.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 extended permit ip 192.1.14.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 100 extended permit ip 192.1.14.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 100 extended permit ip 192.1.14.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list 100 extended permit ip 192.1.14.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 100 extended permit ip 192.1.14.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list 100 extended deny ip any any
access-list 101 extended permit ip 192.168.10.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 102 extended permit ip 192.168.10.0 255.255.255.0 192.168.19.0 255.255.255.0
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging from-address Fairfield-FW@palouse1.local
logging host inside 192.168.10.199
mtu outside 1500
mtu inside 1500
mtu nx4201 1500
mtu MPLS 1500
mtu management 1500
ip local pool RemoteAccess 192.168.20.100-192.168.20.200 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp deny any outside
icmp permit any inside
icmp permit 192.1.14.0 255.255.255.0 nx4201
asdm image disk0:/asdm508.bin
asdm history enable
arp timeout 14400
global (outside) 101 12.150.82.126 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 192.168.10.0 255.255.255.0
nat (inside) 101 192.168.11.0 255.255.255.0
nat (inside) 101 192.168.12.0 255.255.255.0
nat (inside) 101 192.168.13.0 255.255.255.0
nat (inside) 101 192.168.14.0 255.255.255.0
nat (inside) 101 192.168.15.0 255.255.255.0
nat (inside) 101 192.168.17.0 255.255.255.0
access-group 100 in interface nx4201
route outside 0.0.0.0 0.0.0.0 12.150.82.65 1
route outside 192.168.20.0 255.255.255.0 192.168.10.2 1
route inside 192.168.11.0 255.255.255.0 192.168.10.4 1
route inside 192.168.12.0 255.255.255.0 192.168.10.4 1
route inside 192.168.13.0 255.255.255.0 192.168.10.4 1
route inside 192.168.15.0 255.255.255.0 192.168.10.4 1
route inside 192.168.17.0 255.255.255.0 192.168.10.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 192.168.10.88
 default-domain value palouse
 webvpn
username DataPro password iaaqwlirXxC8/hqq encrypted privilege 15
username fairfield password 3CkZJXm/13/uhfIg encrypted privilege 15
username sdruffell password UK5Es6.fyidMxg2i encrypted privilege 0
username sdruffell attributes
 vpn-group-policy RemoteAccess
 webvpn
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.10.50 255.255.255.255 inside
http 192.168.10.81 255.255.255.255 inside
http 192.168.10.87 255.255.255.255 inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 20 match address 101
crypto map OUTSIDE_MAP 20 set peer 24.117.110.57
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-MD5
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 20 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 30 match address 102
crypto map OUTSIDE_MAP 30 set peer 10.254.254.254
crypto map OUTSIDE_MAP 30 set transform-set ESP-AES-MD5
crypto map OUTSIDE_MAP 30 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 30 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
crypto map outside_map 30 set peer 75.148.59.222
crypto map outside_map 30 set security-association lifetime seconds 28800
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp disconnect-notify
tunnel-group 24.117.110.57 type ipsec-l2l
tunnel-group 24.117.110.57 ipsec-attributes
 pre-shared-key *
tunnel-group 10.254.254.254 type ipsec-l2l
tunnel-group 10.254.254.254 ipsec-attributes
 pre-shared-key *
tunnel-group RemoteAccess type ipsec-ra
tunnel-group RemoteAccess general-attributes
 address-pool RemoteAccess
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
telnet 192.168.10.50 255.255.255.255 inside
telnet 192.168.10.81 255.255.255.255 inside
telnet 192.168.10.87 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 30
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
smtp-server 192.168.10.87
Cryptochecksum:e6307a77e893712e6d009143e5cc1df5
: end
ASAFW#

JR @asisna.com:
Okay, here are the commands I believe I should enter, but I'm just not sure... Again, any help would be appreciated.

access-list outside-entry extended permit tcp any host 72.150.82.66 eq https
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) tcp 72.150.82.66 https 192.168.10.87 https netmask 255.255.255.255

JR @asisna.com (reply to JR):
Okay, I believe I got it...
I entered the following and now it appears to be working.

access-list inbound permit tcp any interface outside eq https
access-group inbound in interface outside
static (inside,outside) tcp interface https 192.168.10.87 https netmask 255.255.255.255
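The difference between the two command sets above is that the first one never binds its ACL to the outside interface with access-group, while the working one does. The checker below is an added example, not code from the thread or from Cisco: it parses 7.0-style static, access-list and access-group lines and reports what is still missing for an inbound tcp/https forward on outside. Its two sample configs are constructed from JR's posts rather than his full running-config, and it only understands the syntax forms that appear in this thread.

```python
# Constructed samples (not the thread's full config): JR's working rule set, then his first attempt.
WORKING_CFG = """\
access-list inbound permit tcp any interface outside eq https
access-group inbound in interface outside
static (inside,outside) tcp interface https 192.168.10.87 https netmask 255.255.255.255
"""
UNAPPLIED_CFG = """\
access-list outside-entry extended permit tcp any host 72.150.82.66 eq https
static (inside,outside) tcp 72.150.82.66 https 192.168.10.87 https netmask 255.255.255.255
"""

def _addr(t, i):
    """Consume one ACL address spec: 'any' | 'host X' | 'interface X' | 'NET MASK'."""
    return ("any", i + 1) if t[i] == "any" else (f"{t[i]} {t[i + 1]}", i + 2)
def parse_acl(t):
    """access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT] -> dict."""
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    _, i = _addr(t, i + 2)                       # source address, not checked here
    dst, i = _addr(t, i)
    port = t[i + 1] if i < len(t) and t[i] == "eq" else None
    return {"action": action, "proto": proto, "dst": dst, "port": port}
def parse_static(t):
    """static (REAL_IF,MAPPED_IF) tcp|udp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT ..."""
    return {"mapped_if": t[1].strip("()").split(",")[1], "proto": t[2],
            "mapped_ip": t[3], "mapped_port": t[4], "real_ip": t[5], "real_port": t[6]}

def check_forward(cfg, mapped_if, proto, port):
    """Return the reasons an inbound forward of proto/port on mapped_if cannot work."""
    statics, acls, groups = [], {}, {}
    for t in (line.split() for line in cfg.splitlines()):
        if t and t[0] == "static" and t[2] in ("tcp", "udp"):   # port-level statics only
            statics.append(parse_static(t))
        elif t and t[0] == "access-list" and t[2] != "remark":
            acls.setdefault(t[1], []).append(parse_acl(t))
        elif t and t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            groups[t[4]] = t[1]                  # interface name -> inbound ACL name
    hits = [s for s in statics
            if (s["mapped_if"], s["proto"], s["mapped_port"]) == (mapped_if, proto, port)]
    problems = [] if hits else [f"no static translates {proto}/{port} on {mapped_if}"]
    acl = groups.get(mapped_if)
    if acl is None:                              # the first command set stops here
        return problems + [f"no access-group applied inbound on {mapped_if}"]
    targets = {"any"} | {f"interface {mapped_if}" if s["mapped_ip"] == "interface"
                         else f"host {s['mapped_ip']}" for s in hits}   # addresses the statics advertise
    if not any(e["action"] == "permit" and e["proto"] in (proto, "ip")
               and e["port"] in (port, None) and e["dst"] in targets
               for e in acls.get(acl, [])):
        problems.append(f"ACL {acl} on {mapped_if} does not permit {proto}/{port}")
    return problems
```

Run check_forward on a pasted running-config with the interface, protocol and port you expect to be forwarded; an empty list means the static, the ACL entry and the access-group binding are all present and agree.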