
  earl
@cox.net
| [Config] cisco asa 5505 with multiple outside IP addresses
I have a Cisco 5505 that I am setting up and need to find out how to configure multiple IP addresses on the outside interface. I need to have an IP for the SSL-VPN and then a separate IP to forward HTTPS traffic to a web server, and other ports such as email. I know with one IP I can configure it with the SSL-VPN, and forward the non-443 ports, but I do not think I can forward the SSL ports or terminate and have the ASA forward it on one IP. I have the basic license with 50 users.

| |  garnetbobcat
join:2007-10-02
| So you have two static addresses from your ISP? If so, then you can just use static NAT for the server and not worry about port forwarding. If not, skip to the bottom.
STATIC NAT
1. SSL VPN traffic terminates on the ASA, so assign the IP address you want users to hit for SSL VPN to the ASA outside interface.
2. Web server traffic flows through the ASA, so use NAT and an ACL to facilitate that. When users connect to the second IP address the ASA will forward connections to that IP address through itself (via translation) to the web server on the inside.
First create a static that maps the server inside address to the second public IP address. Then create an access list to allow access to the ports you want. Use the translated (public) address in the ACL.
Here's a short example for Remote Desktop. Just substitute your web port(s) for 3389 in the example:
»www.cisco.com/en/US/partner/prod···7e.shtml
CHANGE LISTENING PORTS
If I misunderstood and you only have one IP address, then I think you need to change listening ports for either your web server or the SSL VPN server. Try one of these options.
WEB PORTS: Using a static like the one mentioned above, you can forward ports, so do something like forward 8080 on the outside to 80 on the inside, for example. Then your users will connect to IP:8080 for web. Here's an example for static PAT:
»www.cisco.com/en/US/partner/prod···b4.shtml
SSL PORT: You can change the SSL VPN listening port with the port command:
Then your users would just connect to IP:444 for SSL VPN. Here's a link to the config guide:
»www.cisco.com/en/US/partner/docs···p1079847
-- Matt, CCIE Security, »www.wr-mem.com

| |   earl
@cox.net
| So if I do the static NAT, where do I assign the second IP address from the ISP? I have my outside vlan2 configured with the first IP address, but I cannot add a second IP address to that VLAN. I do not want to change the SSL port for the VPN, which is why I figured I would need two IP addresses, one for the SSL-VPN on 443 and the other to NAT/port forward the HTTPS to the internal web server.
I have posted my config below; right now I am doing this in a test environment, which is why my ISP IP address is an internal address on our network. I have a separate workstation on the inside interface that I manage the router from.
Also, I thought I had this configured correctly for NATing the 118 address, but I cannot browse the internet from the computer I plug into port 3.
Thanks.
| |  garnetbobcat
join:2007-10-02
| Great. There is no need to change the SSL VPN port then. You don't need to do any port forwarding (static PAT), either. You can just do plain static NAT.
So far, your NAT configuration is fine for INSIDE--->OUTSIDE traffic from the webserver, but to allow OUTSIDE--->INSIDE to the webserver, you need a static and an access list. Let's say your ISP gave you 10.29.5.71 for the public address of the webserver.
First, configure the static. Note that the "outside" IP address comes first after the parentheses. This can be counter-intuitive.
The static is where you "assign" the second IP address from the ISP. The ASA essentially proxies for the webserver on that address and uses the static translation to pass traffic to and from it. It will pass ANY and ALL traffic to the webserver if you allow it to, but by default NOTHING will pass, because...
On the ASA, you need an access list to allow traffic to flow from low security to high security interfaces. Because the server is on a higher security interface (inside, 100) than the Internet (outside, 0) you need an access list to reach the webserver from the Internet.
The first two lines here allow anyone to access the webserver on ports 80 and 443. Note how the access-list permits traffic to the TRANSLATED address of the webserver. This is the "real" IP address that the ISP assigned you and that you used in the static above. The third line puts the access list on the outside interface, filtering traffic in the inbound direction.
----------
Your current NAT configuration looks right to allow machines on VLAN 3 to traverse the ASA. You say you can't browse the Internet, so some things to check are:
Routing - Are your machines using the ASA as their gateway? The ASA is sending everything to 10.29.5.247, is that the right path to the Internet? Do other hops along the way have a route back to 10.29.5.70 (the ASA outside IP)?
DNS - Do the machines behind the ASA have DNS servers configured? Since you're not doing DHCP, they're not getting them from the ASA.
ICMP - Are you actually trying to ping across the ASA rather than browse the Internet? If that's the case then you need to add ICMP inspection for traffic through the ASA:
-- Matt, CCIE Security, »www.wr-mem.com

| |   earl
@cox.net
| Thanks garnetbobcat, I have a long way to go with Cisco security.
On the ASA I thought I had it configured to use DNS; if you look on line 47 it shows the name server I am referring to. Do I need to have a rule to allow DNS traffic out as well?
Also, I have been trying to add a GoDaddy cert for the SSL VPN and I cannot get one generated from the CSR generated on the ASA to be accepted on the GoDaddy site. When I try to submit the CSR that was generated, it says you must have the FQDN for the CN. On the ASA I have installed the GoDaddy intermediate CA and used that one to generate the CSR using crypto ca enroll godaddyint, and it generated the CSR. I then pasted that output into the GoDaddy site and it would not take. I have a domain and host name configured on the ASA. I tried to go through the GUI and the only cert I can request via the GUI is from Entrust. Will a GoDaddy cert not work on the ASA?

| |  garnetbobcat
join:2007-10-02
| You're welcome. Everyone's got to start somewhere. :)
You don't need a rule to allow DNS to and from the ASA, but I just noticed that you need to change the DNS lookup interface to the outside (where your DNS server is):
The ASA won't act as a DNS server, so you can't set your PCs to use the ASA inside interface as the DNS server and then expect the ASA to forward the PCs' DNS lookups to 208.67.222.222. Instead, you need to either manually configure 208.67.222.222 on the PCs or use DHCP to hand out DNS server info.
You don't need a rule for DNS from the clients to 208.67.222.222 on the Internet. The stateful firewall on the ASA will allow those connections out and allow the replies back in.
DHCP on the ASA: »www.cisco.com/en/US/products/hw/···d5.shtml
I have seen GoDaddy certs used. Try clearing out what you've done and starting over. These directions have been very successful in my experience: »www.cisco.com/en/US/products/ps6···ff.shtml
-- Matt, CCIE Security, »www.wr-mem.com
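The configuration Matt describes across his three replies (the static for the second public address, the access list matching the mapped address, the access-group on outside, SSL VPN on the ASA's own address, ICMP inspection and the DNS lookup interface), pulled together as one added example. This is not earl's posted config and not taken from the thread or from Cisco's linked pages. The addresses 10.29.5.70 (ASA outside), 10.29.5.247 (next hop), 10.29.5.71 (web server's public address) and 208.67.222.222 (DNS) come from the thread; the inside network 192.168.1.0/24, the web server's real address 192.168.1.10, the /24 outside mask and the VLAN naming are assumptions. The syntax is the pre-8.3 (ASA 8.0/8.2) form the thread is using, in which the mapped address comes first in the static and ACLs match the mapped address.

```cisco
! Assumptions (not from the thread): inside is Vlan1 192.168.1.0/24,
! the web server's real address is 192.168.1.10, outside mask is /24.
! Thread values: outside 10.29.5.70, next hop 10.29.5.247,
! web server public address 10.29.5.71, DNS server 208.67.222.222.
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.29.5.70 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.29.5.247 1
!
! Lookups made by the ASA itself go out the interface that reaches the server.
! The ASA does not forward client DNS; clients must point at 208.67.222.222.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222
!
! Outbound dynamic PAT for everything on the inside network
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Static NAT: the ASA answers for 10.29.5.71 and translates to the real server.
! Mapped (outside) address first, real (inside) address second.
static (inside,outside) 10.29.5.71 192.168.1.10 netmask 255.255.255.255
!
! Outside (0) to inside (100) needs an ACL; pre-8.3 ACLs match the MAPPED address.
access-list outside_access_in extended permit tcp any host 10.29.5.71 eq www
access-list outside_access_in extended permit tcp any host 10.29.5.71 eq https
access-group outside_access_in in interface outside
!
! SSL VPN terminates on the ASA's own outside address, so 10.29.5.70:443 is
! free for it while 10.29.5.71:443 goes to the web server.
webvpn
 enable outside
!
! ICMP is not tracked statefully unless inspected; without this, pings through
! the ASA get no replies even when TCP works.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Single public address alternative (use INSTEAD of the static above) ---
! Either move the web server off 443 on the outside with static PAT ...
! static (inside,outside) tcp interface 8443 192.168.1.10 443 netmask 255.255.255.255
! access-list outside_access_in extended permit tcp any host 10.29.5.70 eq 8443
! ... or move the SSL VPN listener off 443:
! webvpn
!  port 444
!  enable outside
```

Two caveats for anyone copying this later: the static PAT and the port-444 lines are alternatives for the one-address case and must not be combined with the static for 10.29.5.71, and on ASA 8.3 and later the NAT syntax changed (object NAT replaces `static`/`global`/`nat`, and access lists then match the real, untranslated address), so this fragment is specific to 8.2 and earlier.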
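earl's CSR was rejected because its subject did not carry the FQDN as the common name, and he had enrolled from the trustpoint holding the intermediate CA. As an added example (not from the thread and not Cisco's linked directions), a trustpoint whose CSR carries the FQDN, followed by the install steps once GoDaddy returns the certificate. The host vpn.example.com, the trustpoint name GODADDY, the keypair name GODADDY-KEY and the organisation fields are assumptions.

```cisco
! Assumed names: vpn.example.com, trustpoint GODADDY, keypair GODADDY-KEY.
hostname asa5505
domain-name example.com
!
! A dedicated 2048-bit keypair for the VPN certificate
crypto key generate rsa label GODADDY-KEY modulus 2048
!
! The trustpoint controls what goes into the CSR: the CN must be the FQDN
! that users type into the browser, and fqdn adds it as a SubjectAltName.
crypto ca trustpoint GODADDY
 enrollment terminal
 keypair GODADDY-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Corp,C=US
 crl configure
!
! Prints the base64 CSR on the terminal (answer the interactive prompts);
! paste that block into the GoDaddy request form.
crypto ca enroll GODADDY
!
! After GoDaddy issues the certificate:
! 1. install the issuing (intermediate) CA into the SAME trustpoint
crypto ca authenticate GODADDY
!    (paste the intermediate CA PEM, then "quit" on a line by itself)
! 2. install the signed identity certificate
crypto ca import GODADDY certificate
!    (paste the issued PEM, then "quit")
! 3. make the SSL VPN listener on outside present it
ssl trust-point GODADDY outside
```

The point of the separate trustpoint is that `crypto ca enroll` builds the request from that trustpoint's `subject-name`, `fqdn` and `keypair`; enrolling from a trustpoint that was only ever authenticated with the CA's certificate gives you a CSR with whatever default subject the box had, which is what the "must have the FQDN for the CN" rejection is reporting. Verify the installed chain afterwards with `show crypto ca certificates GODADDY` before pointing users at it.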