[Config] ASA 5505 - static NAT with multiple public IPs

I am having quite the time getting this ASA 5505 (ASDM 5.2, ASA 7.2) configured correctly. Here's what I'm trying to do:
There are two new servers on the LAN. One is running Exchange 2003, and the other is a web server with IIS and Tomcat. The Exchange box has one NIC configured with a LAN IP, and the web server has two configured with two LAN IPs. I have three available public IPs from the ISP that I need to point to their respective LAN servers. Based on all the threads I've been reading, static NAT rules are the way to go.
I've based my configuration on info from the second to last post in the following thread: »[HELP] asa 5505 with 2 public IPs
I've got it all configured, but if I run a portscan on the Exchange box from ShieldsUP, none of the ports appear to be open.
Any help would be HUGELY appreciated!
ASA - LAN 192.168.1.1, WAN 10.10.10.10
Exchange - LAN 192.168.1.20, WAN 10.10.10.10
Web - LAN1 192.168.1.21, WAN1 10.10.10.11; LAN2 192.168.1.22, WAN2 10.10.10.12
Here's my config:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(3)
!
hostname myasa
domain-name mydomain.com
enable password mypassword encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.10 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd mypassword encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name mydomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network mydatacenter
network-object 192.168.45.0 255.255.255.0
object-group network WEBSERVER
network-object host 192.168.1.21
network-object host 192.168.1.22
network-object host 10.10.10.11
network-object host 10.10.10.12
object-group network EXCHANGE
network-object host 192.168.1.20
network-object host 10.10.10.10
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list mycompany_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.10 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.10 eq https
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.11 eq www
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.12 eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.1.175-192.168.1.190 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 10.10.10.11 www 192.168.1.21 www netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.12 www 192.168.1.22 www netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 smtp 192.168.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 https 192.168.1.20 https netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 10.10.10.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host outside 10.100.1.15 community datacenter.net
snmp-server location somewhere MA
snmp-server contact My Name
snmp-server community MyCompany
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set peer 11.11.11.11
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.10
!
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 192.168.1.10 interface inside
dhcpd domain mydomain.com interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy mycompany internal
group-policy mycompany attributes
dns-server value 192.168.1.5 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value mycompany_splitTunnelAcl
default-domain value mydomain
vpn-group-policy mycompany
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.12 ipsec-attributes
pre-shared-key *
tunnel-group cbtech type ipsec-ra
tunnel-group cbtech general-attributes
address-pool vpnpool
default-group-policy mycompany
tunnel-group mycompan ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:495554f0a3293514b38b6a69ced5b824
: end
RyanG1: I don't see where you are applying your access-list to inbound traffic on the outside interface.
access-group OUTSIDE_IN in interface outside
will apply that access-list to any inbound traffic from the outside interface.
Ryan -- Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams
[Attachment: Access List screenshot]
brightedge: I ran a packet trace on the outside interface. Source IP = 192.168.1.20, destination IP = 10.10.10.10, source/destination port = 25. It failed at ACCESS-LIST. When I clicked the "show rule in access rules table", it displayed the attached.
Looks like there's a rule to drop all packets from the outside. Shouldn't the other rules take precedence?

RyanG1 (reply to brightedge): If you are doing a packet-trace using the outside interface for incoming traffic but using the source IP of your inside network, then it will be blocked.
packet-trace input outside tcp 1.1.1.1 80 10.10.10.10 80
that will simulate an external connection from 1.1.1.1 on source port 80 to destination 10.10.10.10 (wan IP) on port 80. The firewall will then NAT the traffic based off of your access-lists and nat config.
Again though, the config you posted does not show you are assigning an access-list to any interfaces.
Ryan

brightedge (reply to RyanG1): Ryan, thank you for your reply.
I added that line and saved changes. ShieldsUP still states that all ports are blocked. Did I miss something? Is there something that is trumping the static rules/access list?
Could this have anything to do with it? »www.mailbeyond.com/nat-routing-p···asa-5505
Here are the access-list and static lines I have:
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.10 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.10 eq https
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.11 eq www
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.12 eq www
static (inside,outside) tcp 10.10.10.11 www 192.168.1.21 www netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.12 www 192.168.1.22 www netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 smtp 192.168.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 https 192.168.1.20 https netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside

brightedge (reply to RyanG1): Not sure why, but my post with the packet trace showed up in the thread before the one with the new config results, even though I posted it after...
Anyway, I ran another trace (this time with the correct IPs...), but it still gets denied. Is the rule highlighted in my previous screenshot blocking incoming traffic? If so, it doesn't look like I can delete it - at least not from ASDM. If I can delete it from the CLI, will the deletion cause all inbound traffic to be allowed, or does the access list/static NAT control what can come through?
Thanks again for your replies!! Here's the result of the trace:
Result of the command: "packet-trace input outside tcp 1.1.1.1 25 10.10.10.10 25"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 10.10.10.10 smtp 192.168.1.20 smtp netmask 255.255.255.255
match tcp inside host 192.168.1.20 eq 25 outside any
static translation to 10.10.10.10/25
translate_hits = 0, untranslate_hits = 107
Additional Information:
NAT divert to egress interface inside
Untranslate 10.10.10.10/25 to 192.168.1.20/25 using netmask 255.255.255.255
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.10 255.255.255.255 identity
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

brightedge (reply to RyanG1): Perhaps something is awry with my static NAT rules? I've attached a screenshot...

RyanG1 (reply to brightedge): The rule that shows it as denying the traffic is the implicit deny rule, meaning that if you did not allow it in the ACL then the firewall denies it. The rule cannot be deleted.
I'm not seeing anything missing from your config (assuming what was posted was the exact config). The only thing I can suggest would be to add the following to test: access-list OUTSIDE_IN extended permit tcp any any
If it's still getting blocked it may be a bug in that revision of the ASA code. I know at work we use 8.0(5)23 as 7.2x had many bugs, and that's what I'm running on my ASA here.
The only other thing that you could change (at least for the static port mappings that use the firewalls IP) would be:
static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255
instead of
static (inside,outside) tcp 10.10.10.10 smtp 192.168.1.20 smtp netmask 255.255.255.255
In 8.x it will typically refuse to add the static entry if the IP is the same as the outside interface.
Ryan
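The two things that went wrong in this thread (an OUTSIDE_IN access-list that was never bound with access-group, then statics that reuse the outside interface's own address instead of the interface keyword) are both visible in the running-config before any packet is sent. The script below is an added example, not code from the thread or from either poster: it parses the pre-8.3 static/global/nat syntax used on this page, reports those misconfigurations, and walks an interface ACL first-match the way the packet-tracer output above did, falling through to the implicit deny when nothing matches. The BROKEN sample is a constructed, trimmed copy of the relevant lines from the posted config; FIXED applies Ryan's two changes. Only the tcp/udp port-static form, the extended ACE forms that appear on the page, and the port keywords used there are handled.

```python
"""Lint a pre-8.3 ASA config for unbound ACLs and statics that squat on an interface IP.
Added example; the sample config is a constructed, trimmed copy of the thread's config."""
import ipaddress
import re
from collections import defaultdict

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22, "ftp": 21}

def port_number(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_endpoint(toks, i):
    """Consume one ASA address spec (any | host X | NET MASK) starting at toks[i]."""
    if toks[i] == "any":
        return ("any",), i + 1
    if toks[i] == "host":
        return ("host", toks[i + 1]), i + 2
    return ("net", ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)), i + 2

def endpoint_matches(spec, ip):
    if spec[0] == "any":
        return True
    return spec[1] == ip if spec[0] == "host" else ipaddress.ip_address(ip) in spec[1]

def parse_config(text):
    """Collect interface IPs, extended ACEs, access-group bindings, tcp/udp statics and
    every line that names an ACL for some other purpose (nat 0, crypto map, split tunnel)."""
    cfg = {"interfaces": {}, "acls": defaultdict(list), "applied": {}, "statics": [], "refs": set()}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            cfg["interfaces"][nameif] = line.split()[2]
        elif line.startswith("access-list "):
            m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line)
            if m:
                name, action, proto, rest = m.groups()
                toks = rest.split()
                src, i = parse_endpoint(toks, 0)
                if i < len(toks) and toks[i] == "eq":  # source port qualifier, not needed here
                    i += 2
                dst, i = parse_endpoint(toks, i)
                dport = port_number(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
                cfg["acls"][name].append((action, proto, src, dst, dport))
        else:
            m = re.match(r"static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask", line)
            if m:
                _, mapped_if, proto, mip, mport, rip, rport = m.groups()
                cfg["statics"].append({"mapped_if": mapped_if, "proto": proto, "mapped_ip": mip,
                                       "mapped_port": port_number(mport), "real_ip": rip,
                                       "real_port": port_number(rport)})
            m = re.match(r"access-group (\S+) in interface (\S+)", line)
            if m:
                cfg["applied"][m.group(2)] = m.group(1)
            cfg["refs"].update(re.findall(
                r"(?:access-group|access-list|match address|network-list value) (\S+)", line))
    return cfg

def lint(cfg):
    """Unreferenced ACLs, statics on an interface's own IP, permits with no translation behind them."""
    out = []
    for name in cfg["acls"]:
        if name not in cfg["refs"]:
            out.append(f"access-list {name} is defined but never applied or referenced")
    public = set()
    for st in cfg["statics"]:
        if_ip = cfg["interfaces"].get(st["mapped_if"])
        if st["mapped_ip"] == if_ip:
            out.append(f"static for {st['real_ip']}/{st['real_port']} reuses the {st['mapped_if']} "
                       f"interface address {if_ip}; use the 'interface' keyword instead")
        public.add((if_ip if st["mapped_ip"] == "interface" else st["mapped_ip"],
                    st["proto"], st["mapped_port"]))
    for name in cfg["applied"].values():
        for action, proto, src, dst, dport in cfg["acls"][name]:
            if action == "permit" and dst[0] == "host" and dport and (dst[1], proto, dport) not in public:
                out.append(f"{name} permits {proto}/{dport} to {dst[1]} but no static maps it")
    return out

def inbound_decision(cfg, iface, proto, src_ip, dst_ip, dst_port):
    """First-match walk of the ACL bound to iface. Pre-8.3 ACLs match the mapped (public)
    address; an unbound interface or an unmatched packet ends at the implicit deny."""
    name = cfg["applied"].get(iface)
    if name is None:
        return ("deny", "no access-group on interface; lower-security ingress is denied by default")
    for n, (action, aproto, src, dst, dport) in enumerate(cfg["acls"][name], 1):
        if aproto in ("ip", proto) and endpoint_matches(src, src_ip) and \
                endpoint_matches(dst, dst_ip) and dport in (None, dst_port):
            return (action, f"{name} line {n}")
    return ("deny", f"implicit deny at end of {name}")

BROKEN = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 10.10.10.10 255.255.255.248
!
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.10 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.10 eq https
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.11 eq www
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.12 eq www
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) tcp 10.10.10.11 www 192.168.1.21 www netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.12 www 192.168.1.22 www netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 smtp 192.168.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 https 192.168.1.20 https netmask 255.255.255.255
"""
# Ryan's two changes: let the statics borrow the outside address, and bind the ACL.
FIXED = BROKEN.replace("tcp 10.10.10.10 smtp", "tcp interface smtp").replace(
    "tcp 10.10.10.10 https", "tcp interface https") + "access-group OUTSIDE_IN in interface outside\n"
```

Running lint(parse_config(BROKEN)) reports OUTSIDE_IN as never applied and both 10.10.10.10 statics as sitting on the outside interface address; inbound_decision() on the same config denies a tcp/25 probe to 10.10.10.10 because no ACL is bound. On FIXED, lint returns nothing, the tcp/25 probe is permitted by OUTSIDE_IN line 1, and a tcp/80 probe to the same address still lands on the implicit deny, which is the rule ASDM shows and cannot delete.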
brightedge: Changing the static from the firewall IP to interface fixed it! I just ran a ShieldsUP and it showed 25 as open, and 443 as "exists but closed" (probably because I haven't enabled secure connections in Exchange yet).
Thank you thank you thank you for your help and suggestions

RyanG1: Huzzah!
You're welcome and I'm glad its working for you. =)
Ryan