Thank you very much for that. It fixed my problem and I can now access my DMZ webserver from outside :). My router was already configured to port forward to my outside interface. Can I ask why I need to use "interface" rather than 172.16.1.1? Is it similar to static routes where u specify either the exit interface or the next hop?

Would it be ok if I asked another quick question?

I am trying to get Authentication up and running now. once again I'm using the ADSM. I have added the an AAA authentication rule for www but it doesn't seem to be prompting me for username and password when I access my website.

I've attached my updated config. many thanks!

When you use port redirection/static PAT/port forwarding (or any of the other names it goes by), using the outside interface IP, you have to use the 'interface' keyword, instead of the IP address. This is actually a good thing, especially for SOHO users whose outside interface IP is dynamically assigned. You also need to use the 'interface outside' keywords with access-lists.

Are you wanting to authenticate in order for people to access your webserver in the DMZ? if so, that has to be done on the web server, not the firewall. ASDM is just the web gui to manage the firewall, it has nothing to do with web server behind the firewall itself.

Thank you for you explanation of setting Nat for the outside interface, it makes sense and yes its a good idea when dhcp is being used ;).

"Are you wanting to authenticate in order for people to access your webserver in the DMZ? if so, that has to be done on the web server, not the firewall. ASDM is just the web gui to manage the firewall, it has nothing to do with web server behind the firewall itself."

Yes I am trying to authenticate my users first before they reach the webserver behind the DMZ.... I thought it could be done. What I am trying to do is the same as the following:

http://safari.oreilly.com/1587052091/ch07lev1sec4

also from "Greg Abelar's" book - Securing Your business with Cisco ASA and PIX firewalls".

Page 151 - Authentication for Inbound and OuBound Services.

It states:

"For example, if you have a website on your DMZ thats is to be accessed only by a few choice users, the ASA/PIX can prompt anyone trying to access that site for a username and password before allowing access."

So from what I've read it can be done... I just can't get it to work :(

thanks again!

A better solution might actually be WebVPN...that will be easier to set up and is probably a bit better suited for what you're trying to do. Not to mention the number of WebVPN deployments at this point greatly out numbers the number of authentication proxy deployments.

Thanks for the suggestion.

I managed to get the authentication proxy up in running in two commands in the end so it was rather simple.

I am in the process of trying to learn about the ASA so I'm just experimenting with it. So I will more than likely test out the Web VPN setup as well.

Thank you very much for you help. Very much appreciated.

No offense but thats no true...Page 345 of 1154 of the Cisco Security Appliance Command Line Configuration Guide Version 8.0 you can enter either {mapped ip | interface}.

To configure static PAT, enter one of the following commands. •For policy static PAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Identify the real addresses and destination/source addresses using an extended access list. Create the extended access list using the access-list extended command (see the “Adding an Extended Access List” section on page 16-5). The protocol in the access list must match the protocol you set in this command. For example, if you specify tcp in the static command, then you must specify tcp in the access list. Specify the port using the eq operator.

The first address in the access list is the real address; the second address is either the source or destiniation address, depending on where the traffic originates. For example, to translate the real address 10.1.1.1/Telnet to the mapped address 192.168.1.1/Telnet when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are:

hostname(config)# access-list TEST extended tcp host 10.1.1.1 eq telnet 209.165.200.224 255.255.255.224

hostname(config)# static (inside,outside) tcp 192.168.1.1 telnet access-list TEST

Sorry is you reply in regards to this comment?

"When you use port redirection/static PAT/port forwarding (or any of the other names it goes by), using the outside interface IP, you have to use the 'interface' keyword, instead of the IP address. This is actually a good thing, especially for SOHO users whose outside interface IP is dynamically assigned. You also need to use the 'interface outside' keywords with access-lists. "

I understand what you saying based on the documentation, but the fact is when I used the mapped ip rather than the"interface" command it didn't work. I'd like to know why myself....

Thats good insight. I'll keep it in the back of my mind. Perhaps you stumbled across a bug Cisco documentation needs to caveat in its documentation or at least developers need to address. Perhaps, both. It was a constructive discussion, you and I.

Later,

Matt

Thanks, But I never really stumbled across it. Infact there could be some other reasoning behind is. srue, is the person who pointed it out. They may be able to explain how they came to that answer.

mlenco,

When you are using any sort of NAT/PAT/ACLs using the IP address of the outside interface, you need to use the interface keyword. If you are using an IP address not associated with an interface, then you use the mapped IP.

In a home environment, or any place where the IP is dynamically assigned, you *want* to use the interface keyword incase the IP address changes.

PIX/ASA will let you enter the command with the interface IP, but as the OP pointed out, it will not work. You will probably need to ask Cisco why this is.