ASA 5505 static NAT setting problem

Answered Question
Feb 25th, 2009
I bought the ASA 5505 firewall and wish to replace the existing PIX 506iE firewall.


In the old topology, there is only the inside network 192.168.1.0/24 (servers only), and 202.**.***.217 is the outside public interface. In the old setting, each server is mapped to one public IP by static NAT for public access, and no other users connect through the firewall.


For example:

original: inside 192.168.1.10

translated: outside 202.**.***.211


I read the manual of the ASA 5505 and it suggests putting the server in a DMZ, but I do not wish to change the network topology. Is it OK to map the outside public IP to the inside private IP without using a DMZ on the ASA 5505? Is the setting the same as on the PIX 506iE?

Correct Answer by JORGE RODRIGUEZ about 8 years 3 months ago

(I do not care which services pass from outside at this moment),

So is the setting in the attachment (NAT, access list) correct now?


As long as you are aware of the security risks, the rules are correct. The rule is wide open to connect to any service your 192.168.1.10 host can provide.


Regards




JORGE RODRIGUEZ Wed, 02/25/2009 - 19:12
User Badges:
  • Green, 3000 points or more

kw,


The instructions you have read for the ASA 5505 are the recommended guideline topology: use a DMZ to place your server, isolated from your private network, where it will be accessed from the outside public internetwork.


You can, however, do the static NAT mappings the same way you had them before on the PIX 506E, without using a DMZ network.


static (I/O) netmask


and your inbound access rule


Regards


wongkw3008 Wed, 02/25/2009 - 19:25
User Badges:

Thx; but does the "inbound access rule" mean the "outside_access_in" rules in ACL Manager?


Is this setting correct?


permit any tcp 202.**.***.211

JORGE RODRIGUEZ Wed, 02/25/2009 - 20:05
User Badges:
  • Green, 3000 points or more

Is 202.**.***.211 the IP address of your ASA 5505 outside interface, or is it a spare public IP?


If using the outside interface for mapping the inside host:


I will throw out a few examples for a few different scenarios.


example-1 :


allowing RDP using the outside interface -

static (inside,outside) tcp interface 3389 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 3389 log

access-group outside_access_in in interface outside



example-2


if you want to map several inside hosts using the outside ASA 5505 interface IP you can do port forwarding:

say you want to allow FTP, WWW, and 33389 for RDP to local LAN IPs 192.168.1.10, 11, 12


static (inside,outside) tcp interface 21 192.168.1.10 21 netmask 255.255.255.255

static (inside,outside) tcp interface 80 192.168.1.11 80 netmask 255.255.255.255

static (inside,outside) tcp interface 3389 192.168.1.12 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 21 log

access-list outside_access_in extended permit tcp any interface outside eq 80 log

access-list outside_access_in extended permit tcp any interface outside eq 3389 log

access-group outside_access_in in interface outside


example-3


if you have just a single spare public IP you can use it for one static NAT as follows: say the public IP is 20.20.20.20


static (inside,outside) 20.20.20.20 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 20.20.20.20 eq 3389 log

access-group outside_access_in in interface outside


you can also do port forwarding with a single spare public IP as shown in example 1



Regards


PLS rate any helpful post if it helps




wongkw3008 Wed, 02/25/2009 - 20:16
User Badges:

202.**.***.211 is the spare public IP, so I only need to map it to 192.168.1.10 like the existing setting. And I need it to allow HTTP access, FTP access and remote access from the Internet. Thx

JORGE RODRIGUEZ Wed, 02/25/2009 - 20:43
User Badges:
  • Green, 3000 points or more

Then you simply need a static NAT and an inbound access rule.


static (inside,outside) 202.**.***.211 192.168.1.10 netmask 255.255.255.255


access-list outside_access_in extended permit tcp any host 202.**.***.211 eq ftp log

access-list outside_access_in extended permit tcp any host 202.**.***.211 eq http log


wongkw3008 Wed, 02/25/2009 - 23:48
User Badges:

So is the setting in the attachment (NAT, access list) correct now?


(I do not care which services pass from outside at this moment)


quote from show run:


"access-list outside_access_in extended permit tcp any host 202.**.***.211

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,inside) 202.**.***.211 192.168.1.10 netmask 255.255.255.255 "
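The quoted show run above pairs an access-list line with no port clause with a static whose two interfaces are both "inside". The following lint, an added example that is not part of this thread or of any Cisco tool, walks a pre-8.3 ASA config and reports both conditions plus any ACL destination that no (inside,outside) static publishes; the sample configs are constructed, with the documentation address 203.0.113.211 standing in for the masked public IP.

```python
import re

# Constructed sample mirroring the poster's quoted "show run" above; the masked
# public IP is replaced with the documentation address 203.0.113.211.
BROKEN_CONFIG = """\
access-list outside_access_in extended permit tcp any host 203.0.113.211
access-group outside_access_in in interface outside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside) 203.0.113.211 192.168.1.10 netmask 255.255.255.255
"""

# The same pairing written the way the earlier reply shows it (constructed).
FIXED_CONFIG = """\
static (inside,outside) 203.0.113.211 192.168.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.211 eq ftp log
access-list outside_access_in extended permit tcp any host 203.0.113.211 eq http log
access-group outside_access_in in interface outside
"""

# One-to-one statics only; the port-forwarding form (static ... tcp interface ...) is skipped.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask \S+$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) \S+ host (\S+)(.*)$")

def lint_static_nat(config):
    """Return findings for the static NAT / inbound ACL pairing in a pre-8.3 ASA config."""
    findings = []
    published = set()   # global IPs that an (inside,outside) static actually exposes
    acl_targets = []    # (ACL name, destination host)
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, global_ip, _local_ip = m.groups()
            if real_if == mapped_if:
                # Translating between the same interface: packets arriving on
                # 'outside' never match this static, so the mapping is dead.
                findings.append(f"static never applies to outside traffic: {line}")
            else:
                published.add(global_ip)
        elif m := ACL_RE.match(line):
            name, proto, dst, port_clause = m.groups()
            acl_targets.append((name, dst))
            if not port_clause.strip():
                # No 'eq'/'range' clause: every port the host listens on is reachable.
                findings.append(f"ACL {name} permits all {proto} ports to {dst}: {line}")
    for name, dst in acl_targets:
        if dst not in published:
            findings.append(f"ACL {name} targets {dst} but no (inside,outside) static publishes it")
    return findings
```

Running `lint_static_nat(BROKEN_CONFIG)` yields three findings, while the corrected pairing in `FIXED_CONFIG` yields none.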


