02-25-2009 05:46 PM - edited 03-04-2019 03:43 AM
I bought an ASA 5505 firewall and wish to replace the existing PIX 506E firewall.
In the old topology there is only the inside network 192.168.1.0/24, for servers only, and 202.**.***.217 is the outside public interface. In the old setting, each server is mapped to one public IP by static NAT for public access, and no other users connect to the firewall.
For example:
original: inside 192.168.1.10
translated: outside 202.**.***.211
I read the manual of the ASA 5505 and it suggests putting the server in a DMZ, but I do not wish to change the network topology. Is it OK to map the outside public IP to the inside private IP without using a DMZ on the ASA 5505? Is the setting the same as on the PIX 506E?
02-25-2009 07:12 PM
kw,
The instructions you have read on the ASA 5505 are the recommended guideline topology scenario, using a DMZ to place your server isolated from your private network so that it can be accessed from the outside public inter-network.
You can, however, do the static NAT mappings the same way you had them before on the PIX 506E, without using a DMZ network:
static (I/O)
and your inbound access rule.
Regards
02-25-2009 07:25 PM
Thanks; but does the "inbound access rule" mean the "outside_access_in" rules in ACL Manager?
Is this setting correct?
permit any tcp 202.**.***.211
02-25-2009 08:05 PM
Is 202.**.***.211 the IP address of your ASA 5505 outside interface, or is it a spare public IP?
If using the outside interface for mapping the inside host:
I will throw in a few examples for a few different scenarios.
Example 1:
allowing RDP using the outside interface (the inside host 192.168.1.10 is the one from your post) -
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 3389 log
access-group outside_access_in in interface outside
Example 2:
if you want to map several inside hosts using the outside ASA 5505 interface IP, you can do port forwarding.
Say you want to allow FTP, WWW, and 33389 for RDP to the local LAN IPs 192.168.1.10, 11, 12:
static (inside,outside) tcp interface 21 192.168.1.10 21 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.1.11 80 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.12 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 21 log
access-list outside_access_in extended permit tcp any interface outside eq 80 log
access-list outside_access_in extended permit tcp any interface outside eq 3389 log
access-group outside_access_in in interface outside
Example 3:
if you have just a single spare public IP, you can use it for one static NAT as follows. Say the public IP is 20.20.20.20 and the inside host is 192.168.1.10:
static (inside,outside) 20.20.20.20 192.168.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 20.20.20.20 eq 3389 log
access-group outside_access_in in interface outside
You can also do port forwarding with a single spare public IP, as shown in example 1.
Regards
Please rate any helpful post if it helps.
02-25-2009 08:16 PM
202.**.***.211 is the spare public IP, so I only need to map it to 192.168.1.10 like the existing setting. And I need it to allow HTTP access, FTP access and remote access from the Internet. Thanks.
02-25-2009 08:43 PM
Then you simply need a static NAT and an inbound access rule:
static (inside,outside) 202.**.***.211 192.168.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 202.**.***.211 eq ftp log
access-list outside_access_in extended permit tcp any host 202.**.***.211 eq http log
02-25-2009 11:48 PM
So is the setting in the attachment (NAT, access list) correct now?
(I do not care which service passes from outside at this moment.)
Quote from show run:
"access-list outside_access_in extended permit tcp any host 202.**.***.211
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside) 202.**.***.211 192.168.1.10 netmask 255.255.255.255 "
02-26-2009 12:54 AM
(I do not care which service passes from outside at this moment.)
So is the setting in the attachment (NAT, access list) correct now?
As long as you are aware of the security risks, the rules are correct. The rule is wide open to connect to any service your 192.168.1.10 host can provide.
Regards
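The accepted answer above points out that an `access-list ... permit tcp any host X` line with no `eq <port>` exposes every TCP service on the mapped host, and the earlier examples show the `static (inside,outside)` and per-port ACL forms that scope it down. The script below is an added example (not Cisco code and not from anyone in this thread): a small linter that parses those three command forms and reports the mistakes the replies warn about, including an interface pair like `(inside,inside)`, a permit with no port, a rule without `log`, an ACL that is never applied with `access-group`, and a rule whose destination no static NAT maps. The sample configs are constructed; the masked public IP from the thread is replaced with the documentation address 203.0.113.211, and the parser only understands the old-style (pre-8.3) `static` syntax used in the thread.

```python
"""Lint ASA 'static' / 'access-list' / 'access-group' lines of the kind posted
in this thread. Added example, not Cisco code: it understands only the command
forms shown above, and the sample addresses below are constructed placeholders.
"""
import re

# static (real_if,mapped_if) tcp|udp <mapped|interface> <mport> <real> <rport> [netmask M]
STATIC_PORT_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+)"
    r"(?: netmask (?P<mask>\S+))?$"
)
# static (real_if,mapped_if) <mapped> <real> [netmask M]
STATIC_ONE_TO_ONE_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+)(?: netmask (?P<mask>\S+))?$"
)
# access-list NAME extended permit|deny PROTO SRC DST [eq PORT] [log]
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+|interface \S+)"
    r"(?: eq (?P<port>\S+))?(?P<log> log)?$"
)
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)$")


def parse(config):
    """Return (statics, acl_entries, {acl_name: interface}); other lines are ignored."""
    statics, acls, groups = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_PORT_RE.match(line) or STATIC_ONE_TO_ONE_RE.match(line)
        if m:
            statics.append(m.groupdict())
            continue
        m = ACL_RE.match(line)
        if m:
            acls.append(m.groupdict())
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            groups[m["name"]] = m["iface"]
    return statics, acls, groups


def lint(config):
    """Return a list of human-readable findings; an empty list means clean."""
    statics, acls, groups = parse(config)
    findings = []
    for s in statics:
        if s["real_if"] == s["mapped_if"]:
            findings.append(
                f"static for {s['real']} uses the same interface on both sides "
                f"({s['real_if']},{s['mapped_if']}); inbound NAT needs (inside,outside)"
            )
    mapped = {s["mapped"] for s in statics}  # public IPs, or 'interface' for port forwards
    for name in sorted({a["name"] for a in acls}):
        if name not in groups:
            findings.append(f"{name} is defined but never applied with access-group")
    for a in acls:
        if a["action"] != "permit":
            continue
        rule = f"{a['name']}: permit {a['proto']} {a['src']} {a['dst']}"
        if a["proto"] in ("tcp", "udp") and a["port"] is None:
            findings.append(f"{rule} has no 'eq <port>', so every {a['proto']} service on the host is exposed")
        if a["log"] is None:
            findings.append(f"{rule} lacks 'log', so hits will not appear in syslog")
        if a["dst"].startswith("host "):
            target = a["dst"].split()[-1]
        elif a["dst"].startswith("interface "):
            target = "interface"
        else:
            target = None
        if target and target not in mapped:
            findings.append(f"{rule} targets {target}, which no static NAT maps to an inside host")
    return findings


# Constructed sample resembling the 'show run' quoted in the thread, with the
# masked public IP replaced by the documentation address 203.0.113.211.
AS_POSTED = """\
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside) 203.0.113.211 192.168.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.211
access-group outside_access_in in interface outside
"""

# The same mapping with one rule per service (FTP, HTTP, RDP), as the replies suggest.
SCOPED = """\
static (inside,outside) 203.0.113.211 192.168.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.211 eq ftp log
access-list outside_access_in extended permit tcp any host 203.0.113.211 eq http log
access-list outside_access_in extended permit tcp any host 203.0.113.211 eq 3389 log
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("scoped", SCOPED)):
        found = lint(cfg)
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it as-is to compare the two samples, or paste your own `show run` lines into `lint()`; the `(inside,inside)` check reproduces the typo visible in the quoted configuration, and the missing-port check is exactly the "wide open" condition the accepted answer describes.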