Configuring ASA Public servers

Answered Question
Jun 3rd, 2010

I have just bought an ASA 5510 and am trying to configure it, but it is not working the way I expect.

I have several internal servers which need to be accessed from the web. If I create a NAT entry for each, and a corresponding access rule, the servers cannot be accessed. If, however, I add the servers in the 'Public Servers' section, it automatically adds the appropriate NAT and Access rule, and it works. My first question is why is this so? Surely adding the NAT and Access rule should work?

Secondly, although it works by adding the servers via Public folders, it only does so by assigning a different public IP for each internal server. I want to assign different ports from one external IP to different internal servers to conserve IPs, but it will not let me do this: adding a server in Public server assigns an IP to that internal server, even though I specify, for example, only smtp as the service. If I try to add another Public server, say http, to another internal machine, it says the external address overlaps with another in use. This can be done by configuring NAT and Access Rule directly, but this doesn't work. I can only access my servers by doing it via Public Servers. Is this by design, or am I doing something wrong?


Federico Coto F... Thu, 06/03/2010 - 09:26

Alan,


To see if you're doing something wrong, please post the output of the following lines from the ASA:


sh run static

sh run access-group

sh run access-list


You can change your sensitive information before posting.


Federico.

alanmsv1234 Thu, 06/03/2010 - 09:50

MSV-ASA# sh run static
static (Inside,Outside) tcp xxx.29 pptp Fileserver pptp netmask 255.255.255.255
static (DMZ,Outside) tcp xxx.27 imap4 pop.m.org imap4 netmask 255.255.255.255
static (DMZ,Outside) tcp xxx.27 pop3 pop.m.org pop3 netmask 255.255.255.255
static (DMZ,Outside) tcp xxx.27 smtp CentOs smtp netmask 255.255.255.255
static (Inside,Outside) xxx.28 Commserver netmask 255.255.255.255



MSV-ASA# sh run access-group
access-group Outside_access_in in interface Outside




MSV-ASA# sh run access-list
access-list Outside_access_in extended permit tcp any host CentOs eq smtp
access-list Outside_access_in extended permit tcp any host xxx.29 eq pptp
access-list Outside_access_in extended permit tcp object-group Webroot host xxx.28 eq smtp
access-list Outside_access_in extended permit tcp any host xxx.28 object-group DM_INLINE_TCP_0
access-list Outside_access_in extended permit tcp any host Fileserver eq pptp
access-list Outside_access_in extended permit tcp any host pop.m.org object-group DM_INLINE_TCP_1

Federico Coto F... Thu, 06/03/2010 - 09:58

Thank you,


You can share the same public IP address with multiple internal addresses if doing static PAT and that's what you're doing:


static (in,out) tcp public_IP port internal_IP port


You can have the above line multiple times for the same public_IP and for different internal IPs as long as using different ports.

You say the configuration that you posted here works? Or which line(s) gives you problems?


Federico.

alanmsv1234 Thu, 06/03/2010 - 10:04

That config does not work, but I think I've spotted the flaw:

it works if the destination of the access rule is the external IP of the internal server, but does not work if the destination is specified as the internal server (in this case centos). This seems somewhat counter-intuitive to me, and different from the ISR routers, where you do specify the internal name/ip.

I have done all config via the ASDM, not CLI. I am assuming the Public servers config option is a 'user friendly' way of doing the nat and access list in one go?

Correct Answer
Federico Coto F... Thu, 06/03/2010 - 10:12

Yes, you're right.

On the ACLs, the outside (public) IP address needs to be defined.


If you define the private IP on the ACL (for incoming traffic) it will not work because the only IP visible to the Internet is the outside IP.


Actually just as a side note, this is a new improvement on version 8.3

Using 8.3 you can define the private real address on the incoming ACL, so that if you need to change the public IP, you don't need to modify the ACL each time.


Federico.
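The two rules Federico states above (an 8.2 inbound ACL must name the mapped public IP, and one public IP may carry several static PATs only on distinct ports) can be checked mechanically. This is an added example, not from the thread or from Cisco: a small audit over a constructed 8.2-style config with placeholder addresses; the function name audit_asa82 and the sample lines are assumptions.

```python
# Constructed ASA 8.2-style snippet shaped like the thread's config (placeholder
# RFC 5737/1918 addresses, not the poster's). Two static PATs share 203.0.113.27
# on different ports; the first ACE wrongly names the DMZ server's real address
# instead of the mapped one, which is exactly the mistake diagnosed in the thread.
CONFIG_82 = """
static (DMZ,Outside) tcp 203.0.113.27 smtp 192.168.2.10 smtp netmask 255.255.255.255
static (DMZ,Outside) tcp 203.0.113.27 pop3 192.168.2.11 pop3 netmask 255.255.255.255
static (Inside,Outside) 203.0.113.28 192.168.1.20 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp any host 192.168.2.10 eq smtp
access-list Outside_access_in extended permit tcp any host 203.0.113.27 eq pop3
access-list Outside_access_in extended permit tcp any host 203.0.113.28 eq smtp
"""


def audit_asa82(config):
    """Return findings for an 8.2-style config (pre-8.3 NAT semantics):
    - an inbound ACE whose destination is a real (inside/DMZ) address that is
      only reachable through a static translation; 8.2 ACLs must use the mapped IP
      (8.3 reverses this and expects the real address);
    - two static PAT lines claiming the same public IP/protocol/port for different
      real hosts; sharing one public IP is fine only on distinct ports.
    Hostnames from 'name' statements work too, as long as the same name appears
    in both the static and the ACE (as with 'CentOs' in the thread)."""
    lines = [l.split() for l in config.strip().splitlines() if l.strip()]
    mapped, real, pat_slots, findings = set(), set(), {}, []
    # Pass 1: statics. Done first because 'show run' lists access-lists before statics.
    for tok in lines:
        if tok[0] != "static":
            continue
        if tok[2] in ("tcp", "udp"):       # static (in,out) PROTO PUBLIC PPORT REAL RPORT netmask ...
            pub, rip = tok[3], tok[5]
            slot = (pub, tok[2], tok[4])
            if slot in pat_slots and pat_slots[slot] != rip:
                findings.append(f"overlap: {'/'.join(slot)} maps to both {pat_slots[slot]} and {rip}")
            pat_slots[slot] = rip
        else:                              # static (in,out) PUBLIC REAL netmask ...
            pub, rip = tok[2], tok[3]
        mapped.add(pub)
        real.add(rip)
    # Pass 2: inbound ACEs; the destination is the operand after the last 'host' keyword.
    for tok in lines:
        if tok[0] != "access-list" or "host" not in tok:
            continue
        dst = tok[len(tok) - tok[::-1].index("host")]
        if dst in real and dst not in mapped:
            findings.append(f"{tok[1]}: destination {dst} is a real address; 8.2 inbound ACLs must use the mapped public IP")
    return findings


if __name__ == "__main__":
    for finding in audit_asa82(CONFIG_82):
        print(finding)
```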

alanmsv1234 Fri, 06/04/2010 - 01:03

So, if I upgrade from 8.2 to 8.3, I could use the internal names/ip's in my ACLs? As you say, this would be much more flexible, as I do indeed plan to change external IP scheme eventually.

Correct Answer
Federico Coto F... Fri, 06/04/2010 - 08:44

Yes, but before attempting the upgrade to 8.3 you need to consider that the NAT configuration changed completely, the entire configuration is more object-group oriented than before, etc. You need extra memory also.


Please review this information prior to going to 8.3


Migration guide to 8.3

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html


Release notes

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html


Federico.
