ASA 5500 config question

Unanswered Question
Sep 8th, 2010

I have an ASA 5500 router.  I am routing public traffic to one or more web servers that are behind the firewall.

I have a rule that NATs

outside xxx.xxx.xxx.001 on port 80, to private ip 192.168.1.101 on port 80

outside xxx.xxx.xxx.001 on port 1080, to private ip 192.168.1.40 on port 1080

outside xxx.xxx.xxx.001 on port 2080, to private ip 192.168.1.50 on port 2080

The first entry is an address in an NLB cluster that can be set to any server dynamically.  Entries 2 & 3 allow me to direct traffic to a desired server (the 192.167.1.40 and 50 are not part of the cluster).

All this works fine.  I want to duplicate this on multiple outside IPs.  For example:

outside xxx.xxx.xxx.002 on port 1080 to private 192.168.1.40 on port 1080

When I try and configure this, I get an error saying it overlaps with another rule.

If this would work, I would use the host header to route the traffic in the web server to the appropriate site.

Is there a way to configure this?  I am using the GUI to configure it.

Jon Marshall Wed, 09/08/2010 - 12:16

davealessi wrote:

I have an ASA 5500 router.  I am routing public traffic to one or more web servers that are behind the firewall.

I have a rule that NATs

outside xxx.xxx.xxx.001 on port 80, to private ip 192.168.1.101 on port 80

outside xxx.xxx.xxx.001 on port 1080, to private ip 192.168.1.40 on port 1080

outside xxx.xxx.xxx.001 on port 2080, to private ip 192.168.1.50 on port 2080

The first entry is an address in an NLB cluster that can be set to any server dynamically.  Entries 2 & 3 allow me to direct traffic to a desired server (the 192.167.1.40 and 50 are not part of the cluster).

All this works fine.  I want to duplicate this on multiple outside IPs.  For example:

outside xxx.xxx.xxx.002 on port 1080 to private 192.168.1.40 on port 1080

When I try and configure this, I get an error saying it overlaps with another rule.

If this would work, I would use the host header to route the traffic in the web server to the appropriate site.

Is there a way to configure this?  I am using the GUI to configure it.

Dave

Unfortunately no. Unless you can use policy NAT, i.e. identify which source IPs are coming in from the internet to which address, then no, you can't do this because of the overlap. But it is unlikely you can do this.

Jon

Nagaraja Thanthry Wed, 09/08/2010 - 16:10

Hello,

Here is a sample configuration you could use:

access-list pnat1 permit tcp host 192.168.1.101 eq 1080 any

access-list pnat2 permit tcp host 192.168.1.101 eq 1080 any

static (inside,outside) tcp xxx.xxx.xxx.001 1080 access-list pnat1

static (inside,outside) tcp xxx.xxx.xxx.002 1080 access-list pnat2

This will ensure that the firewall will accept connections on both addresses and translates them to the inside server.

Hope this helps.

Regards,

NT

Jon Marshall Thu, 09/09/2010 - 01:56

NT

Thanks for posting this. I seem to remember seeing this solution before (on NetPro) but I completely forgot about it. +5

Jon

davealessi Sat, 09/11/2010 - 03:58

I am having problems with this...

I created the access lists. (BTW: Is there a way to see the access lists in the GUI?)

When I try and add the static routes, it gives an error message:

"ERROR: access-list used in static has different local addresses"

Here is the actual stuff I entered:

access-list Nat1 permit tcp host 192.168.1.40 eq 1080 any

access-list Nat1 permit tcp host 192.168.1.50 eq 2080 any

static (inside,outside) tcp xxx.34.249.198 1080 access-list Nat1 (won't take this)

static (inside,outside) tcp xxx.34.249.198 2080 access-list Nat2 (won't take this)

I want traffic on xxx.34.249.198 and xxx.34.249.199 to route traffic to the private address 192.168.1.40 if it comes in on 1080, or 192.168.1.50 if it comes in on 2080.

Nagaraja Thanthry Sat, 09/11/2010 - 07:36

Hello,

You cannot mix the IP addresses in the Policy-NAT. Please try the following.

access-list Nat1 permit tcp host 192.168.1.40 eq 1080 any

access-list Nat2 permit tcp host 192.168.1.40 eq 1080 any

access-list Nat3 permit tcp host 192.168.1.50 eq 2080 any

access-list Nat4 permit tcp host 192.168.1.50 eq 2080 any

static (inside,outside) tcp xxx.34.249.198 1080 access-list Nat1

static (inside,outside) tcp xxx.34.249.199 1080 access-list Nat2

static (inside,outside) tcp xxx.34.249.198 2080 access-list Nat3

static (inside,outside) tcp xxx.34.249.199 2080 access-list Nat4

Hope this helps.

Regards,

NT
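The two errors this thread runs into (an access-list used in a static that mixes local hosts, and two statics claiming the same outside address and port) are easy to catch before pasting config into the ASA. The following is an added checker, not something from the thread or from Cisco; it assumes the pre-8.3 `static ... access-list` syntax shown above, and the outside addresses in the constructed sample are documentation-range placeholders for the poster's xxx.34.249.x.

```python
import re
from collections import defaultdict

# Constructed sample that reproduces both mistakes: Nat3 still carries two
# different local hosts, and two statics share outside 203.0.113.197:2080.
SAMPLE_CONFIG = """
access-list Nat1 permit tcp host 192.168.1.40 eq 1080 any
access-list Nat2 permit tcp host 192.168.1.40 eq 1080 any
access-list Nat3 permit tcp host 192.168.1.40 eq 1080 any
access-list Nat3 permit tcp host 192.168.1.50 eq 2080 any
access-list Nat4 permit tcp host 192.168.1.50 eq 2080 any
static (inside,outside) tcp 203.0.113.197 1080 access-list Nat1
static (inside,outside) tcp 203.0.113.198 1080 access-list Nat2
static (inside,outside) tcp 203.0.113.197 2080 access-list Nat3
static (inside,outside) tcp 203.0.113.197 2080 access-list Nat4
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit tcp host (\S+) eq (\d+) any$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\d+) access-list (\S+)$")


def parse(config):
    """Collect policy-NAT ACL entries and the statics that reference them."""
    acls = defaultdict(list)   # acl name -> [(local_ip, local_port), ...]
    statics = []               # [(outside_ip, outside_port, acl_name), ...]
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append((m.group(2), int(m.group(3))))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, statics


def check_policy_nat(config):
    """Return (kind, detail) findings that the ASA would reject or that collide."""
    acls, statics = parse(config)
    findings = []
    for name, entries in acls.items():
        # One policy-NAT ACL may only name a single local host.
        if len({ip for ip, _ in entries}) > 1:
            findings.append(("different-local-addresses", name))
    used = {}
    for oip, oport, acl in statics:
        key = f"{oip}:{oport}"
        if key in used:            # same outside socket claimed twice
            findings.append(("overlap", key))
        used[key] = acl
        if acl not in acls:        # static points at an ACL that is not defined
            findings.append(("missing-acl", acl))
    return findings
```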

davealessi Mon, 09/13/2010 - 02:42

How can I view the access-list in the GUI? I have this partially working, however I am getting errors on some of the rules. I think I may have set them up correctly, and I cannot find how to view or remove them. When I do a show access-list, here is what I get...How do I clean this up?

access-list Mail; 1 elements

access-list Mail line 1 extended permit tcp any any eq smtp (hitcnt=0) 0xe7e20b19

access-list Nat1; 2 elements

access-list Nat1 line 1 extended permit tcp host 192.168.1.40 eq 1080 any (hitcnt=0) 0xacd38216

access-list Nat1 line 2 extended permit tcp host 192.168.1.50 eq 2080 any (hitcnt=0) 0x34dcf205

access-list Nat3; 2 elements

access-list Nat3 line 1 remark Allow access to superglide on isc sites (qa, prod, demo, etc.)

access-list Nat3 line 2 remark Allow access to superglide on isc sites (qa, prod, demo, etc.)

access-list Nat3 line 3 extended permit tcp host 192.168.1.40 eq 1080 any (hitcnt=0) 0x37058c3a

access-list Nat3 line 4 extended permit tcp host 192.168.1.50 eq 2080 any (hitcnt=0) 0x37b82f3d

access-list Nat4; 1 elements

access-list Nat4 line 1 remark Allow access to Ultraglide for ISC sites

access-list Nat4 line 2 extended permit tcp host 192.168.1.50 eq 2080 any (hitcnt=0) 0x89b7258f

access-list inside_nat_static; 1 elements

access-list inside_nat_static line 1 remark Allow access to ISC sites on ultraglide

access-list inside_nat_static line 2 extended permit tcp host 192.168.1.50 eq 2080 any (hitcnt=0) 0xd8718611

Nagaraja Thanthry Mon, 09/13/2010 - 05:34

Hello,

You can see the access-lists by going to

Configuration>Firewall>Access-rules

If a specific set of NAT are not working, can you please make sure that the server is listening on that port and its default gateway is set to the firewall?

Regards,

NT

davealessi Mon, 09/13/2010 - 11:09

I don't see "Firewall" under Configuration. I see "Interfaces", "Security policy", "NAT", etc.

Also, when I try and edit the security policy and add a comment, it gives me errors. Unfortunately, the system will not allow me to copy the error message.

It says - access list Nat4 line2 extended permit tcp host ....... found duplicate element

no access list Nat4 line 3 ...Specified access list does not exist at that line

What does all this mean?

davealessi Mon, 09/13/2010 - 03:25

Please disregard my prior comment. I found how to remove the access lists.

clear config access-list Nat1

clear config access-list Nat2

clear config access-list Nat3

clear config access-list Nat4

access-list Nat1 permit tcp host 192.168.1.40 eq 1080 any

access-list Nat2 permit tcp host 192.168.1.40 eq 1080 any

access-list Nat3 permit tcp host 192.168.1.50 eq 2080 any

access-list Nat4 permit tcp host 192.168.1.50 eq 2080 any

static (inside,outside) tcp xxx.34.249.197 1080 access-list Nat1

static (inside,outside) tcp xxx.34.249.198 1080 access-list Nat2

static (inside,outside) tcp xxx.34.249.197 2080 access-list Nat3

static (inside,outside) tcp xxx.34.249.198 2080 access-list Nat4

After entering the previous commands, it works on Nat1 & Nat2, but not on Nat3 and Nat4.

Ideas?

I would still like to know how to view access lists in the GUI. Is it possible?
