CISCO ASA 8.3 : Public Servers

anthonymedaglia
Level 1

Hi,

I have a problem with the configuration of ASA 8.3 to publish internal servers on the output interface with the Public Servers feature.

In fact I have a pool of public IP addresses from my ISP. The first is used by the output interface on the ASA. I want to use the other IPs to reach internal servers on my LAN.

For example :

195.10.10.1 --> ASA output interface (WAN)

192.168.10.1 --> Input interface (LAN)

195.10.10.2 --> ASA --> 192.168.10.2 (Web server HTTP/HTTPS)

195.10.10.3 --> ASA --> 192.168.10.3 (FTP server)

195.10.10.4 --> ASA --> 192.168.10.4 (Remote Desktop 3389)

I've configured the Public Servers feature like this (example for one server):

Private int : inside

Private add : 192.168.10.4

Private service : RDP (TCP 3389)

Public int : Outside

Public add : 195.10.10.4

This feature automatically adds some rules (a static NAT rule and an access rule), so I think that the configuration is correct.

BUT it doesn't work. I get no answer from 195.10.10.4. The RDP connection doesn't work and it's the same for ping.

Thanks for your help to resolve this issue !!!

6 Replies

Jitendriya Athavale
Cisco Employee

Could you please paste the config for NAT? Paste the output of the command

sh run nat

Also check the access-list on the outside. In 8.3 and above, when you add an access-list you will need to permit the real IPs and not the translated IPs.

Since you have the real IP on the outside as well, I think you must have done it right, but in any case, if you have used the same IP in order to hide the public IP, then please check the access-list as well.
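As an added illustration (not configuration from the thread), the CLI that an ASA 8.3 Public Servers entry for the RDP host corresponds to, with the point of the reply above applied: the object holds the real address, the static NAT is attached to that object, and the outside access-list matches the real (untranslated) address. The object name SRV_RDP_REAL and the access-list name are assumptions; the pre-8.3 form is shown commented out only for comparison.

```cisco
! Real host object; the static NAT on the object maps it to the public address
object network SRV_RDP_REAL
 host 192.168.10.4
 nat (inside,outside) static 195.10.10.4

! 8.3+: the access-list on the outside interface must name the REAL address
! and is best limited to the published service rather than "permit ip any"
access-list outside_access extended permit tcp any host 192.168.10.4 eq 3389
access-group outside_access in interface outside

! Pre-8.3 equivalent, for comparison only: mapped address in the static AND the ACL
! static (inside,outside) 195.10.10.4 192.168.10.4 netmask 255.255.255.255
! access-list outside_access extended permit tcp any host 195.10.10.4 eq 3389
```

ASDM's Public Servers wizard produces the same thing with the mapped address wrapped in its own object (the A_195.10.10.4 style name in this thread); either form is valid. Note that a static object NAT is bidirectional: connections initiated by 192.168.10.4 toward the internet will also leave sourced from 195.10.10.4.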

Thanks for your reply

The access rule is:

access-list outside_access extended permit ip any host 192.168.10.4 --> It's the correct LAN address

(This rule accepts all IP traffic for now, for testing.)

The NAT configuration is:

object network PublicServer_NAT2

nat (inside,outside) static A_195.10.10.4 --> The correct public address

I tested the config with the Packet Tracer included in ASDM and the result is good: the packet is allowed.

So I don't understand the issue.

Thanks a lot.

Can you collect some captures? Also, if you have other statics, are they working fine?

Check if you have this command by issuing the command show run all sysopt:

no sysopt noproxyarp outside

From the 192.168.1.4 server, see if you can ping outside (basically check if you can get out when you initiate from inside from this server).

Also collect captures on the outside interface and see if you see packets going to and coming from the firewall for this particular IP.

For example:

capture capout interface outside match ip host 192.168.1.4 host 4.2.2.2

Thanks,
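An added verification sequence for the checks suggested above, not commands from the thread. It covers the proxy ARP setting, a simulated inbound RDP packet, and captures on both interfaces. The source address 203.0.113.10 and the capture names are assumptions.

```cisco
! Proxy ARP for the mapped address is on by default; this must NOT show
! "sysopt noproxyarp outside" or the ASA will never answer ARP for 195.10.10.4
show run all sysopt | include noproxyarp

! Simulate an inbound RDP connection through NAT and the outside ACL
! (inbound on outside, the destination is the MAPPED address)
packet-tracer input outside tcp 203.0.113.10 40000 195.10.10.4 3389

! Captures match addresses as they appear on that interface's wire:
! mapped address on outside, real address on inside
capture capout interface outside match tcp any host 195.10.10.4 eq 3389
capture capin interface inside match tcp host 192.168.10.4 any
! ... attempt the RDP connection from the internet, then:
show capture capout
show capture capin
no capture capout
no capture capin
```

If packet-tracer allows the flow but capout stays empty, the packets are not reaching the ASA at all, which points below the firewall policy: routing or ARP on the upstream device rather than NAT or the access-list.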

I don't understand the aim of the show run all sysopt command, but the result is:

Result of the command: "show run all sysopt"

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside

In log monitoring I have no trace of any connection to 195.10.10.4.

I tried your suggestion about pinging from 192.168.10.4 and you're right, the server doesn't ping. In fact it's due to the Public Servers configuration, because in log monitoring I see: Built outbound ICMP connection for faddr 66.249.92.104 gaddr 195.10.10.4 laddr 192.168.10.4 (it's a ping to Google; faddr is Google's address).

The server tries to connect to the internet with the 195.10.10.4 public address; does it use the static NAT from the Public Servers configuration?

Thanks a lot.

Hi Anthony,

I am not sure if I understood you right, please correct me if I am wrong.

You have pinged from outside to 192.168.1.4, which is on the inside.

What I would like you to do is try to ping from 192.168.1.4 to the outside and capture the traffic flow; this will confirm if the static NAT is working fine.

Also, on the upstream device, check the ARP entry for this 192.168.1.4 IP and see if it is the firewall's MAC address; if not, try hard-coding it (this step only if you see packets leaving and not coming back in your captures).

Thanks for your reply, but I resolved the problem myself.

In fact I manually added a static ARP entry to link my public IP address 195.10.10.4 to the MAC address of my WAN interface.

Now it's working!!!!
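As an added example of the resolution above (not the poster's own commands): the upstream device must resolve the mapped address 195.10.10.4 to the ASA's outside MAC. Normally the ASA answers that ARP itself via proxy ARP for the static NAT, so the checks below first confirm nothing has disabled it, then pin the mapping on the upstream router. The upstream being a Cisco IOS router and the MAC 0011.2233.4455 are assumptions; substitute the value printed by the first command.

```cisco
! --- On the ASA: the MAC the public address must resolve to
show interface outside | include MAC

! Proxy ARP for a static NAT is suppressed if the "no-proxy-arp" keyword
! was added to the nat line; confirm it is absent for this server
show run nat | include no-proxy-arp

! --- On the upstream router (assumed Cisco IOS): what does it currently hold?
show ip arp 195.10.10.4

! Static entry pinning the mapped address to the ASA outside MAC (placeholder value)
arp 195.10.10.4 0011.2233.4455 ARPA
```

A static ARP entry on the upstream device works around the symptom; if the ASA was expected to proxy-ARP for the address and is not, it is worth finding out why (the sysopt and no-proxy-arp checks above, or a subnet mismatch between the outside interface and the public pool), because the same problem will recur for 195.10.10.2 and 195.10.10.3.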
