03-08-2012 11:02 AM - edited 03-11-2019 03:39 PM
Our external security department needs to scan, every three months, a computer behind the firewall. I need to create a simple NAT rule that will allow an IP address or subnet to reach the computers behind the ASA 5505. At the moment, we have a simple NAT rule which allows all network traffic to exit from inside to outside. Can you post a NAT rule that will permit the external IP to access the internal computers?
Thanks
03-08-2012 11:56 AM
Hello,
Some things which we'll need to know:
- What IOS version is the ASA running? (If you don't know, you can do a 'show version' command)
- What specific ports does the scan need? Or do you want to open all ports to the scan?
If you have another available public IP address, you can open up all ports to the scan. If your only available public IP address is the one the ASA is using, we will need to know what ports will be in use by the scan.
Thanks!
Joey
03-08-2012 12:04 PM
Hello,
I followed the instructions and ran show version. The current Cisco Adaptive Security Appliance Software Version is 7.2(3). The scanner will need to hit every port on the computer(s) behind the firewall. For example purposes, the scanner is coming from the a.b.c.d network, going through the external firewall address 192.168.1.0 (external interface or VLAN2) and then hitting the 10.2.1.0/24 (internal interface VLAN1) computers.
03-08-2012 12:11 PM
Here's what you'll need:
ASA# conf t
ASA(config)# static (vlan1,vlan2) 192.168.1.x 10.2.1.x netmask 255.255.255.255
Note that 192.168.1.x is the external IP that the scanner will connect to. This will translate to the real computer address of 10.2.1.x. 192.168.1.x shouldn't be the IP you are using for internet access for the inside.
Don't forget the access-list!
ASA# conf t
ASA(config)# access-list outside_access_in permit ip host
ASA(config)# access-group outside_access_in in interface
Here's a Cisco doc if you need more explanation:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#s11
Hope this helps!
Joey
03-08-2012 12:25 PM
Joseph,
Not to get confused, but in your command static (vlan1,vlan2) 192.168.1.x 10.2.1.x netmask 255.255.255.255, it shows 192.168.1.x as the vlan1 interface. Am I reading this command correctly? In my previous note, it was mentioned that interface 1 or vlan1 is 10.2.1.x and interface 2 or vlan2 is 192.168.1.x.
Thanks
03-08-2012 12:30 PM
Hello,
Actually, that's how the syntax is set up. Here's an excerpt from the Cisco doc which might make more sense:
static (real_interface,mapped_interface) mapped_ip real_ip netmask mask
Here, 'real' refers to your internal vlan 1. 'mapped' refers to your external vlan 2.
Sorry if it's confusing, I know it doesn't make much intuitive sense.
Thanks!
Joey
03-08-2012 12:42 PM
Great! Thanks so much!
Will the same rule work if we need to allow an external address to access a file server behind the firewall?
Thanks
03-08-2012 12:49 PM
Yep.
Just remember the above syntax for a one-to-one mapping. Also remember you'll probably need an ACL entry for any new connections going through.
Just FYI, if you want to be more specific in your translation, you can specify ports as well:
static (real_interface,mapped_interface) [tcp/udp] mapped_ip [mapped_port] real_ip [real_port] netmask mask
This might be more helpful for your file server. For instance, you could only translate FTP traffic instead of all ports. This is better practice security-wise and can also help save external IPs from being used up.
Thanks!
Joey
03-08-2012 01:04 PM
Just for checking purposes, I ran the command sh nat and the firewall returned this back to me. What do you think?
ciscoasa# sh nat
NAT policies on Interface inside:
match ip inside host 10.2.1.1 outside any
static translation to 192.168.1.2
translate_hits = 0, untranslate_hits = 87
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
dynamic translation to pool 1 (192.168.1.2 [Interface PAT])
translate_hits = 43740, untranslate_hits = 121
match ip inside any _internal_loopback any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
ciscoasa#
03-08-2012 02:12 PM
Hello,
As I mentioned before, you should not use the same external IP as your existing PAT to avoid conflicts. Can you use a different external IP address? I would suggest removing the static for now to avoid any issues.
Sent from Cisco Technical Support iPhone App
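An added example, not from this thread or from Cisco: a small Python checker for the two points Joey raises above, that a static's mapped IP must not be the interface PAT address, and that inbound connections still need an ACL entry on the outside interface. It runs on a constructed pre-8.3 ASA config fragment modelled on the thread (the addresses and the access-list name outside_access_in are assumptions, not the poster's real configuration).

```python
import re

# Constructed sample config, modelled on the thread's ASA 7.2(3) setup (not the poster's real config).
SAMPLE_CFG = """
interface Vlan2
 nameif outside
 ip address 192.168.1.2 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.1.2 10.2.1.1 netmask 255.255.255.255
static (inside,outside) 192.168.1.3 10.2.1.5 netmask 255.255.255.255
access-list outside_access_in extended permit ip host 203.0.113.10 host 192.168.1.3
access-group outside_access_in in interface outside
"""

def parse(cfg):
    """Pull out the pieces of a pre-8.3 ASA config the review needs."""
    iface_ips, cur, statics, acl_hosts, bound = {}, None, [], {}, {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)", line):
            cur = m.group(1)                      # interface name from nameif
        elif cur and (m := re.match(r"ip address (\S+) ", line)):
            iface_ips[cur] = m.group(1)           # interface IP (used by 'global ... interface')
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask", line):
            statics.append(m.groups())            # (real_if, mapped_if, mapped_ip, real_ip)
        elif m := re.match(r"access-list (\S+) extended permit \S+ .* host (\S+)(?: eq \S+)?$", line):
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))  # destination host per ACL
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(2)] = m.group(1)        # ACL applied inbound on an interface
    pat_ifaces = set(re.findall(r"global \((\S+)\) \d+ interface", cfg))
    return iface_ips, statics, acl_hosts, bound, pat_ifaces

def review(cfg):
    """Return findings for statics that collide with interface PAT or lack an inbound ACL entry."""
    iface_ips, statics, acl_hosts, bound, pat_ifaces = parse(cfg)
    findings = []
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        # Joey's point: the static's mapped IP must not be the address already used for interface PAT.
        if mapped_if in pat_ifaces and iface_ips.get(mapped_if) == mapped_ip:
            findings.append(f"static {mapped_ip}->{real_ip}: mapped IP is the {mapped_if} interface PAT address")
        # Pre-8.3 ACLs on the outside interface reference the mapped (global) IP, not the real one.
        acl = bound.get(mapped_if)
        if not acl or mapped_ip not in acl_hosts.get(acl, set()):
            findings.append(f"static {mapped_ip}->{real_ip}: no inbound ACL on {mapped_if} permits {mapped_ip}")
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_CFG):
        print(f)
```

On the sample, only the first static is flagged: it reuses 192.168.1.2 (the interface PAT address) and nothing on outside_access_in permits it, while the second static (192.168.1.3) passes both checks.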
03-09-2012 11:38 AM
Hello,
I understand that a secondary IP address needs to be used. How do you propose to get this configured? Can I assign a second IP address to the same interface or to the second interface available in the firewall?
My ISP only provided me with two IP addresses.
Thanks
03-09-2012 11:57 AM
Hello,
I'm a little confused because you said your ISP is only giving you two IP addresses, but you are using a private 192.168.1.x range externally.
The static can use any other IP in the same range (like 192.168.1.3, 192.168.1.4, etc..). It just shouldn't be the one you are already using (192.168.1.2) for your interface PAT.
Hope this makes sense. I apologize if I'm not understanding.
Thanks
Joey
03-09-2012 12:10 PM
Hi,
The address given for the external interface will only route in our institution. The ISP has the public IP address. They translate from public to private IP space for us. Therefore, the address 192.168.1.x is the outside firewall interface. Now, you are suggesting that I could use 192.168.1.3 to point any external traffic into the network behind the firewall. My previous question is, then, where does one configure this IP. It has to be configured on some external interface, otherwise it will not broadcast.
Thanks
03-09-2012 01:00 PM
Hello,
The ASA will broadcast the IP used in the static. There is no need to map it to an interface. So to answer your question, you configure it in the static command we discussed previously.
I'm not sure how this will work with your ISP setup as they are the ones who are doing the translations for your network. You may need to let them know that you have a new 192.168.1.x address which needs to be translated.
Hope this helps!
Joey
03-13-2012 08:44 AM
Hi Joseph,
I got some new IP addresses. Below, I have included the complete configuration. The outside traffic is not able to see the computer behind the firewall. I have tried the suggestion you mentioned before, without any luck. Can you take another look, please?
ASA Version 7.2(3)
!
hostname cisco-asa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.2.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 152.18.75.132 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network dts-servers
network-object host 152.31.53.251
network-object host 152.31.53.195
object-group network frs_servers
network-object 152.111.5.22 255.255.255.255
access-list extended extended permit ip any any
access-list extended extended permit icmp any any
access-list extended extended permit ip any object-group dts-servers
access-list acl_out extended permit tcp any object-group frs_servers eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit 10.2.1.0 255.255.255.0 inside
icmp permit any echo-reply outside
icmp permit 152.31.53.0 255.255.255.0 outside
icmp permit 152.31.185.0 255.255.255.0 outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http 10.2.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.2.1.2 255.255.255.255 inside
ssh 152.31.53.0 255.255.255.0 outside
ssh 152.18.1.128 152.18.75.132 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.2.1.2-10.2.1.254 inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context