07-08-2008 09:31 AM - edited 03-11-2019 06:10 AM
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password xxx
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.17 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.x.x.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
clock timezone mst -6
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ping_reply extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnuserspool 192.168.10.101-192.168.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.193.0 255.255.255.0
access-group ping_reply in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.193.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set firstset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 172.17.193.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 172.17.193.101-172.17.193.254 inside
dhcpd dns dns1 dns2 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
07-08-2008 09:31 AM
service-policy global_policy global
ntp server 67.212.67.78 source outside
group-policy vpnuserspolicy internal
group-policy vpnuserspolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
address-pools value vpnuserspool
username admin password xxx encrypted privilege 15
username admin attributes
vpn-group-policy vpnuserspolicy
tunnel-group vpnusersgroup type remote-access
tunnel-group vpnusersgroup general-attributes
default-group-policy vpnuserspolicy
tunnel-group vpnusersgroup ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:xxx
: end
ciscoasa(config)#
07-08-2008 09:33 AM
I have a w2k3 server on the LAN that has 2 web sites running on it. Web1 is bound to 172.17.193.99 and Web2 is bound to 172.17.193.98. The outside interface of the ASA is on the x.x.x.16/28 network. The inside is on 172.17.193.0/24.
I did the following:
static (inside,outside) tcp interface 80 172.17.193.99 80 netmask 255.255.255.255
access-list web1_access permit tcp any host x.x.x.17 eq 80
access-group web1_access in interface outside
I could browse to web1 using http://x.x.x.17 which gets redirected to 172.17.193.99 web server.
How do I go about being able to browse to web2 from the internet using http://x.x.x.18 to point to 172.17.193.98 web server while at the same time retaining the ability to browse to web1?
07-08-2008 12:09 PM
Do you have a single public IP, or do you have more?
07-08-2008 01:15 PM
We get .17 to .29
.16 network id
.30 broadcast address
255.255.255.240 (/28)
07-08-2008 12:57 PM
you should have two statics,
one for 172.17.193.99
another for 172.17.193.98
if you have a single IP you can use different ports
static (inside,outside) tcp interface 80 172.17.193.99 80 netmask 255.255.255.255
static (inside,outside) tcp interface 81 172.17.193.98 80 netmask 255.255.255.255
P.S. rate a post if it was useful
07-08-2008 01:16 PM
"static (inside,outside) tcp interface 81 172.17.193.98 80 netmask 255.255.255.255 "
Does that mean people on the internet have to put in "http://x.x.x.17:81" in their browser to access web2 server?????
07-08-2008 01:21 PM
yes,
or you need yet another public ip.
07-08-2008 01:39 PM
As I've indicated, we are allocated the public internet addresses .17 to .29 by the ISP.
I want .17 to point to the 172.17.193.99 web server and .18 to point to the 172.17.193.98 web server.
07-08-2008 01:42 PM
If it is feasible for you on a usage/utilization and resource basis, you also can migrate the web service from server 2 to server 1, then configure host headers to run 2 different web services behind 1 public IP.
Regards
07-08-2008 01:45 PM
"I want .17 to point to the 172.17.193.99 web server and .18 to point to the 172.17.193.98 web server"
Then all you have to do is create another static statement:
static (inside,outside) tcp x.x.x.18 80 172.17.193.98 80 netmask 255.255.255.255
access-list web1_access permit tcp any host x.x.x.18 eq 80
Regards
07-10-2008 10:44 AM
I did this:
access-list inbound_on_outside extended permit tcp any host x.x.x.17 eq www
access-list inbound_on_outside extended permit tcp any host x.x.x.18 eq www
access-list inbound_on_outside extended permit tcp any host x.x.x.19 eq www
static (inside,outside) tcp interface www 172.17.193.99 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.18 www 172.17.193.98 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.19 www 172.17.193.97 www netmask 255.255.255.255
access-group inbound_on_outside in interface outside
Works fine for 3 test websites.
Curious...any reason why
"static (inside,outside) tcp interface www 172.17.193.99 www netmask 255.255.255.255"
can't be
"static (inside,outside) tcp x.x.x.17 www 172.17.193.99 www netmask 255.255.255.255"
to keep things consistent?
07-10-2008 01:27 PM
This is actually for "securing" the IP address of interfaces, which are crucial for the overall routing processes, from misuse. It is easy to get confused and create a one-to-one static for the outside IP address, which will halt the overall operation. You are supposed to be careful when you use an "interface" statement rather than the IP address. But I have seen very few configurations which actually operate without the interface command.
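To make the two answers concrete (the 12:57 PM reply with two statics on one public IP distinguished by port, and the 07-10-2008 three-address configuration together with the warning above about one-to-one statics on the interface IP), here is an added Python model of how an 8.0-era ASA handles an inbound connection on the outside interface: the interface ACL is checked against the public address, then the matching `static` entry rewrites the destination. This is illustration code written for this thread, not Cisco code and not posted by anyone in it. It parses the exact `static` and `access-list` lines quoted above; the public addresses keep the thread's `x.x.x.N` placeholders, `interface` resolves to `x.x.x.17` from the posted `ip address` line, and the one-to-one static and the sample connections are constructed for the demonstration.

```python
"""Added model of ASA 8.0 inbound processing for the statics in this thread.
Not Cisco code: an illustration of ACL check followed by static translation.
Public addresses keep the thread's x.x.x.N placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IP = "x.x.x.17"                # `ip address x.x.x.17 255.255.255.240` in the posted config
PORT_NAMES = {"www": 80, "http": 80}   # ASA accepts service names or numbers


def parse_port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


@dataclass(frozen=True)
class Static:
    proto: Optional[str]        # None => one-to-one static: every protocol and port
    global_ip: str
    global_port: Optional[int]
    local_ip: str
    local_port: Optional[int]


def parse_static(line: str) -> Static:
    """Parse `static (inside,outside) [tcp|udp] <global> [gport] <local> [lport] netmask ...`."""
    tok = line.split()
    assert tok[:2] == ["static", "(inside,outside)"], line
    rest = tok[2:]
    if rest[0] in ("tcp", "udp"):                       # port static (static PAT)
        proto, g_ip, g_port, l_ip, l_port = rest[:5]
        g_ip = OUTSIDE_IP if g_ip == "interface" else g_ip
        return Static(proto, g_ip, parse_port(g_port), l_ip, parse_port(l_port))
    g_ip, l_ip = rest[:2]                               # one-to-one static
    return Static(None, g_ip, None, l_ip, None)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    dst_ip: str
    dst_port: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse the `access-list NAME [extended] permit tcp any host X eq PORT` form used in the thread."""
    rest = line.split()[2:]
    if rest[0] == "extended":
        rest = rest[1:]
    action, proto, src, kw, dst_ip = rest[:5]
    assert src == "any" and kw == "host", line         # only the shapes posted above
    dst_port = parse_port(rest[6]) if len(rest) > 6 and rest[5] == "eq" else None
    return Ace(action, proto, dst_ip, dst_port)


Conn = Tuple[str, str, int]          # (protocol, public dst ip, dst port)


def translate(conn: Conn, statics: List[Static]) -> Optional[Tuple[str, int]]:
    """Return the inside (ip, port) a public destination maps to, or None."""
    proto, dip, dport = conn
    for s in statics:
        if s.global_ip != dip:
            continue
        if s.proto is None:                           # one-to-one: swallows every port
            return (s.local_ip, dport)
        if s.proto == proto and s.global_port == dport:
            return (s.local_ip, s.local_port)
    return None


def inbound(conn: Conn, aces: List[Ace], statics: List[Static]):
    """Pre-8.3 order: the outside ACL matches the public address first, then NAT applies."""
    proto, dip, dport = conn
    permitted = any(a.action == "permit" and a.proto == proto and a.dst_ip == dip
                    and a.dst_port in (None, dport) for a in aces)
    if not permitted:
        return ("deny", None)                         # implicit deny at the end of the ACL
    target = translate(conn, statics)
    return ("permit", target) if target else ("no-translation", None)


# The working three-address configuration from the 07-10-2008 post.
ACES = [parse_ace(l) for l in """
access-list inbound_on_outside extended permit tcp any host x.x.x.17 eq www
access-list inbound_on_outside extended permit tcp any host x.x.x.18 eq www
access-list inbound_on_outside extended permit tcp any host x.x.x.19 eq www
""".split("\n") if l]
STATICS = [parse_static(l) for l in """
static (inside,outside) tcp interface www 172.17.193.99 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.18 www 172.17.193.98 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.19 www 172.17.193.97 www netmask 255.255.255.255
""".split("\n") if l]
# Single-public-IP alternative from the 12:57 PM reply: distinguish the servers by port.
SINGLE_IP_STATICS = [parse_static(l) for l in (
    "static (inside,outside) tcp interface 80 172.17.193.99 80 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 81 172.17.193.98 80 netmask 255.255.255.255")]
# Constructed: the mistake the last reply warns about, a one-to-one static for the outside IP.
INTERFACE_OVERLAP = [parse_static(
    "static (inside,outside) x.x.x.17 172.17.193.99 netmask 255.255.255.255")]


if __name__ == "__main__":
    for c in [("tcp", "x.x.x.17", 80), ("tcp", "x.x.x.18", 80), ("tcp", "x.x.x.17", 443)]:
        print(c, "->", inbound(c, ACES, STATICS))
    print("single IP, port 81 ->", translate(("tcp", "x.x.x.17", 81), SINGLE_IP_STATICS))
    # Port statics leave the ASA's own ISAKMP (udp/500 to the outside IP) untouched...
    print("ISAKMP with port statics ->", translate(("udp", OUTSIDE_IP, 500), STATICS))
    # ...but a one-to-one static for the interface IP would redirect it to the web server.
    print("ISAKMP with one-to-one static ->", translate(("udp", OUTSIDE_IP, 500), INTERFACE_OVERLAP))
```

Running it shows why the thread's final answer works: each public address and port pair maps to exactly one inside server, anything not listed in `inbound_on_outside` is dropped by the implicit deny, and the port statics leave every other port on `x.x.x.17` (the firewall's own IPsec, SSH and ASDM) alone. The constructed one-to-one static demonstrates the last reply's point: it claims every port on the interface address, including udp/500 for the remote-access VPN in the posted config.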