ASA 5515X Design

zeuscyril
Level 4

Hi all,

Here is my network setup; I am going to get the ASA 5515X device.

I have 3 different local networks and 2 WAN connections.

LAN1 -- 10.1.1.0/24 -- local users

LAN2 -- 10.1.2.0/24 -- servers

LAN3 -- 10.1.3.0/24 -- guest internet

WAN1 -- ADSL line with dynamic IP (Internet for the local users and guests)

WAN2 -- leased line with static IP (for email and web applications)

These are my network details.

1. I want to pass all the internet traffic over the ADSL line (users and guest users).

2. For servers like email and application servers the internet traffic has to go over ADSL, but the port forwarding for email and web apps goes through the leased line, and for the email server only, the internet traffic also needs to pass over the leased line.

3. I know that by default in the ASA 5500 series we cannot add 2 default routes.

Is there any change in the 5515X series, or otherwise can we achieve this with NAT & global commands?

4. The server and local networks should be able to communicate. I don't have any L3 device, so we need to allow traffic between the different zones.

Thanks in advance, waiting for points.

cyril


13 Replies

Jouni Forss
VIP Alumni

Hi,

The 2.) section is a bit confusing. You first say that the EMAIL and APP servers need to use the ADSL connection. Then you mention that incoming connections should be possible to the EMAIL and APP servers from the LEASED connection. And finally you mention that the EMAIL server should use LEASED?

So which way is it? Should the EMAIL server use ADSL for outbound connections or LEASED? Or do you perhaps want some outbound connections from the EMAIL server to use ADSL and some to use LEASED?

Essentially you can let the ADSL interface on the ASA install the active default route for the ASA, and you can then (if needed) use NAT configurations on the ASA to force the required traffic out of the LEASED link. The LEASED interface will also require a default route configured statically, but it should then be configured with a worse distance metric.

With the above idea you could essentially have your users and servers use the ADSL line for outbound connections, while external users could still connect to the servers through the LEASED connection even though it doesn't hold the active default route.

Now, if you wanted some of the EMAIL server traffic to go out of LEASED rather than the ADSL connection (perhaps send the mail through LEASED but everything else through ADSL?), then you would have to resort to a NAT configuration to handle the forwarding of that traffic through LEASED, while even after that all other traffic from the EMAIL server would flow outbound through the ADSL link.

So first we would have to make it clear through which external connection the servers should form their connections. Since it seems you want to use the ADSL line mainly for all connections formed outbound from your LAN/DMZ networks, it should be pretty simple to configure.

- Jouni

Hi Jouni,

Sorry for the confusion.

If I need to route all the traffic through the leased line only for the email server, how can I configure the NAT config?

Example:

nat (server) 2 10.1.2.10 255.255.255.255
global (LL) 2 XX.XX.XX.XX   <- leased line IP

Is that correct?

Thanks

cyril

Hi,

The "global" and "nat" configurations you mention above don't exist anymore on the newer ASA firewalls and newer software levels. The NAT configuration format and operation were totally overhauled in the 8.3 software, and the minimum software level for your new ASA5500-X Series unit is 8.6(1).

Here are some basic configurations which I assume you would need. Most of them are very basic, but when we are talking about manipulating the WAN interface chosen for some hosts, we need somewhat unusual NAT configurations.

Do take into account that I have not tested these specific configurations in a live network environment or a network lab.

interface GigabitEthernet0/0
 description ADSL
 nameif ADSL
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 description LEASED
 nameif LEASED
 security-level 0
 ip address 1.1.1.2 255.255.255.248
!
route LEASED 0.0.0.0 0.0.0.0 1.1.1.1 254
!
interface GigabitEthernet0/2
 description LOCAL USERS
 nameif LAN
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 description SERVERS
 nameif SERVERS
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/4
 description GUEST
 nameif GUEST
 security-level 10
 ip address 10.1.3.1 255.255.255.0
!
object network LAN
 subnet 10.1.1.0 255.255.255.0
object network SERVERS
 subnet 10.1.2.0 255.255.255.0
object network GUEST
 subnet 10.1.3.0 255.255.255.0
object network MAIL-SERVER
 host 10.1.2.100
object service SMTP-IN
 service tcp source eq 25
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
!
! Section 1 (Manual NAT)
nat (LAN,SERVERS) source static LAN LAN destination static SERVERS SERVERS
nat (SERVERS,LEASED) source static MAIL-SERVER interface service SMTP-IN SMTP-IN
nat (SERVERS,LEASED) source dynamic MAIL-SERVER interface destination static ALL ALL
!
! No Section 2 (Auto NAT) used!
!
! Section 3 (Manual NAT, after-auto)
nat (LAN,ADSL) after-auto source dynamic LAN interface
nat (SERVERS,ADSL) after-auto source dynamic SERVERS interface
nat (GUEST,ADSL) after-auto source dynamic GUEST interface

The idea with the above configurations is that we

  • Create interfaces for all the networks (you mentioned you don't have any additional routers in the network), though you could naturally also configure a trunk to a switch you may have, to save on physical interfaces.
  • Create the "object network" and "object service" objects that we are going to use in the NAT configurations
  • Create the actual NAT configurations

I would imagine it's a bit hard to explain why the above NAT configurations look like that, so it's probably best that I go through them in order from top to bottom (the order in which they are processed by the ASA) to try to clear things up. Again I have to note that this is not a tested configuration.

nat (LAN,SERVERS) source static LAN LAN destination static SERVERS SERVERS

The above configuration is inserted first to make sure that local traffic between the LAN and SERVERS networks will work and won't be affected by the NAT rules that follow.

nat (SERVERS,LEASED) source static MAIL-SERVER interface service SMTP-IN SMTP-IN

The above configuration is inserted next to configure Static PAT (Port Forward) so that the MAIL-SERVER can be contacted through the LEASED connection. Again, the ordering of the NAT rule is key so that the following rule doesn't interfere with its operation.

nat (SERVERS,LEASED) source dynamic MAIL-SERVER interface destination static ALL ALL

The above configuration is probably the most unusual one. It essentially specifies that the MAIL-SERVER should be Dynamic PATed to the LEASED interface IP address when its destination is ANY destination IP address. This will essentially mean that traffic from the MAIL-SERVER will be forwarded out through the LEASED interface (EXCEPT for the first mentioned traffic between the LAN and SERVERS interfaces).

nat (LAN,ADSL) after-auto source dynamic LAN interface
nat (SERVERS,ADSL) after-auto source dynamic SERVERS interface
nat (GUEST,ADSL) after-auto source dynamic GUEST interface

The above configurations are just normal Dynamic PAT configurations for all the local networks, and they use the ADSL interface. There is no default route in the above configurations for the ADSL interface because the interface is configured to get the default route automatically through the DHCP process with the "setroute" parameter.

Naturally you will have to take into account that the above configurations only enable one server to use the LEASED interface, and only forward a single service through the LEASED interface. So judging from your original post you would probably need Static PAT (Port Forward) configurations for other services and even other servers. You might also need NAT configurations that forward other servers' traffic only through the LEASED interface.

Hope this made some sense.

Please do remember to mark a reply as the correct answer if it answered your question, or rate helpful answers.

Feel free to ask more if needed.

- Jouni
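As an added illustration (not part of the thread and not Cisco code), the Python script below models the first-match ordering Jouni describes in the post above, and the same ordering point comes up again later in the thread when a Dynamic PAT rule sits between Static PAT rules. The model is my own simplification, not the ASA's NAT engine: Section 1 rules are checked top to bottom, after-auto rules are appended last, a static rule also catches traffic arriving on its mapped side (port forward / identity), and a dynamic rule only catches traffic leaving its real side. Interface names, networks and the LEASED address 1.1.1.2 come from the suggested configuration; the remote addresses in the sample packets are constructed. Running it shows the mail server leaving via LEASED, the other networks via ADSL, only tcp/25 being forwarded in from LEASED, and, in shadow_demo(), what happens when the LAN/SERVERS identity rule is placed after the mail server's dynamic rule.

```python
"""Simplified first-match model of the manual NAT ordering in the post above.

Added illustration, not Cisco code. Assumptions: Section 1 rules are checked
top to bottom and the first match wins; after-auto (Section 3) rules come
after them; a static rule is bidirectional, a dynamic rule is outbound only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    real_if: str                      # interface the real (untranslated) host sits on
    mapped_if: str                    # interface the traffic leaves / mapped IP lives on
    real_src: str                     # CIDR of the real source object
    kind: str                         # "static" (bidirectional) or "dynamic" (outbound only)
    dest: str = "0.0.0.0/0"           # destination object; ALL when the rule names none
    mapped_src: Optional[str] = None  # CIDR of the mapped source (static rules only)
    sport: Optional[int] = None       # real source port for Static PAT ("service SMTP-IN SMTP-IN")
    label: str = ""


@dataclass(frozen=True)
class Packet:
    ingress: str
    src: str
    dst: str
    sport: int
    dport: int


def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def match(rule: NatRule, pkt: Packet) -> Optional[str]:
    """Return the egress interface if the rule matches the packet, else None."""
    # Forward direction: packet arrives on the real side from the real source.
    if (pkt.ingress == rule.real_if and _in(pkt.src, rule.real_src)
            and _in(pkt.dst, rule.dest)
            and (rule.sport is None or pkt.sport == rule.sport)):
        return rule.mapped_if
    # Reverse direction: only static rules also catch traffic that arrives on
    # the mapped side addressed to the mapped source (port forward / identity).
    if (rule.kind == "static" and rule.mapped_src is not None
            and pkt.ingress == rule.mapped_if
            and _in(pkt.dst, rule.mapped_src) and _in(pkt.src, rule.dest)
            and (rule.sport is None or pkt.dport == rule.sport)):
        return rule.real_if
    return None


def egress(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[str], str]:
    """The first matching rule decides the egress interface (None = no NAT match)."""
    for rule in rules:
        out = match(rule, pkt)
        if out is not None:
            return out, rule.label
    return None, "no NAT match"


LEASED_IP = "1.1.1.2/32"  # LEASED interface address from the suggested config

IDENTITY = NatRule("LAN", "SERVERS", "10.1.1.0/24", "static", dest="10.1.2.0/24",
                   mapped_src="10.1.1.0/24", label="LAN<->SERVERS identity")
SMTP_PAT = NatRule("SERVERS", "LEASED", "10.1.2.100/32", "static",
                   mapped_src=LEASED_IP, sport=25, label="MAIL-SERVER tcp/25 via LEASED")
MAIL_OUT = NatRule("SERVERS", "LEASED", "10.1.2.100/32", "dynamic",
                   label="MAIL-SERVER dynamic PAT to ALL via LEASED")
# Section 3 (after-auto): ordinary dynamic PAT of every local network out of ADSL
AFTER_AUTO = [
    NatRule("LAN", "ADSL", "10.1.1.0/24", "dynamic", label="LAN via ADSL"),
    NatRule("SERVERS", "ADSL", "10.1.2.0/24", "dynamic", label="SERVERS via ADSL"),
    NatRule("GUEST", "ADSL", "10.1.3.0/24", "dynamic", label="GUEST via ADSL"),
]

RULES_AS_POSTED = [IDENTITY, SMTP_PAT, MAIL_OUT] + AFTER_AUTO
# Same rules, but the identity rule placed after the mail server's dynamic rule
RULES_SHADOWED = [SMTP_PAT, MAIL_OUT, IDENTITY] + AFTER_AUTO

# Constructed sample packets (203.0.113.9 is a documentation address)
MAIL_TO_INTERNET = Packet("SERVERS", "10.1.2.100", "8.8.8.8", 40000, 80)
MAIL_TO_LAN_HOST = Packet("SERVERS", "10.1.2.100", "10.1.1.5", 40001, 445)
USER_TO_INTERNET = Packet("LAN", "10.1.1.5", "8.8.8.8", 50000, 443)
INBOUND_SMTP = Packet("LEASED", "203.0.113.9", "1.1.1.2", 51000, 25)
INBOUND_HTTPS = Packet("LEASED", "203.0.113.9", "1.1.1.2", 51001, 443)


def shadow_demo() -> Tuple[Optional[str], Optional[str]]:
    """Egress for mail server -> LAN host: posted order vs. identity rule moved down."""
    return (egress(RULES_AS_POSTED, MAIL_TO_LAN_HOST)[0],
            egress(RULES_SHADOWED, MAIL_TO_LAN_HOST)[0])


if __name__ == "__main__":
    for pkt in (MAIL_TO_INTERNET, MAIL_TO_LAN_HOST, USER_TO_INTERNET, INBOUND_SMTP, INBOUND_HTTPS):
        print(pkt.ingress, pkt.src, "->", pkt.dst, pkt.dport, "=>", egress(RULES_AS_POSTED, pkt))
    print("identity first vs. after the dynamic rule:", shadow_demo())
```

The shadowed ordering sends the mail server's traffic to a LAN host out of LEASED, because 10.1.1.0/24 is inside ALL and the dynamic rule is now the first match; that is exactly why the identity rule has to sit above it, and why, on a real box, "packet-tracer" is the right tool to confirm which rule a given flow actually hits.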

Hi Jouni,

Here is my config.

My internet and PAT are working; only my email server needs to NAT all its traffic with the specific IP.

Only that is not happening, and because of that my mail server is not authenticating the email, because it is going out with the ADSL IP address.

ASA Version 9.1(1)
!
hostname ALAIN-FW
enable password ZYx9xaV1.cM.IUcY encrypted
passwd M5Z8qN9wxh2rt.Wo encrypted
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 192.168.45.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif LL
 security-level 0
 ip address X.X.X.X 255.255.255.252
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.213 255.255.255.0
!
interface GigabitEthernet0/3
 nameif Server
 security-level 100
 ip address 10.25.31.1 255.255.255.224
!
interface GigabitEthernet0/4
 nameif dmz
 security-level 100
 ip address 172.16.0.1 255.255.255.240
!
interface GigabitEthernet0/5
 nameif Guest
 security-level 10
 ip address 192.168.74.129 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network LAN-NW
 subnet 10.10.10.0 255.255.255.0
object network Server_NW
 subnet 10.25.31.0 255.255.255.224
object network Guest_NW
 subnet 192.168.74.0 255.255.255.0
object network DMZ_NW
 subnet 172.16.0.0 255.255.255.240
object network Email_Srv
 host 10.25.31.16
object network Edge_Email
 host 172.16.0.2
object service Eamil-993
 service tcp source eq 993
object service Email-143
 service tcp source eq imap4
object service Email-465
 service tcp source eq 465
object service Email_443
 service tcp source eq https
object service Edge_25
 service tcp source eq smtp
object service Edge_80
 service tcp source eq www
object network Email-Pub
 host 83.111.102.180
object network All
 subnet 0.0.0.0 0.0.0.0
object service Email-443
 service tcp source eq https
object-group service Email_Service_Srv
 service-object object Email-143
 service-object object Eamil-993
 service-object object Email-465
 service-object object Email_443
object-group service Edge_Email_DMZ
 service-object object Edge_25
 service-object object Edge_80
access-list DMZ-In extended permit ip 172.16.0.0 255.255.255.240 10.25.31.0 255.255.255.224
access-list DMZ-In extended permit ip 172.16.0.0 255.255.255.240 10.10.10.0 255.255.255.0
access-list DMZ-In extended permit ip host 172.16.0.2 any log
access-list LL-Server extended permit tcp any object Email_Srv eq 993
access-list LL-Server extended permit tcp any object Email_Srv eq 465
access-list LL-Server extended permit tcp any object Email_Srv eq https
access-list LL-Server extended permit tcp any object Edge_Email eq smtp log errors
access-list LL-Server extended permit tcp any object Email_Srv eq imap4
access-list LL-Server extended permit tcp any object Edge_Email eq www
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu LL 1500
mtu inside 1500
mtu Server 1500
mtu dmz 1500
mtu Guest 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Server,LL) source static Email_Srv Email-Pub service Email_443 Email_443
nat (Server,LL) source static Email_Srv Email-Pub service Email-143 Email-143
nat (Server,LL) source static Email_Srv Email-Pub service Email-465 Email-465
nat (Server,LL) source static Email_Srv Email-Pub service Eamil-993 Eamil-993
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_25 Edge_25
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_80 Edge_80
nat (Server,any) source static Email_Srv Email-Pub
nat (dmz,any) source static Edge_Email Email-Pub
!
object network LAN-NW
 nat (inside,Outside) dynamic interface dns
object network Guest_NW
 nat (Guest,Outside) dynamic interface dns
!
nat (dmz,Outside) after-auto source dynamic DMZ_NW interface
nat (Server,Outside) after-auto source dynamic Server_NW interface dns
access-group LL-Server in interface LL
route Outside 0.0.0.0 0.0.0.0 192.168.45.1 1
route LL 0.0.0.0 0.0.0.0 Y.Y.Y.Y 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 inside
http 10.25.31.0 255.255.255.224 Server
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.25.31.0 255.255.255.224 Server
telnet timeout 5
ssh 213.42.27.74 255.255.255.255 LL
ssh 213.42.27.178 255.255.255.255 LL
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.74.21-192.168.74.125 Guest
dhcpd dns 213.42.20.20 195.229.241.222 interface Guest
dhcpd lease 14400 interface Guest
dhcpd enable Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password yy2L/qRRUR2kh3.Z encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:61d21cd299674d078a2f81b6aa88855d
: end
ALAIN-FW#

Hi,

It seems that the NAT configurations you have don't really reflect what I originally suggested.

There is no configuration that would force the EMAIL server to use the LL link for external traffic.

If you are going to implement that and also want the INSIDE and SERVER segments to talk to each other with local IP addresses, then you would probably need these configurations:

nat (inside,Server) 1 source static LAN-NW LAN-NW destination static Server_NW Server_NW
!
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
!
nat (Server,LL) 6 source dynamic Email_Srv Email-Pub destination static ALL ALL

Do notice that with the above configurations

  • INSIDE and SERVER should be able to communicate with each other with local IP addresses
  • Any other traffic from the EMAIL SERVER would be forced out of the LL interface (even to private destination IP addresses)

With the above in mind, if you have any need for the EMAIL SERVER to communicate with DMZ hosts/servers, for example, you would need extra NAT configurations.

- Jouni

Hi Jouni,

Here is the new config with the changes you provided.

After the change the internet is not working on the email server.

Config is attached.

Hi,

Can you simulate a packet coming from that server to the Internet with "packet-tracer"?

packet-tracer input <server-interface> tcp <server-ip> 12345 8.8.8.8 80

This should tell us what the problem might be.

Naturally, to avoid prolonging the problem, I would suggest reverting back to the original NAT configurations after you have taken the "packet-tracer" output.

I just noticed that you are using the same public IP address for 2 different servers on 2 different local interfaces? This will at least cause problems for incoming connections, but I would be interested to see what exactly is causing problems with outbound connections from the server.

- Jouni

Hi Jouni,

Sorry for the late reply.

We are on holidays, so that's why I am not able to provide the details which you asked me for.

I will provide the details once the holidays are over.

Is there anything else missing in the config?

Thanks

cyril

Hi,

I guess you reverted the configurations to get it working again?

I would have liked the "packet-tracer" output simulating the connections that weren't working at the moment of your last post.

It seems to me though that one problem might have been with the "Edge_email" server. This is because you seem to use the same public IP address for servers behind 2 different interfaces, and you had those special Dynamic PAT configurations I suggested in between the Static PAT (Port Forward) configurations. That Dynamic PAT configuration might have stopped a couple of the last Static PAT configurations from working.

So I would really need to know what the specific problem was the last time, so we can avoid causing any further problems for any users.

If I had to guess, on the basis of the attached configuration, what the problem was, then I would guess that it was the following:

nat (inside,Server) source static LAN-NW LAN-NW destination static Server_NW Server_NW
nat (dmz,Server) source static DMZ_NW DMZ_NW destination static Server_NW Server_NW
nat (Server,LL) source static Email_Srv Email-Pub service Email_443 Email_443
nat (Server,LL) source static Email_Srv Email-Pub service Email-143 Email-143
nat (Server,LL) source static Email_Srv Email-Pub service Email-465 Email-465
nat (Server,LL) source static Email_Srv Email-Pub service Eamil-993 Eamil-993
! RED:
nat (Server,LL) source dynamic Email_Srv Email-Pub destination static ALL ALL
! GREEN:
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_25 Edge_25
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_80 Edge_80
nat (dmz,LL) source dynamic Edge_Email Email-Pub destination static ALL ALL

The "nat" marked RED should have been moved to the bottom so it won't interfere with the 2 Static PAT configurations below it marked GREEN.

- Jouni

Hi Jouni,

Tomorrow I am going to do the following changes, as well as the trace which you asked me for.

Maybe I need your help to solve the issue.

Thanks

cyril

Hi,

It's a bit risky when you have to use NAT configurations to make the ASA handle traffic differently.

You said that after the last change the mail server's Internet connection stopped working?

Which one of these stopped working?

object network Email_Srv
 host 10.25.31.16
object network Edge_Email
 host 172.16.0.2

Was this all that stopped working? Were users and other servers able to connect to the Internet while the email server had problems?

Or were the email server's problems with incoming connections from the Internet?

- Jouni

Hi,

I checked only on the

object network Email_Srv
 host 10.25.31.16

The internet was not working there, and I didn't check the rest of the servers at that time. But the incoming connections were working on the ports.

Hi,

After moving the NAT it started working.
