Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ASA 5510: Allow Internet access to a public address assigned to a server on a private DMZ without using NAT

I have a Cisco ASA 5510 running 9.0(2).  There is a DMZ network segment off of the firewall that uses the IP range of 10.1.1.x/24.  The IP address of this DMZ firewall interface is 10.1.1.1.

Let's say the ISP gave me an Internet public address of 199.98.97.96/24. I want to allow external users to use this address to get to an IIS server on  my DMZ.  Typically, I would just create a NAT rule mapping 199.98.97.96 to a private address for that server (say 10.1.1.5).  However, apparently this application that I'm trying to use will not permit NAT translations.  So I need to use a public address and pass it through the firewall. 

I would like to take the 199.98.97.96 address and assign it to this IIS server on the DMZ.  Keep in mind, I don't want to change the address range of my DMZ which is 10.1.1.x/24.

On the DMZ, I have a Windows 2012 server where I set the IP Address of the NIC to the following:

IP Address: 199.98.97.96

Mask: 255.255.255.0

Gateway: 10.1.1.1

On the firewall, I configured a NAT rule that allows traffic on interface 'Any' to interface 'DMZ'.  The source IP address is 'Any' while the destination IP address is '199.98.97.96'.   I do a (NO NAT) and leave the 'service' and 'all addresses' as 'original'.  This rule is at the top of the address translations.  The goal is to make sure the 199.98.97.96 address does not change in or out of the firewall.

I add an access rule to allow port 80 from anywhere to 199.98.97.96.  This did not work.  I cannot browse to my server!

Does anyone know how to use a public IP address, assign it to a server BEHIND the firewall on a private addressed network segment and get it to allow external users to get access to the server.

Thanks.

Everyone's tags (3)
8 REPLIES
Super Bronze

Cisco ASA 5510: Allow Internet access to a public address assign

Hi,

Well genereally when you absolutely have to be able to host a service without doing NAT you usually request a small public subnet from the ISP and use it behind your firewall directly (or somewhere else on the LAN/DMZ network). I havent really run any these kind of situation or it has been very rare as I cant remember any specific situation where this would have been the case.

You cant really have a single public IP address configured inside your network wihtout it having a gateway from its own network.

- Jouni

New Member

Cisco ASA 5510: Allow Internet access to a public address assign

Jouni,

Thanks for the quick reply.  The reason I'm doing this is for Lync 2013.  I'm using a hardware load balancer.  The Lync 2013 documenation states:

Following are the hardware load balancer requirements for Edge Servers running the A/V Edge service:

  • Turn off TCP nagling for both internal and external ports 443. Nagling is the process of combining several small packets into a single, larger packet for more efficient transmission.
  • Turn off TCP nagling for external port range 50,000 – 59,999.
  • Do not use NAT on the internal or external firewall.
  • The edge internal interface must be on a different network than the Edge Server external interface and routing between them must be disabled.
  • The external interface of the Edge Server running the A/V Edge Service must use publically routable IP addresses and no NAT or port translation on any of the edge external IP addresses.

I'm fairly confident that I did this in the past but using Checkpoint firewalls on Sun Unix systems. 

The Edge server actually has 4 separate NICs.  3 of them connect to the DMZ while the other connects to another network segment that goes into another firewall and into the internal LAN.

I am able to put a route statement on the Windows Server like this:

route add 0.0.0.0 mask 0.0.0.0 10.1.1.1 IF 2

This sends default packets to 10.1.1.1 which is located  on Interface 2 which is one of the interfaces connected to the Cisco ASA.  Before I added this line, I had a general transit failure.  After adding it, the packets were sent to the firewall.

I think something is missing on my firewall.

Or maybe I'm just misunderstanding the Microsoft requirement.

Super Bronze

Cisco ASA 5510: Allow Internet access to a public address assign

Hi,

In a typical network setup a interface with an IP address with mask /32 doesnt make much sense. I guess the most typical situation when its used on Cisco routers for ID purposes in routing, source address for certain connections outbound from the router or just for testing or monitoring purposes.

So the only way I can imagine at the moment this could be done is to have the 10.1.1.0/24 network between the server and the ASA and the Server had such virtual/logical interface with the single public IP address that it would be able to utilize.

But if I understand you correctly the public IP address that we are talking about is the only public IP address you have. Therefore we would run into situation where I am faily certain that the ASA couldnt handle this situation. I mean the ASA has to have a public IP address on its WAN interface also (which would be the IP address you have) so I am not sure how it would/could forward traffic towards the public IP address anywhere else than itself since it has it on its own interface.

Also considering using the ASA in Transparent mode to my understanding would mean that you would have to have a single public IP address on the ASA BVI interface from the network segment between which the ASA is placed also so that the ASA would be able to forward traffic through.

So I am not sure how this could be achieved with the ASA.

- Jouni

New Member

Cisco ASA 5510: Allow Internet access to a public address assign

I have been provided several public blocks of IP addresses in different ranges for my Internet connection.  My outside firewall interface has an IP address in one of these blocks.  But the other blocks that I use with this same firewall on the same interface do not have any addresses on the outside firewall interface however they work.  I'm thinking I need to do something with proxy arp.   

In the big picture, I need to do this setup for 9 interfaces for Lync 2013.  Three (3) on an HLB, three (3) on one front-end server, and three (3) on another front-end server.  I think its because of video restrictions and my HLB.  Each front-end server and the HLB have an additional interface that connects to another internal subnet which goes to another firewall (techincally back into the first firewall).  Unfortunately, this is the way Microsoft recommends doing it.  And the only reason I'm trying to do this is because Microsoft says I can't NAT the public addresses to private addresses for these servers when using an HLB.  So either I put the units directly on the Internet, which is a security risk, or I pass the public addresses through the firewall.

Physically, the HLB and two front-end servers sit on the DMZ behind the firewall which again is in the 10.1.1.0/24 network.  If Microsoft didn't have this restriction, I would just add a 10.1.1.x address to each interface, and NAT a pulblic address to the private address. 

So I think the problem is that the public IP address I assigned to all of the interfaces on the HLB and two web-front-ends are not in the 10.1.1.0/24 range like you stated and the DMZ interface needs to use layer 2 and not layer 3 to handle these public addresses when they are internal.

So I tried to fake the whole thing out but again....without success.

I took one of the addresses in the same range (199.198.197.199) and tried to create a proxy arp on the firewall, on the DMZ interface with that IP address and assigned it the MAC address of the DMZ interface and checked the 'Proxy Arp' check box.

I also changed my default route from the DMZ servers to route the packet to this fake address so 0.0.0.0 0.0.0.0 now points to 199.198.197.199. 

I created a NAT rule for a specific address (199.98.97.96) on one of the web-front end servers and tried multiple combinations of turning on and off the Proxy Arp Egress, creating a rule in unidirection and a rule out unidirectional as well as a rule both in and out. 

Still no luck.

Even if I went to my ISP and asked them for 9 usable public addresses and assigned them to a new sub interface inside my firewall, I would think that I would still run into the same or similar issue.

I'm going to keep plugging away to see if I can get it to work...and if I can, I'll let you know.  But I do appreciate your input.  If I finally exhaust my options, I'll have to submit a request to my ISP for these 9 addresses and make the changes as you had suggested in the first post.  I was just trying to avoid that.

Thanks again.

Todd.

New Member

Cisco ASA 5510: Allow Internet access to a public address assign

IP Address: 199.98.97.96

Mask: 255.255.255.0

Gateway: 10.1.1.1

above are the settings are on the server behind dmz which needs to be accessed from internet without any NAT statement. Ideally, its a bad design, but I once achieved it. You just need to add a static route on ASA as follows:

route dmz 199.98.97.96 255.255.255.255 199.98.97.96

then make sure you are able to ping to and from the ASA. Assuming that the access rules allows, the outside users should be able to access the dmz server on its public ip address without use of a NAT.

Let me know if it helps

-

AJ

New Member

Hi Tsmith, Did the below

Hi Tsmith, Did the below workaround solve this issue? 

 

We are havnig the same problem. Thanks. 

New Member

No....it didn't.  I'm not

No....it didn't.  I'm not sure if this is the best way to do it but:

 

- I requested a separate block of Public IP addresses from my ISP just for Lync.

- I created a separate virtual subnet off of my firewall using the new Lync public address range.

- I used the first public address as the IP address of the vnic on the firewall.

- I created a Nat rule for the public addresses where the Destination addresses stayed "original" for the rest of the IP addresses provided.

- I created a Security Rule to allow incoming traffic.

 

This worked for me.

 

Thanks,

Todd

New Member

I appreciate your response.

I appreciate your response. That seems ;like the only way it could be done. Thanks. 

3497
Views
0
Helpful
8
Replies