Configuring ASA Public servers

alanmsv1234 (Level 1)

I have just bought an ASA 5510 and am trying to configure it, but it is not working the way I expect.

I have several internal servers which need to be accessed from the web. If I create a NAT entry for each, and a corresponding access rule, the servers cannot be accessed. If, however, I add the servers in the 'Public Servers' section, it automatically adds the appropriate NAT and Access rule, and it works. My first question is why is this so? Surely adding the NAT and Access rule should work?

Secondly, although it works by adding the servers via Public folders, it only does so by assigning a different public IP for each internal server. I want to assign different ports from one external IP to different internal servers to conserve IPs, but it will not let me do this: adding a server in Public Servers assigns an IP to that internal server, even though I specify, for example, only smtp as the service. If I try to add another Public Server, say http, to another internal machine, it says the external address overlaps with another in use. This can be done by configuring the NAT and Access Rule directly, but this doesn't work. I can only access my servers by doing it via Public Servers. Is this by design, or am I doing something wrong?

7 Replies

Alan,

To see if you're doing something wrong, please post the output of the following lines from the ASA:

sh run static

sh run access-group

sh run access-list

You can change your sensitive information before posting.

Federico.

MSV-ASA# sh run static
static (Inside,Outside) tcp xxx.29 pptp Fileserver pptp netmask 255.255.255.255
static (DMZ,Outside) tcp xxx.27 imap4 pop.m.org imap4 netmask 255.255.255.255
static (DMZ,Outside) tcp xxx.27 pop3 pop.m.org pop3 netmask 255.255.255.255
static (DMZ,Outside) tcp xxx.27 smtp CentOs smtp netmask 255.255.255.255
static (Inside,Outside) xxx.28 Commserver netmask 255.255.255.255


MSV-ASA# sh run access-group
access-group Outside_access_in in interface Outside

MSV-ASA# sh run access-list
access-list Outside_access_in extended permit tcp any host CentOs eq smtp
access-list Outside_access_in extended permit tcp any host xxx.29 eq pptp
access-list Outside_access_in extended permit tcp object-group Webroot host xxx.28 eq smtp
access-list Outside_access_in extended permit tcp any host xxx.28 object-group DM_INLINE_TCP_0
access-list Outside_access_in extended permit tcp any host Fileserver eq pptp
access-list Outside_access_in extended permit tcp any host pop.m.org object-group DM_INLINE_TCP_1

Thank you,

You can share the same public IP address with multiple internal addresses if doing static PAT and that's what you're doing:

static (in,out) tcp public_IP port internal_IP port

You can have the above line multiple times for the same public_IP and for different internal IPs as long as using different ports.

You say the configuration that you posted here works? Or which line(s) gives you problems?

Federico.

That config does not work, but I think I've spotted the flaw:

It works if the destination of the access rule is the external IP of the internal server, but does not work if the destination is specified as the internal server (in this case CentOs). This seems somewhat counter-intuitive to me, and different from the ISR routers, where you do specify the internal name/IP.

I have done all config via the ASDM, not CLI. I am assuming the Public servers config option is a 'user friendly' way of doing the nat and access list in one go?

Yes, you're right.

On the ACLs, the outside (public) IP address needs to be defined.

If you define the private IP on the ACL (for incoming traffic) it will not work because the only IP visible to the Internet is the outside IP.

Actually just as a side note, this is a new improvement on version 8.3

Using 8.3 you can define the private real address on the incoming ACL, so that if you need to change the public IP, you don't need to modify the ACL each time.

Federico.
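To make the two points above concrete (static PAT sharing one public IP across several internal hosts on different ports, and the inbound ACL naming the mapped address on 8.2 but the real address on 8.3), here is an added example that is not part of the thread and not Cisco's own tooling: a small Python helper that emits the same publication list in both syntaxes and rejects the overlap ASDM complained about. The addresses are constructed (RFC 5737 space stands in for the redacted xxx.* hosts), the object names in the 8.3 output are derived by the helper, and `check_overlaps` is a hypothetical pre-check, not an ASA command.

```python
"""Static PAT plus inbound ACL, written both ways the thread contrasts.

Hypothetical helper, not from the thread or from Cisco: it emits the ASA 8.2
'static' form and the 8.3 object-NAT form for a list of published services
and rejects the overlap ASDM reported. Addresses are constructed (RFC 5737)
in place of the redacted xxx.* hosts.
"""
from dataclasses import dataclass
from typing import List, Optional

ACL = "Outside_access_in"          # ACL name used in the thread
MASK = "netmask 255.255.255.255"


@dataclass(frozen=True)
class Publish:
    real_ifc: str                 # interface the server sits on, e.g. "DMZ"
    mapped_ifc: str               # Internet-facing interface, e.g. "Outside"
    name: str                     # host/object name, e.g. "CentOs"
    real_ip: str                  # private address
    mapped_ip: str                # public address
    proto: Optional[str] = None   # "tcp"/"udp" for static PAT
    port: Optional[str] = None    # port for static PAT; None = 1:1 static


def check_overlaps(entries: List[Publish]) -> bool:
    """Reject what the ASA rejects: one mapped IP/proto/port published twice,
    or a 1:1 static (what ASDM 'Public Servers' creates) on a mapped IP that
    any other entry also uses. Static PAT on distinct ports is allowed."""
    one_to_one = {}
    pat = {}
    for e in entries:
        if e.port is None:
            one_to_one[e.mapped_ip] = one_to_one.get(e.mapped_ip, 0) + 1
        else:
            key = (e.mapped_ip, e.proto, e.port)
            if key in pat:
                raise ValueError(f"{e.mapped_ip} {e.proto}/{e.port} already maps to {pat[key]}")
            pat[key] = e.real_ip
    for ip, n in one_to_one.items():
        if n > 1 or any(k[0] == ip for k in pat):
            raise ValueError(f"{ip} is consumed by a 1:1 static; it cannot be shared")
    return True


def asa82(entries: List[Publish]) -> List[str]:
    """8.2 and earlier: 'static (real,mapped)' per service; the inbound ACL
    must name the MAPPED (public) address, the only one the Internet sees."""
    check_overlaps(entries)
    out = []
    for e in entries:
        if e.port is None:
            out.append(f"static ({e.real_ifc},{e.mapped_ifc}) {e.mapped_ip} {e.real_ip} {MASK}")
            # a 1:1 static still needs one ACE per allowed service, on the mapped IP
        else:
            out.append(f"static ({e.real_ifc},{e.mapped_ifc}) {e.proto} "
                       f"{e.mapped_ip} {e.port} {e.real_ip} {e.port} {MASK}")
            out.append(f"access-list {ACL} extended permit {e.proto} any host {e.mapped_ip} eq {e.port}")
    for ifc in sorted({e.mapped_ifc for e in entries}):
        out.append(f"access-group {ACL} in interface {ifc}")
    return out


def asa83(entries: List[Publish]) -> List[str]:
    """8.3 and later: object NAT; the inbound ACL names the REAL (private)
    address, so renumbering the public range does not touch the ACL."""
    check_overlaps(entries)
    out = []
    for e in entries:
        # one network object carries one nat statement, so a host published on
        # two ports (pop3 and imap4 below) needs two objects with the same host
        obj = e.name if e.port is None else f"{e.name}-{e.port}"
        out.append(f"object network {obj}")
        out.append(f" host {e.real_ip}")
        if e.port is None:
            out.append(f" nat ({e.real_ifc},{e.mapped_ifc}) static {e.mapped_ip}")
        else:
            out.append(f" nat ({e.real_ifc},{e.mapped_ifc}) static {e.mapped_ip} "
                       f"service {e.proto} {e.port} {e.port}")
            out.append(f"access-list {ACL} extended permit {e.proto} any host {e.real_ip} eq {e.port}")
    for ifc in sorted({e.mapped_ifc for e in entries}):
        out.append(f"access-group {ACL} in interface {ifc}")
    return out


# Constructed sample mirroring the thread: three DMZ services share one public
# IP on different ports; the file server gets its own public IP.
SAMPLE = [
    Publish("DMZ", "Outside", "CentOs", "10.1.2.10", "203.0.113.27", "tcp", "smtp"),
    Publish("DMZ", "Outside", "pop", "10.1.2.11", "203.0.113.27", "tcp", "pop3"),
    Publish("DMZ", "Outside", "pop", "10.1.2.11", "203.0.113.27", "tcp", "imap4"),
    Publish("Inside", "Outside", "Fileserver", "10.1.1.20", "203.0.113.29", "tcp", "pptp"),
]

if __name__ == "__main__":
    print("! ---- 8.2 ----\n" + "\n".join(asa82(SAMPLE)))
    print("! ---- 8.3 ----\n" + "\n".join(asa83(SAMPLE)))
    # the ASDM 'Public Servers' case: a 1:1 static on an IP already shared by PAT
    try:
        check_overlaps(SAMPLE + [Publish("Inside", "Outside", "Commserver", "10.1.1.30", "203.0.113.27")])
    except ValueError as err:
        print("! rejected:", err)
```

Compare the two `access-list` outputs: the 8.2 ACEs carry 203.0.113.27, the 8.3 ACEs carry 10.1.2.10 and 10.1.2.11. Running the script also shows why ASDM refused the second Public Server: its 1:1 static claims the whole public address, while the hand-written static PAT entries only claim one port each.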

So, if I upgrade from 8.2 to 8.3, I could use the internal names/IPs in my ACLs? As you say, this would be much more flexible, as I do indeed plan to change the external IP scheme eventually.

Yes, but before attempting the upgrade to 8.3 you need to consider that the NAT configuration changed completely, the entire configuration is more object-group oriented than before, etc. You need extra memory also.

Please review this information prior to going to 8.3

Migration guide to 8.3

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Release notes

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html

Federico.
