Cisco Support Community
New Member

firewall configuration

Experts, I have some configs for an ASA based on the requirements stated. Please help to point out if anything is wrong in these.

Currently:-

7.7.7.7 - ASA outside interface Public ip

172.16.1.0/24 (currently on the local interface) & 192.168.100.2 till 192.168.100.8 (extra private IPs)

6.6.6.6 till 6.6.6.10 - extra public IPs from the ISP

Interfaces: private-lan , internet-outside , dmz-dmz1

nat (private) 1 0.0.0.0 0.0.0.0

global (internet) 1 interface

nat-control is disabled

ASA version 8.0

Below are the configs, in my opinion, for these needs. Please give expert input and correct or suggest where needed.

1. Users connecting to the internet, an externally hosted partner trade site, and an internet-based SQL resource

    All three need to be connected to by users using one public IP, 6.6.6.6, but with different sources

    starting from 192.168.100.2 till 192.168.100.4.

    Can I use the extra IPs given by the ISP, since they aren't assigned to an interface but are routable by the ISP?

  nat (private) 2 access-list XTRA

  global (internet) 2 6.6.6.6

  access-list XTRA extended permit line 1 tcp 192.168.100.2 255.255.255.255 any eq web

  access-list XTRA extended permit line 2 tcp 192.168.100.3 255.255.255.255 any eq 8080

  access-list XTRA extended permit line 2 tcp 192.168.100.4 255.255.255.255 any eq sqlnet

Is this the best way for this to work, as the other NAT is done by the interface IP, or is there another, better way to do it?

2. Inbound from the internet for a web server hosted on the inside at 192.168.100.5 with public IP 6.6.6.7 on SSL

   static(private, internet) tcp 6.6.6.7 192.168.100.5 https or

   static (private, internet) 6.6.6.7 192.168.100.5 netmask 255.255.255.255 or

   static (private, internet) 6.6.6.7 access-list XTRA1

   access-list XTRA1 extended permit tcp any host 6.6.6.7 eq https

  Which one of these static statements is wrong, and which one matches the requirement best?

  If, for a similar requirement, more than a few ports are involved, like 4 ports for the static, can they be combined in

  one statement to accommodate all 4 ports for that particular LAN-based server rather than separate statements?

3. Similar to point 2, I have another 2 servers inside at 192.168.100.6 & 192.168.100.7 with public IPs 6.6.6.8 - 6.6.6.9.

   Do I need to put a separate static as above for each of them, or is there any way to bundle them together in one static?

4. Another need says that traffic between private IP 192.168.100.8, NATted to public IP 6.6.6.10, should be configured

    to be used both ways, i.e. users from the internet should be able to access 192.168.100.8, and local users, when going out,

    should use 6.6.6.10 as the public IP. Is there any way to configure this in a simplified way?

Do I need to include any no-NAT statements for the above?

TIA

Accepted Solution
Cisco Employee

Re: firewall configuration

(1)

nat (private) 2 access-list XTRA

  global (internet) 2 6.6.6.6

  access-list XTRA extended permit line 1 tcp 192.168.100.2 255.255.255.255 any eq web

  access-list XTRA extended permit line 2 tcp 192.168.100.3 255.255.255.255 any eq 8080

  access-list XTRA extended permit line 2 tcp 192.168.100.4 255.255.255.255 any eq sqlnet

Is this the best way for this to work, as the other NAT is done by the interface IP, or is there another, better way to do it?

You may also need UDP 53 for DNS if the DNS servers are on the outside.

access-list XTRA line 3 extended permit udp host 192.168.100.4 any eq domain


Only .2 will try to reach port 80? .3 will only reach out on port 8080? And .4 will only try to connect out to outside sqlnet hosts?

If I were you I would do the following:

nat (private) 2 192.168.100.0 255.255.255.0

global (internet) 2 6.6.6.6

Then restrict who can get out by applying an ACL on the private interface.


access-list XTRA line 1 extended permit ip host 192.168.100.2 any

access-list XTRA line 2 extended permit ip host 192.168.100.3 any

access-list XTRA line 3 extended permit ip host 192.168.100.4 any

access-group XTRA in interface private

(2)

   static(private, internet) tcp 6.6.6.7 192.168.100.5 https or

   static (private, internet) 6.6.6.7 192.168.100.5 netmask 255.255.255.255 or

   static (private, internet) 6.6.6.7 access-list XTRA1

   access-list XTRA1 extended permit tcp any host 6.6.6.7 eq https

  Which one of these static statements is wrong, and which one matches the requirement best?

  If, for a similar requirement, more than a few ports are involved, like 4 ports for the static, can they be combined in

  one statement to accommodate all 4 ports for that particular LAN-based server rather than separate statements?

This should look like

static (private,internet) tcp 6.6.6.7 443 192.168.100.5 443

access-list XTRA1 extended permit tcp any host 6.6.6.7 eq https

access-group XTRA1 in interface internet

(3)

Similar to point 2, I have another 2 servers inside at 192.168.100.6 & 192.168.100.7 with public IPs 6.6.6.8 - 6.6.6.9.

   Do I need to put a separate static as above for each of them, or is there any way to bundle them together in one static?

No, you need separate statics:

static (private,internet) 6.6.6.8 192.168.100.6

static (private,internet) 6.6.6.9 192.168.100.7

(4)

Another need says that traffic between private IP 192.168.100.8, NATted to public IP 6.6.6.10, should be configured

   to be used both ways, i.e. users from the internet should be able to access 192.168.100.8, and local users, when going out,

    should use 6.6.6.10 as the public IP. Is there any way to configure this in a simplified way?

static (private,internet) 6.6.6.10 192.168.100.8

The above static should take care of this for you. A static 1-to-1 takes precedence over nat/global.

I hope it helps. Please mark the question answered if it answers your questions.

-KS
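The precedence KS relies on ("a static 1-to-1 takes precedence over nat/global"), and the difference between the OP's per-port policy NAT and KS's subnet-wide nat/global for question 1, can be checked with a small model of the ASA 8.0 (pre-8.3) NAT order of operations. This is an added example, not part of the thread and not Cisco code. It assumes the lookup order from the ASA 8.0 configuration guide (NAT exemption, then static, then policy dynamic NAT, then regular dynamic NAT by best match), takes the interface address 7.7.7.7 and the statics from the thread, treats the `sqlnet` port literal as TCP 1521, and does not model nat 0 exemption, outside NAT or DNS rewrite. The function names `outbound`, `inbound` and `thread_config` are the example's own.

```python
"""Model of the ASA 8.0 (pre-8.3) NAT order of operations, applied to the
configurations discussed in this thread.  Constructed example; not ASA code.

Lookup order (ASA 8.0 configuration guide, "NAT Order of Operations"):
  1. NAT exemption (nat 0 access-list)       - none in this thread, not modelled
  2. static NAT / static PAT                 - first match
  3. policy dynamic NAT (nat id access-list) - first match
  4. regular dynamic NAT (nat id net mask)   - best match (longest prefix)
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Static:             # static (private,internet) [tcp|udp] mapped [mport] real [rport]
    mapped: str
    real: str
    proto: Optional[str] = None          # set only for static PAT
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


@dataclass
class PolicyNat:          # nat (private) id access-list NAME + global (internet) id ADDR
    aces: List[Tuple[str, str, int]]     # (proto, real host, destination port)
    mapped: str


@dataclass
class RegularNat:         # nat (private) id NET MASK + global (internet) id ADDR
    network: ipaddress.IPv4Network
    mapped: str


@dataclass
class NatConfig:
    statics: List[Static] = field(default_factory=list)
    policy: List[PolicyNat] = field(default_factory=list)
    regular: List[RegularNat] = field(default_factory=list)


def outbound(cfg: NatConfig, src: str, sport: int, proto: str, dport: int):
    """Translate an inside -> internet flow.  Returns (rule, mapped_ip, mapped_port);
    mapped_port is None where the ASA would pick an ephemeral PAT port."""
    for s in cfg.statics:
        if s.real != src:
            continue
        if s.proto is None:                              # 1:1 static: any proto/port
            return ("static", s.mapped, sport)
        if s.proto == proto and s.real_port == sport:    # static PAT: only that port
            return ("static-pat", s.mapped, s.mapped_port)
    for p in cfg.policy:
        if any(proto == pr and src == host and dport == dp for pr, host, dp in p.aces):
            return ("policy-nat", p.mapped, None)
    addr, best = ipaddress.IPv4Address(src), None
    for r in cfg.regular:                                # order does not matter
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    if best is not None:
        return ("regular-nat", best.mapped, None)
    return ("untranslated", src, sport)                  # nat-control disabled: passes as-is


def inbound(cfg: NatConfig, dst: str, proto: str, dport: int):
    """Untranslate a new internet -> inside connection.  Only statics create an
    inbound mapping; on 8.0 the ACL on the internet interface must also permit
    the flow, written against the mapped address."""
    for s in cfg.statics:
        if s.mapped != dst:
            continue
        if s.proto is None:
            return (s.real, dport)
        if s.proto == proto and s.mapped_port == dport:
            return (s.real, s.real_port)
    return None                                          # no translation: dropped


def thread_config(policy_nat: bool) -> NatConfig:
    """The OP's existing nat/global plus either the OP's policy NAT (question 1)
    or KS's subnet nat, and the statics from questions 2-4."""
    cfg = NatConfig()
    # nat (private) 1 0.0.0.0 0.0.0.0 / global (internet) 1 interface   (outside = 7.7.7.7)
    cfg.regular.append(RegularNat(ipaddress.IPv4Network("0.0.0.0/0"), "7.7.7.7"))
    if policy_nat:   # nat (private) 2 access-list XTRA / global (internet) 2 6.6.6.6
        cfg.policy.append(PolicyNat([("tcp", "192.168.100.2", 80),
                                     ("tcp", "192.168.100.3", 8080),
                                     ("tcp", "192.168.100.4", 1521)], "6.6.6.6"))  # sqlnet = 1521
    else:            # nat (private) 2 192.168.100.0 255.255.255.0 / global (internet) 2 6.6.6.6
        cfg.regular.append(RegularNat(ipaddress.IPv4Network("192.168.100.0/24"), "6.6.6.6"))
    cfg.statics.append(Static("6.6.6.7", "192.168.100.5", "tcp", 443, 443))  # static PAT, q2
    cfg.statics += [Static("6.6.6.8", "192.168.100.6"),                      # q3
                    Static("6.6.6.9", "192.168.100.7"),
                    Static("6.6.6.10", "192.168.100.8")]                     # q4, bidirectional
    return cfg


if __name__ == "__main__":
    op, ks = thread_config(True), thread_config(False)
    for flow in (("192.168.100.2", 40000, "tcp", 443), ("192.168.100.8", 40000, "tcp", 443)):
        print(flow, "OP:", outbound(op, *flow), "KS:", outbound(ks, *flow))
    print(inbound(ks, "6.6.6.7", "tcp", 443), inbound(ks, "6.6.6.7", "tcp", 80))
```

What it shows: with the OP's policy NAT, 192.168.100.2 reaching anything other than TCP 80 (and 192.168.100.4 doing a DNS lookup) falls through to the interface PAT on 7.7.7.7, which is why KS asks whether those hosts only ever use those ports and mentions UDP 53; with KS's subnet nat, the /24 wins over 0.0.0.0 0.0.0.0 by best match regardless of the order of the nat lines; the static PAT on 6.6.6.7 admits only TCP 443 inbound and does not change the server's own outbound source address, which still comes from the dynamic pool; and the plain static for 192.168.100.8 applies in both directions. In every case a new inbound connection also needs a permit in the ACL applied to the internet interface.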

2 REPLIES
New Member

Re: firewall configuration

Thanks.

I will resort to your suggested method.

Really appreciate all the assistance extended!
