Help with IIS PAT for ASA5510

shostackr
Level 1

Ok, I am pretty new to Cisco configuration. We recently bought an ASA so that we can secure an IIS server behind it. The IIS server will be doing http and https. I guess I want to do a static nat to nat the outside fixed IP of the website to an internal address. (I think in Cisco terms it's called a PAT.) I am just looking for someone to tell me if I configured it correctly? I think I am very close. The thing I think is wrong is that for some reason the global (external) and nat (internal) are labeled 101? Should that be changed to something different? Any help you would provide would be sorely appreciated from a newbie like me. I think I am close, but only a trained eye could tell me how close.

Thanks in advance!

ASA Version 8.2(5)
!
hostname ciscoasa

!
interface Ethernet0/0
nameif External
security-level 0
ip address (External WEBSITE FIXEDIP) 255.255.255.0
!
interface Ethernet0/1
nameif Internal
security-level 100
ip address (INTERNAL INTERFACE IP) 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list External_access_in extended permit tcp any host (EXTERNAL FIXED IP) eq www
access-list External_access_in extended permit tcp any host (EXTERNAL FIXED IP) eq https
pager lines 24
logging asdm informational
mtu management 1500
mtu External 1500
mtu Internal 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (External) 101 interface
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,External) tcp interface www (INTERNAL IIS SERVER IP) www netmask 255.255.255.255
static (Internal,External) tcp interface (INTERNAL IIS SERVER IP) https netmask 255.255.255.255
access-group External_access_in in interface External
route External 0.0.0.0 0.0.0.0 (EXTERNAL GATEWAY IP OF ISP) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context

3 Replies

Jouni Forss
VIP Alumni

Hi,

The "global" and "nat" configuration simply match the source addresses/subnets for the Dynamic NAT or PAT. The ID number used there doesn't really matter in your case.

The type of NAT you have done for the server is called Static PAT.

The configuration is otherwise fine, but you're missing the "https" after the "interface" parameter.

Are you saying that connections from the External network aren't working?

Naturally with HTTPS the problem might be that the ASA uses that port for ASDM GUI management connections. If you want to change the default port of ASDM Management connections you can use the command

http server enable

This should leave the port TCP/443 usable for other purposes on your "External" interface. Though I have to say that I am not sure whether there is any overlap at the moment. You have not enabled any ASDM management on the "External" interface.

You can also use the "packet-tracer" command to simulate a packet incoming from the External network towards your public IP address on a certain port. This will usually tell you if the configurations on the ASA are OK and if the traffic/connections are allowed.

You could use for example

packet-tracer input External tcp 1.1.1.1 12345 80

packet-tracer input External tcp 1.1.1.1 12345 443

Hope this helps

- Jouni

I haven't rolled it out as of yet, I am just trying to see if I got it configured correctly. I am hoping to roll it out and not have to fiddle with it (as I really don't have the expertise).

Where do I need the "https" after the "interface"?

I really don't want any management enabled on my external interface (only internal and management port mgt access). Thus I didn't enable it on the external port? Will this conflict with my planned configuration?

Thanks for your help!

Hi,

I only meant that you have a typo in the other Static PAT configurations.

This is the above configuration

static (Internal,External) tcp interface www (INTERNAL IIS SERVER IP) www netmask 255.255.255.255

static (Internal,External) tcp interface (INTERNAL IIS SERVER IP) https netmask 255.255.255.255

The Static PAT for the port TCP/443 is lacking the "https" after the "interface" parameter. But as the ASA would not accept the command in its current form I am sure you would notice it eventually.

static (Internal,External) tcp interface https (INTERNAL IIS SERVER IP) https netmask 255.255.255.255

In general the configuration seems OK to me and should work.

  • Interfaces configured and enabled
  • Default route configured
  • Dynamic PAT and Static PAT configured for Internal users
  • Access-list configured and attached to the External interface

- Jouni
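Added example, not from this thread or from Cisco: a small Python linter that parses ASA 8.2-style "static", "access-list" and "access-group" lines and flags the two things discussed above, a static PAT line whose mapped port is missing (the typo Jouni points out) and an inbound ACL permit for a port that no static PAT actually maps. The interface names, ACL name and RFC 5737 addresses in the sample are constructed; the port-keyword table is a small subset.

```python
import re

# Subset of port keywords the ASA accepts in place of numbers (assumption: only these are needed here)
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53}

def to_port(tok):
    """Resolve a port token (number or keyword) to an int, or None if it is not a port."""
    if tok.isdigit() and 0 < int(tok) < 65536:
        return int(tok)
    return PORT_NAMES.get(tok)

def lint_asa_static_pat(config):
    """Return a list of finding strings for ASA 8.2 static PAT lines and their inbound ACLs."""
    findings, exposed, permits, applied = [], set(), set(), {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"^static \(([^,]+),([^)]+)\) (tcp|udp) (.+)$", line)
        if m:
            _real_if, mapped_if, proto, rest = m.groups()
            toks = rest.split()
            # Expected layout: <mapped_ip|interface> <mapped_port> <real_ip> <real_port> netmask <mask>
            if (len(toks) != 6 or toks[4] != "netmask"
                    or to_port(toks[1]) is None or to_port(toks[3]) is None):
                findings.append(f"malformed static PAT (check the mapped port after '{toks[0]}'): {line}")
                continue
            exposed.add((mapped_if, proto, to_port(toks[1])))
            continue
        m = re.match(r"^access-list (\S+) extended permit (tcp|udp) .+ eq (\S+)$", line)
        if m:
            permits.add((m.group(1), m.group(2), to_port(m.group(3))))
            continue
        m = re.match(r"^access-group (\S+) in interface (\S+)$", line)
        if m:
            applied[m.group(2)] = m.group(1)
    # Every port a static PAT exposes needs a permit in the ACL bound inbound on that interface
    for iface, proto, port in sorted(exposed):
        acl = applied.get(iface)
        if acl is None or (acl, proto, port) not in permits:
            findings.append(f"static PAT exposes {proto}/{port} on {iface} but no inbound ACL permits it")
    # A permit for a port that nothing maps usually means a static line is missing or broken
    for acl, proto, port in sorted(permits, key=str):
        ifaces = [i for i, a in applied.items() if a == acl]
        if not any((i, proto, port) in exposed for i in ifaces):
            findings.append(f"ACL {acl} permits {proto}/{port} but no static PAT maps that port")
    return findings

# Constructed sample mirroring the thread's layout, including the missing "https" (RFC 5737 addresses)
BROKEN = """\
access-list External_access_in extended permit tcp any host 203.0.113.5 eq www
access-list External_access_in extended permit tcp any host 203.0.113.5 eq https
static (Internal,External) tcp interface www 192.0.2.10 www netmask 255.255.255.255
static (Internal,External) tcp interface 192.0.2.10 https netmask 255.255.255.255
access-group External_access_in in interface External
"""
FIXED = BROKEN.replace("interface 192.0.2.10 https", "interface https 192.0.2.10 https")
```

Running the linter on BROKEN reports the malformed 443 static line and the now-unmapped https permit; on FIXED it reports nothing.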
