Ok I am pretty new to CISCO configuration. We recently bought an ASA so that we can secure an IIS server behind it. The IIS Server will be doing http and https. I guess I want to do a static nat to nat the outside fixed IP of the website to an internal address. (I think in CISCO terms it's called a PAT) I am just looking for someone to tell me if I configured it correctly? I think I am very close. The thing I think is wrong is for somereason the global (exernal) and nat (internal) for some reason are labeled 101? Should that be changed to something different? Any help you would provide would be sorely appreciated from a newbie like me. I think I am close, but only a trained eye could tell me how close.
Thanks in advance!
ASA Version 8.2(5) ! hostname ciscoasa
! interface Ethernet0/0 nameif External security-level 0 ip address (External WEBSITE FIXEDIP) 255.255.255.0 ! interface Ethernet0/1 nameif Internal security-level 100 ip address (INTERNAL INTERFACE IP) 255.255.255.0 ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! ftp mode passive access-list External_access_in extended permit tcp any host (EXTERNAL FIXED IP) eq www access-list External_access_in extended permit tcp any host (EXTERNAL FIXED IP) eq https pager lines 24 logging asdm informational mtu management 1500 mtu External 1500 mtu Internal 1500 no failover icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 global (External) 101 interface nat (Internal) 101 0.0.0.0 0.0.0.0 static (Internal,External) tcp interface www (INTERNAL IIS SERVER IP) www netmask 255.255.255.255 static (Internal,External) tcp interface (INTERNAL IIS SERVER IP) https netmask 255.255.255.255 access-group External_access_in in interface External route External 0.0.0.0 0.0.0.0 (EXTERNAL GATWAY IP OF ISP) 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.1.0 255.255.255.0 management no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.1.2-192.168.1.254 management dhcpd enable management ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context
The "global" and "nat" configuration simply match the source addresses/subnets for the Dynamic NAT or PAT. The ID number used there doesnt really matter in your case.
The type of NAT you ha ve done for the server is called Static PAT
The configuration is otherwise fine but your missing the "https" after the "interface" parameter.
Are you saying that connections from the External network aren't working?
Naturally with HTTPS the problem might be that the ASA uses that port for ASDM GUI management connections. If you want to change the default port of ASDM Management connections you can use the command
http server enable
This should leave the port TCP/443 usable for other purposes on your "External" interface. Though I have to say that I am not sure is there any overlap at the moment. You have not enabled any ASDM management on the "External" interface.
You can also use the "packet-tracer" command to simulate a packet incoming from the External network towards your public IP address on certain port. This will usually tell you if the configurations on the ASA are OK and if the traffic/connections is allowed.
I haven't rolled it out as of yet, I am just trying to see if I got it configured correctly? I am hoping to roll it out and not have to fiddle with it.(as that I really don't have the expertise.)
where do I need the "https" after the "interface" ?
I really don't want any management enabled on my external interface. (only internal and management port mgt access.) Thus I didn't enable on the external port? Will this conflict with my planned configuration?
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :