Need Help on one Firewall Question

jaskamboj
Level 1

Hi All,

I am using a Cisco ASA in my environment, which is connected to L2. One server and one router are also connected to L2. Now I want to access port 80 on my server from outside.

How is it possible if the server gateway is the router's IP and I don't want to add a static route in the router or server towards the firewall? NAT and access list are done on the firewall. What else can I do on the firewall to access port 80 of my server from outside? Don't want to change anything on the router/server.


Below are the IP details:

1. Firewall inside 192.168.1.1 & Outside 1.1.1.1

2. Router IP - 192.168.1.2

3. Server IP - 192.168.1.3 & GW - 192.168.1.2

18 Replies

Jouni Forss
VIP Alumni

Hi,

According to your explanation the packets would arrive on the ASA and reach the server, but the server would forward them through the router, which would then probably forward them through another Internet connection. Or what is the default gateway of the router?

If it's something other than the ASA then the connections will fail.

- Jouni

Hi Jouni,

Thanks for the reply.

Yes, the default gateway is something other than the ASA and the connection is failing. But is there any configuration we can do on the firewall to make it work? I heard from someone that we can do some mapping on the firewall with that server and it should work even if the default gateway of the server is different, and if the GW of the router is not the ASA.

Hi,

What is the software level of your firewall?

- Jouni

Hi,

It's a PIX Firewall 7.2.

Hi,

Well, the only ways I could think of to get the connections working would be:

  • Policy Based Routing on the router that would forward the web server's traffic through the firewall instead of the router's default gateway (even just the return traffic for web connections)
  • Configuring NAT on the ASA firewall so that all traffic from the Internet would be NATed to an internal IP address from the network 192.168.1.0/24. This would mean that the server would be sending the traffic to the ASA instead of using its default gateway. And this is of course because the server would be seeing all connections coming from its connected network and wouldn't have to use the default gateway.

You haven't mentioned what type of NAT you are doing on the ASA for the server, Static PAT or Static NAT. Static PAT would be forwarding a single port (or several ports) only, while Static NAT would be dedicating a single public IP address to the server.

I would imagine that you would have to configure 2 separate NAT statements

Dynamic Policy PAT for the External hosts

  • This should NAT all traffic coming from the Internet to the IP address of your ASA's "inside" interface WHEN the destination is the public IP address of your Web server.

access-list POLICY-NAT-WEBSERVER remark NAT inbound web traffic to an internal IP address
access-list POLICY-NAT-WEBSERVER permit tcp any host 1.1.1.1 eq 80
nat (outside) 100 access-list POLICY-NAT-WEBSERVER
global (inside) 100 interface

Static NAT or Static PAT for Web server

  • Either of these NAT configurations should forward the connections to your Web server's public IP address on port TCP/80 to the Web server.
  • Together with the above NAT configuration, the return traffic from the Web server should flow back through the ASA.

static (inside,outside) 1.1.1.1 192.168.1.3 netmask 255.255.255.255

or

static (inside,outside) tcp 1.1.1.1 80 192.168.1.3 80 netmask 255.255.255.255

If you are using the public IP address on the ASA "outside" interface then replace the 1.1.1.1 with "interface". The IP address 1.1.1.1 stands for a public IP address that you might use.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Hi,

Have done the following configuration only.

static (inside,outside) tcp 1.1.1.1 80 192.168.1.3 80 netmask 255.255.255.255
access-list server permit tcp any host 192.168.1.3 eq 80

Now according to you I need to add the dynamic policy as well for external hosts.

Will try and reply to you.

Thanks

Hi,

Yes, the Static PAT (port forward) that you have configured will forward the traffic to your Web server, but the return traffic will still be forwarded to the router by the web server and the connections will fail.

However, if we configure the Dynamic Policy PAT, which NATs any users on the Internet to your firewall's "inside" interface local IP address, then the Web server will send the return traffic there, since hosts communicating in the same subnet will always send the traffic directly to each other.

- Jouni

Hi Jouni,

Have tried but no luck. Below is my configuration.

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network WEBSERVER
 host 192.168.1.3
!
access-list WEBSERVER extended permit tcp any host 192.168.1.3 eq www
access-list WEBSERVER extended permit tcp any host 1.1.1.1 eq www
!
object network WEBSERVER
 nat (inside,outside) static interface service tcp www www
!
access-group WEBSERVER in interface outside
!
nat (outside) 100 access-list WEBSERVER
global (inside) 100 interface

Have tried this on ASA version 8.4.

Hi,

You said you had PIX 7.2?

The NAT configuration format I provided only works up to software level 8.2.

At 8.3 and after, the configuration format is totally different.

Which one are you using?

- Jouni

Hi,

Today I have tried on an ASA with software version 8.4.

Hi,

In the new format you might be able to do both of the NAT configurations with a single "nat" command:

object network WEBSERVER
 host 192.168.1.3
!
object service WWW
 service tcp source eq www
!
nat (inside,outside) source static WEBSERVER interface destination static interface any service WWW WWW

This should both do Static PAT for your Webserver and translate any source address on the Internet to the "inside" interface IP address WHEN they access your Web server through TCP/80.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni
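The two replies above (the explanation of why the return traffic goes to the router, and the single-line 8.4 NAT that fixes it) come down to one forwarding rule on the server: a host sends directly to destinations on its connected subnet and everything else to its default gateway. The following Python model is an added example, not part of the thread or Cisco's code. It uses the addresses from the thread, a constructed Internet client 203.0.113.10 (TEST-NET-3), and a deliberately simplified PAT port allocator in place of the ASA's real xlate handling, and it compares the static-PAT-only case with the static PAT plus inbound policy PAT case.

```python
"""Added example (not from the thread): models why a static PAT alone fails
when the web server's default gateway is the router, and why also translating
Internet sources to the ASA "inside" interface IP brings the reply back via
the ASA. Addresses are from the thread; the client address is constructed."""
import ipaddress
from dataclasses import dataclass

ASA_OUTSIDE = ipaddress.ip_address("1.1.1.1")
ASA_INSIDE = ipaddress.ip_address("192.168.1.1")
ROUTER = ipaddress.ip_address("192.168.1.2")
SERVER = ipaddress.ip_address("192.168.1.3")
SERVER_GATEWAY = ROUTER                        # server's default gateway per the thread
LAN = ipaddress.ip_network("192.168.1.0/24")   # the shared L2 segment
CLIENT = ipaddress.ip_address("203.0.113.10")  # constructed sample Internet client


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int


class Asa:
    """Inbound static PAT for the server, optionally combined with the policy
    PAT that rewrites the Internet source to the inside interface address."""

    def __init__(self, policy_pat: bool):
        self.policy_pat = policy_pat
        self.xlate = {}        # (mapped src, mapped sport) -> (real src, real sport)
        self.next_port = 1024  # simplified PAT port allocator (assumption)

    def inbound(self, pkt: Packet) -> Packet:
        # Static PAT: tcp 1.1.1.1 80 -> 192.168.1.3 80
        if pkt.dst != ASA_OUTSIDE or pkt.dport != 80:
            raise ValueError("no static PAT rule matches this packet")
        if not self.policy_pat:
            return Packet(pkt.src, SERVER, pkt.sport, 80)
        # Policy PAT: any Internet source -> inside interface IP, fresh source port
        mapped_port = self.next_port
        self.next_port += 1
        self.xlate[(ASA_INSIDE, mapped_port)] = (pkt.src, pkt.sport)
        return Packet(ASA_INSIDE, SERVER, mapped_port, 80)

    def outbound_reply(self, pkt: Packet) -> Packet:
        # Reverse both translations for a reply the server sent to the ASA
        real_src, real_sport = self.xlate.get((pkt.dst, pkt.dport), (pkt.dst, pkt.dport))
        return Packet(ASA_OUTSIDE, real_src, 80, real_sport)


def server_next_hop(reply: Packet) -> ipaddress.IPv4Address:
    """Connected subnet -> send directly; anything else -> default gateway."""
    return reply.dst if reply.dst in LAN else SERVER_GATEWAY


def simulate(policy_pat: bool) -> dict:
    """Run one SYN/SYN-ACK exchange and report which path the reply takes."""
    asa = Asa(policy_pat)
    syn = Packet(CLIENT, ASA_OUTSIDE, 40000, 80)
    to_server = asa.inbound(syn)
    syn_ack = Packet(SERVER, to_server.src, 80, to_server.sport)
    hop = server_next_hop(syn_ack)
    if hop == ASA_INSIDE:
        # Reply enters the ASA, is untranslated, and must match the client's SYN
        out = asa.outbound_reply(syn_ack)
        ok = (out.src, out.sport, out.dst, out.dport) == (syn.dst, syn.dport, syn.src, syn.sport)
        return {"return_path": "asa", "reply_reaches_client": ok}
    # Reply goes to the router, whose default gateway is not the ASA: the
    # client never sees a SYN-ACK from 1.1.1.1 and the connection fails
    return {"return_path": "router", "reply_reaches_client": False}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"policy PAT {'on ' if mode else 'off'} -> {simulate(mode)}")
```

Running it prints the router path with the policy PAT off and the ASA path with it on; the trade-off, as the thread's author notes, is that the web server then sees every Internet client as 192.168.1.1, so its own logs no longer show the real client address.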

Hi Jouni,

Thanks a lot for the help. It's working fine now.

Can you please share the commands for Version 7.2 also?

Hi,

I provided that configuration in the earlier replies, the ones done with the "static", "nat" and "global" configurations.

I have not tested the setup myself but it would seem like the only way to do it that I can think of at the moment.

Please do remember to mark a reply as the correct answer if it has answered your question.

- Jouni
