07-10-2013 11:08 AM - edited 03-11-2019 07:10 PM
Hi All,
I am using a Cisco ASA in my environment, which is connected to an L2 switch. One server and one router are also connected to the L2 switch. Now I want to access port 80 on my server from outside.
How is it possible if the server gateway is the router's IP and I don't want to add a static route in the router or server towards the firewall? NAT and access list are done on the firewall. What else can I do on the firewall to access port 80 of my server from outside? I don't want to change anything on the router/server.
Below is the IP detail
1. Firewall inside 192.168.1.1 & Outside 1.1.1.1
2. Router IP - 192.168.1.2
3. Server IP - 192.168.1.3 & GW - 192.168.1.2
07-10-2013 11:20 AM
Hi,
According to your explanation the packets would arrive on the ASA and reach the server, but the server would forward them through the router, which would then probably forward them through another Internet connection. Or what is the default gateway of the router?
If it's something other than the ASA then the connections will fail.
- Jouni
07-10-2013 11:38 AM
Hi Jouni,
Thanks for Reply
Yes, the default gateway is something other than the ASA and the connection is failing. But is there any configuration we can do on the firewall to make it work? I heard from someone that we can do some mapping on the firewall with that server and it should work even if the default gateway of the server is different, and if the GW of the router is not the ASA.
07-10-2013 11:40 AM
Hi,
What is the software level of your firewall?
- Jouni
07-10-2013 11:46 AM
Hi,
It's PIX Firewall 7.2
07-10-2013 11:55 AM
Hi,
Well, the only way I could think of to get the connections working would be the following.
You haven't mentioned what type of NAT you are doing on the ASA for the server, Static PAT or Static NAT. Static PAT would be forwarding a single port (or several ports) only, while Static NAT would be dedicating a single public IP address to the server.
I would imagine that you would have to configure 2 separate NAT statements
Dynamic Policy PAT for the External hosts
access-list POLICY-NAT-WEBSERVER remark NAT inbound web traffic to an internal IP address
access-list POLICY-NAT-WEBSERVER permit tcp any host 1.1.1.1 eq 80
nat (outside) 100 access-list POLICY-NAT-WEBSERVER
global (inside) 100 interface
Static NAT or Static PAT for Web server
static (inside,outside) 1.1.1.1 192.168.1.3 netmask 255.255.255.255
or
static (inside,outside) tcp 1.1.1.1 80 192.168.1.3 80 netmask 255.255.255.255
If you are using the public IP address on the ASA "outside" interface then replace the 1.1.1.1 with "interface". The IP address 1.1.1.1 stands for a public IP address that you might use.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
07-10-2013 12:16 PM
Hi,
Have done the following configuration only.
static (inside,outside) tcp 1.1.1.1 80 192.168.1.3 80 netmask 255.255.255.255
access-list server permit tcp any host 192.168.1.3 eq 80
Now according to you I need to add the Dynamic Policy PAT as well for external hosts.
Will try and reply to you.
Thanks
07-10-2013 12:20 PM
Hi,
Yes, the Static PAT (Port Forward) that you have configured will forward the traffic to your Web server but the return traffic will still be forwarded to the router by the web server and the connections will fail.
However, if we configure the Dynamic Policy PAT, which NATs any users on the Internet to your firewall's "inside" interface local IP address, then the Web server will send the return traffic there, since hosts communicating in the same subnet will always send the traffic directly to each other.
- Jouni
07-11-2013 06:32 AM
Hi Jouni,
Have tried but no luck. Below is my configuration.
interface GigabitEthernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
object network WEBSERVER
host 192.168.1.3
access-list WEBSERVER extended permit tcp any host 192.168.1.3 eq www
access-list WEBSERVER extended permit tcp any host 1.1.1.1 eq www
object network WEBSERVER
nat (inside,outside) static interface service tcp www www
access-group WEBSERVER in interface outside
nat (outside) 100 access-list WEBSERVER
global (inside) 100 interface
07-11-2013 06:52 AM
Have tried this on ASA version 8.4
07-11-2013 09:20 AM
Hi,
You said you had PIX 7.2?
The NAT configuration format I provided only works up to software level 8.2
At 8.3 and after the configuration format is totally different.
Which one are you using?
- Jouni
07-11-2013 11:17 AM
Hi,
Today I have tried on an ASA with software version 8.4.
07-11-2013 11:40 AM
Hi,
In the new format you might be able to do both of the NAT configurations with a single "nat" command
object network WEBSERVER
host 192.168.1.3
object service WWW
service tcp source eq www
nat (inside,outside) source static WEBSERVER interface destination static interface any service WWW WWW
This should both do Static PAT for your Web server and translate any source address on the Internet to the "inside" interface IP address WHEN they access your Web server through TCP/80.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
- Jouni
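The two replies above (the "return traffic goes to the router" explanation and the single-line 8.4 "nat" command that adds source PAT to the "inside" interface address) describe one packet flow. The following Python model is an added example, not Cisco code and not from this thread: it simulates the web server's next-hop decision with and without the source PAT so the failure mode and the fix can be seen side by side. The firewall, router and server addresses are the ones from the thread; the outside client address 203.0.113.10 and its source port are constructed test values, and the model ignores port translation on the PAT (the real ASA also rewrites the source port).

```python
"""Model of why a port-forward alone fails when the server's gateway is not
the ASA, and why policy PAT to the ASA "inside" address fixes it.
Added example; addresses from the thread, client address is constructed."""

from dataclasses import dataclass, replace

# Addresses taken from the thread
FW_OUTSIDE = "1.1.1.1"
FW_INSIDE = "192.168.1.1"
ROUTER = "192.168.1.2"       # server's default gateway, not the ASA
SERVER = "192.168.1.3"
INSIDE_PREFIX = "192.168.1."
CLIENT = "203.0.113.10"      # constructed outside client (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Firewall:
    """Stateful firewall: static PAT for TCP/80 plus optional source PAT."""

    def __init__(self, source_pat: bool):
        self.source_pat = source_pat
        # connection table keyed on the translated 5-tuple seen on "inside"
        self.conns = {}

    def inbound(self, pkt: Packet):
        """Outside -> inside. Returns the translated packet or None (dropped)."""
        if pkt.dst != FW_OUTSIDE or pkt.dport != 80:
            return None                      # no translation, ACL drops it
        xlated = replace(pkt, dst=SERVER)    # static PAT: 1.1.1.1:80 -> server
        if self.source_pat:
            # policy PAT: hide the Internet client behind the "inside" address
            xlated = replace(xlated, src=FW_INSIDE)
        key = (xlated.src, xlated.sport, xlated.dst, xlated.dport)
        self.conns[key] = pkt                # remember the original client
        return xlated

    def return_traffic(self, reply: Packet):
        """Inside -> outside. Only replies matching a connection are untranslated."""
        key = (reply.dst, reply.dport, reply.src, reply.sport)
        orig = self.conns.get(key)
        if orig is None:
            return None
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def server_next_hop(reply: Packet) -> str:
    """On-link destinations are sent directly; everything else to the gateway."""
    return reply.dst if reply.dst.startswith(INSIDE_PREFIX) else ROUTER


def simulate(source_pat: bool) -> dict:
    """Run one client SYN through the firewall and follow the server's reply."""
    fw = Firewall(source_pat)
    syn = Packet(src=CLIENT, dst=FW_OUTSIDE, sport=40000, dport=80)
    inside = fw.inbound(syn)
    reply = Packet(src=SERVER, dst=inside.src, sport=80, dport=inside.sport)
    hop = server_next_hop(reply)
    if hop == ROUTER:
        # The router forwards via its own default route; the ASA never sees
        # the reply, so its connection entry is never completed.
        return {"delivered": False, "server_sends_reply_to": hop, "to_client": None}
    out = fw.return_traffic(reply)
    return {"delivered": out is not None, "server_sends_reply_to": hop, "to_client": out}


if __name__ == "__main__":
    for mode in (False, True):
        print("source PAT" if mode else "port forward only", "->", simulate(mode))
```

Without the source PAT the reply to 203.0.113.10 is off-link for the server, so it goes to 192.168.1.2 and the connection never completes; with it the reply is addressed to 192.168.1.1, lands on the ASA's inside interface, matches the connection entry and is untranslated back to 1.1.1.1 -> 203.0.113.10. The trade-off the model makes visible is that the web server's logs then show 192.168.1.1 as the client for every Internet request.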
07-12-2013 11:33 PM
Hi Jouni,
Thanks a lot for the help. It's working fine now.
Can you please share with me the commands for version 7.2 also?
07-13-2013 07:19 AM
Hi,
I provided that configuration in the earlier replies, the ones done with the "static", "nat" and "global" configurations.
I have not tested the setup myself but it would seem like the only way to do it that I can think of at the moment.
Please do remember to mark a reply as the correct answer if it has answered your question.
- Jouni