10-11-2010 06:35 AM - edited 03-06-2019 01:26 PM
Hi everyone,
I wouldn't say I'm a pro at Cisco, but I do grasp networking structures and concepts.
I have an ASA 5520 firewall; it is failed over to another.
Outside that I have 2 switches, outside those a DSL modem, then the internet.
The ASA is passing traffic to a 3750 inside, on which I have a server.
I want the server to be accessible from the internet, both ways.
I have a second DSL line/modem coming into the outside switch.
The ASA can ping the server.
Do I have to add a second line from the outside switch to the ASA to allow traffic through, or can I use the same/current link?
Re-phrase: can I add a second route, outside to inside, on the same interface?
If yes: would I be better off using the spare interface?
10-11-2010 11:43 AM
Nicholas
Not entirely sure I follow your topology.
3750 - ASA (x 2 failover) -> switch x 2 ? -> DSL modem (x 2) ????
If that is correct, the 2nd DSL modem, is it to the same ISP? More importantly, is it the same addressing assigned by the ISP?
Can you perhaps draw a topology diagram with the IP addressing to make clear what you are trying to do?
Jon
10-12-2010 05:28 AM
This is what I'm looking at. I need to have the server available on the internet through a number of ports. The external IP addresses are different, so I'm going to dedicate modem .16 to the server.
The server is on its own VLAN, so I'd like to publish that VLAN.
I have gone ahead and physically set up the below.
Can you advise the command to enter in the firewall to publish this server with port 80? I also have to publish a UDP and a TCP port. Advice would be greatly appreciated.
FYI, internet for internal is being routed to/from .17.
10-12-2010 05:39 AM
Okay, so you don't want failover for the server now?
The commands on the ASA to "publish" the server to the internet would be -
server real IP = 192.168.160.10
server public IP = 177.10.10.1
static (inside,outside) 177.10.10.1 192.168.160.10 netmask 255.255.255.255
The above will publish all ports, so if you want to tie it down to specific ports -
static (inside,outside) tcp 177.10.10.1 80 192.168.160.10 80 netmask 255.255.255.255 <-- would publish http service from server
static (inside,outside) udp 177.10.10.1 53 192.168.160.10 53 netmask 255.255.255.255 <-- would publish DNS service from server
Obviously you then also need to allow inbound traffic with an access-list on the outside interface of your firewall.
Jon
10-12-2010 08:44 AM
Thanks for the response Jon, great help.
Server failover is OK, we'll worry about that down the line.
Jon: "obviously then you also need to allow inbound traffic with an access-list on the outside interface of your firewall."
The route isn't defined yet; can't ping the modem.
For the route, would it be: route outside1 0.0.0.0 0.0.0.0 192.168.0.16 2 (as I already have a route 1, is it necessary to have a different distance metric?)
In the config below, route outside with defaults 0.0.0.0 0.0.0.0 is implemented on .17 (internet). Am I correct in thinking that if I run the above route, I'll get issues? From Cisco notes:
In ASA software Versions 7.0 and later, if you have two default routes configured on different interfaces that have different metrics, the connection to the ASA firewall that is made from the higher metric interface fails, but connections to the ASA firewall from the lower metric interface succeed as expected.
If this is the case, what would the route command be?
For the access-list to allow all: "access-group publish in interface outside1"
Below: outside1 is the modem .16 interface. outside is the internet, .17.
Firewall# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname Firewall
domain-name default.domain.invalid
enable password H/FviRtGrhZNMBmA encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.0.20 255.255.255.240 standby 192.168.0.21
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.9 255.255.255.248 standby 192.168.0.10
!
interface GigabitEthernet0/2
nameif outside1
security-level 0
ip address 192.168.0.29 255.255.255.224 standby 192.168.0.30
!
interface GigabitEthernet0/3
description LAN Failover Interface
speed 100
duplex full
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu outside1 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.0.30 netmask 255.255.255.240
nat (inside) 1 192.168.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 192.168.0.17 1
route inside 192.168.0.0 255.255.0.0 192.168.0.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.169.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:dd3a90a25dd7bb4516fe44d4e82bb582
: end
Firewall#
10-12-2010 09:43 AM
Nicholas
My apologies, I was so busy concentrating on the translations I forgot about the fact that an ASA can only have one default route.
So you have 2 solutions really -
1) use contexts on the ASA and then have a 2nd connection from the other switch with modem 16 and put the server traffic into that context
2) are the switches running in L3 mode or L2? If L3 and they are running IP Services (which is quite a few ifs, I know!) you could run Policy Based Routing on the switches. So all traffic continues to go through the one outside interface on the ASA and is then sent down to the correct ISP connection via the switches.
Once again, apologies for not realising sooner.
Edit - you don't actually need a second connection and a spare interface on the ASA, as you can share an interface between contexts, but as everything else is redundant, if you have the interface it would make sense to use it.
Jon
10-13-2010 03:22 AM
OK Jon
Sounds like a big job. What if I were to use the current internet outside .17 connection for the NAT connection to the server? If you agree, what would the commands for that be, given the config above? Need this up by tomorrow evening!!
If I tunnel the current default line between .17 and outside, can I not add another route which is not default?
10-13-2010 05:48 AM
If you use the current connections then you need to use an IP address from that ISP's range - do you have a spare one? If so, the commands are as provided before. Or have I misunderstood something?
Jon
10-19-2010 05:39 AM
I've switched over to mode multi.
Internet is up and running.
Have created a second firewall,
assigned interfaces and can ping the DSL modem on outside and the server inside.
The server has an HTML page through HTTP that I can connect to internally, so I'm trying to get that accessible from outside.
I've created NATs on the DSL modem to allow traffic through and it's responding to pings.
The below is not working, what am I missing? I think a global outside is needed?
Firewall/FWA# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname FWA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface GigabitEthernet0/2
description Publishing network
nameif A_outside
security-level 0
ip address 192.168.0.14 255.255.255.224
!
interface A_inside
description publishing inside interface to 160 vlan
nameif A_inside
security-level 100
ip address 192.168.160.5 255.255.255.192
!
passwd 2KFQnbNIdI.2KYOU encrypted
pager lines 24
mtu A_inside 1500
mtu A_outside 1500
no asdm history enable
arp timeout 14400
static (A_inside,A_outside) 192.168.0.15 192.168.160.10 netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end
Firewall/FWA#
10-20-2010 05:19 AM
Hi lads,
Anyone have suggestions on this please?
10-20-2010 07:55 AM
So you are presenting the inside server as 192.168.0.15?? Is that correct? If so you need an access-list to allow the traffic, e.g.
access-list outside_in permit tcp any host 192.168.0.15 eq http
access-group outside_in in interface outside
Jon
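The point of the last reply, that a static alone publishes nothing until an inbound access-list is bound to the mapped interface, can be checked mechanically against a running-config. The Python audit below is an added example (not from the thread, and not Cisco's code) that parses pre-8.3 ASA `static`, `access-list` and `access-group` lines and reports each mapped address that still has no matching permit; its sample lines are constructed from the thread's own FWA context, whose outside nameif is A_outside, so an access-group bound to "outside" does not cover it.

```python
# Constructed samples: the static line from the FWA context above, alone, with the
# suggested access-list bound to "outside", and bound to the context's nameif A_outside.
STATIC = "static (A_inside,A_outside) 192.168.0.15 192.168.160.10 netmask 255.255.255.255\n"
ACL = "access-list outside_in permit tcp any host 192.168.0.15 eq http\n"
FWA_WRONG_IF = STATIC + ACL + "access-group outside_in in interface outside\n"
FWA_FIXED = STATIC + ACL + "access-group outside_in in interface A_outside\n"

def _addr(tok, i):
    # One ACL address field: any | host A.B.C.D | A.B.C.D MASK -> (spec, next index)
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2

def parse(text):
    # Collect statics as (mapped_if, proto, mapped_ip), ACL entries and access-group bindings.
    statics, acls, groups = [], {}, {}
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "static":
            # static (real_if,mapped_if) [tcp|udp] MAPPED [port] REAL [port] netmask M
            mapped_if = tok[1].strip("()").split(",")[1]
            proto = tok[2] if tok[2] in ("tcp", "udp") else "ip"
            statics.append((mapped_if, proto, tok[3] if proto != "ip" else tok[2]))
        elif tok[0] == "access-list":
            # access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]
            i = 3 if tok[2] == "extended" else 2
            if tok[i] in ("permit", "deny"):          # skip remark / standard ACL lines
                _, j = _addr(tok, i + 2)              # source field, not needed here
                dst, _ = _addr(tok, j)
                acls.setdefault(tok[1], []).append((tok[i], tok[i + 1], dst))
        elif tok[0] == "access-group":                # access-group NAME in interface IFACE
            groups[tok[4]] = tok[1]
    return statics, acls, groups

def audit(text):
    # Map each mapped IP to "ok" or the reason inbound traffic is still dropped.
    statics, acls, groups = parse(text)
    out = {}
    for mapped_if, proto, mapped_ip in statics:
        acl = groups.get(mapped_if)
        if acl is None:
            out[mapped_ip] = f"no access-group applied inbound on {mapped_if}"
        elif not any(a == "permit" and d in ("any", mapped_ip) and (p == proto or "ip" in (p, proto))
                     for a, p, d in acls.get(acl, [])):
            out[mapped_ip] = f"{acl} on {mapped_if} has no permit to {mapped_ip}"
        else:
            out[mapped_ip] = "ok"
    return out
```

Feed it the output of `show run` from the context; a port-restricted static is only reported as ok when the permit's protocol matches.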