Server Publishing

nicholas.oneill
Level 1

Hi Everyone

I wouldn't say I'm a pro at Cisco, but I do grasp networking structures and concepts.

I have an ASA 5520 firewall. It fails over to another.

Outside that I have 2 switches, outside those a DSL modem, then the internet.

The ASA is passing traffic to a 3750 inside, on which I have a server.

I want the server to be accessible from the internet, both ways.

I have a second DSL line/modem coming into the outside switch.

The ASA can ping the server.

Do I have to add a second line from the outside switch to the ASA to allow traffic through, or can I use the same/current link?

Re-phrase: can I add a second route, outside to inside, on the same interface?

If yes: would I be better off using the spare interface?

10 Replies

Jon Marshall
Hall of Fame

nicholas.oneill wrote:

Nicholas

Not entirely sure I follow your topology.

3750 - ASA (x 2 failover) -> switch x 2 ? -> dsl modem (x 2) ????

If that is correct, the 2nd DSL modem, is it to the same ISP? More importantly, is it the same addressing assigned by the ISP?

Can you perhaps draw a topology diagram with the IP addressing to make clear what you are trying to do?

Jon

This is what I'm looking at. I need to have the server available on the internet through a number of ports. The external IP addresses are different, so I'm going to dedicate modem .16 to the server.

The server is on its own VLAN, so I'd like to publish that VLAN.

I have gone ahead and physically set up the below.

Can you advise the command to enter in the firewall to publish this server, with port 80. Also I have to publish a UDP and a TCP port. Advice would be greatly appreciated.

FYI, internet for internal is being routed to/from .17.

nicholas.oneill wrote:


Okay, so you don't want failover for the server now?

The commands on the ASA to "publish" the server to the internet would be -

server real IP = 192.168.160.10

server public IP = 177.10.10.1

static (inside,outside) 177.10.10.1 192.168.160.10 netmask 255.255.255.255

The above will publish all ports, so if you want to tie it down to specific ports -

static (inside,outside) tcp 177.10.10.1 80 192.168.160.10 80 netmask 255.255.255.255   <-- would publish http service from server

static (inside,outside) udp 177.10.10.1 53 192.168.160.10 53 netmask 255.255.255.255 <-- would publish DNS service from server

Obviously then you also need to allow inbound traffic with an access-list on the outside interface of your firewall.

Jon

Thanks for the response Jon, great help.

Server failover is OK, we'll worry about that down the line.

jon: "obviously then you also need to allow inbound traffic with an access-list on the outside interface of your firewall."

The route isn't defined yet, can't ping the modem.

For the route, would it be: route outside1 0.0.0.0 0.0.0.0 192.168.0.16 2 (as I already have a route 1, is it necessary to have a different distance metric?)

In the config below, route outside with defaults 0.0.0.0 0.0.0.0 is implemented on .17 (internet). Am I correct in thinking that if I run the above route, I'll get issues? From Cisco notes:

In ASA software Versions 7.0 and later, if you have two default routes configured on different interfaces that have different metrics, the connection to the ASA firewall that is made from the higher metric interface fails, but connections to the ASA firewall from the lower metric interface succeed as expected.

If this is the case, what would the route command be?

For the access-list to allow all: "access-group publish in interface outside1"

Below: outside1 is the modem .16 interface. outside is the internet, .17.

Firewall# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname Firewall
domain-name default.domain.invalid
enable password H/FviRtGrhZNMBmA encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.0.20 255.255.255.240 standby 192.168.0.21
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.9 255.255.255.248 standby 192.168.0.10
!
interface GigabitEthernet0/2
nameif outside1
security-level 0
ip address 192.168.0.29 255.255.255.224 standby 192.168.0.30
!
interface GigabitEthernet0/3
description LAN Failover Interface
speed 100
duplex full
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu outside1 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.0.30 netmask 255.255.255.240
nat (inside) 1 192.168.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 192.168.0.17 1
route inside 192.168.0.0 255.255.0.0 192.168.0.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.169.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:dd3a90a25dd7bb4516fe44d4e82bb582
: end
Firewall#

Nicholas

My apologies, I was so busy concentrating on the translations I forgot about the fact an ASA can only have one default route.

So you have 2 solutions really -

1) Use contexts on the ASA and then have a 2nd connection from the other switch with modem 16, and put the server traffic into that context.

2) Are the switches running in L3 mode or L2? If L3 and they are running IP Services (which is quite a few ifs I know!) you could run Policy Based Routing on the switches. So all traffic continues to go through the one outside interface on the ASA and is then sent down the correct ISP connection via the switches.

Once again, apologies for not realising sooner.

Edit - you don't actually need a second connection and a spare interface on the ASA, as you can share an interface between contexts, but as everything else is redundant, if you have the interface it would make sense to use it.

Jon

Ok Jon

Sounds like a big job. What if I were to use the current internet outside .17 connection for the NAT connection to the server? If you agree, what would the commands for that be, given the config above? Need this up by tomorrow evening!!

If I tunnel the current default line between .17 and outside, can I not add another route, which is not default?

nicholas.oneill wrote:

If you use the current connections then you need to use an IP address from that ISP's range - do you have a spare one? If so, the commands are as provided before. Or have I misunderstood something?

Jon

I've switched over to mode multi.

Internet is up and running.

Have created a second firewall.

Assigned interfaces and can ping the DSL modem on outside and the server inside.

The server has an HTML page over HTTP that I can connect to internally, so I'm trying to get that accessible from outside.

I've created NATs on the DSL modem to allow traffic through and it's responding to pings.

The below is not working. What am I missing? I think a global outside is needed?

Firewall/FWA# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname FWA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface GigabitEthernet0/2
description Publishing network
nameif A_outside
security-level 0
ip address 192.168.0.14 255.255.255.224
!
interface A_inside
description publishing inside interface to 160 vlan
nameif A_inside
security-level 100
ip address 192.168.160.5 255.255.255.192
!
passwd 2KFQnbNIdI.2KYOU encrypted
pager lines 24
mtu A_inside 1500
mtu A_outside 1500
no asdm history enable
arp timeout 14400
static (A_inside,A_outside) 192.168.0.15 192.168.160.10 netmask 255.255.255.255

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end
Firewall/FWA#

Hi lads

Anyone have suggestions on this please?

So you are presenting the inside server as 192.168.0.15?? Is that correct? If so you need an access-list to allow the traffic, e.g.

access-list outside_in permit tcp any host 192.168.0.15 eq http

access-group outside_in in interface outside

Jon
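Pulling Jon's static and access-list commands together for the FWA context, with the interface names and addresses taken from the posted "sh run". This is an added example, not Jon's or Nicholas's own config; the extra TCP/UDP service ports (8443 and 5000) are placeholders for the real ones, and the default route assumes modem .16 is the context's gateway.

```cisco
! Added example (not from the thread): publishing config for the FWA context.
! Assumes: mapped (public-facing) server address 192.168.0.15 as in the posted
! static; placeholder service ports TCP 8443 and UDP 5000; modem .16 as gateway.
!
! One-to-one static for the server, exactly as already in the context:
static (A_inside,A_outside) 192.168.0.15 192.168.160.10 netmask 255.255.255.255
!
! Alternative: per-port statics (Jon's second form) map only the listed ports
! instead of the whole host. Use one form or the other, not both:
! static (A_inside,A_outside) tcp 192.168.0.15 80 192.168.160.10 80 netmask 255.255.255.255
! static (A_inside,A_outside) tcp 192.168.0.15 8443 192.168.160.10 8443 netmask 255.255.255.255
! static (A_inside,A_outside) udp 192.168.0.15 5000 192.168.160.10 5000 netmask 255.255.255.255
!
! The translation alone admits nothing: traffic from security-level 0 to 100
! is denied by default, which is what the posted context was missing.
! On ASA 7.x the inbound ACL on the outside interface matches the mapped
! address (192.168.0.15), not the real one (192.168.160.10).
! Permit only the published services; everything else hits the implicit deny.
access-list A_outside_in extended permit tcp any host 192.168.0.15 eq www
access-list A_outside_in extended permit tcp any host 192.168.0.15 eq 8443
access-list A_outside_in extended permit udp any host 192.168.0.15 eq 5000
! Bind it to the context's own outside interface name, A_outside (not "outside"):
access-group A_outside_in in interface A_outside
!
! The posted context has no route statement, so replies to internet clients
! have no path back to the .16 modem (assumed gateway address):
route A_outside 0.0.0.0 0.0.0.0 192.168.0.16 1
!
! Checks after applying, from inside the FWA context:
! show xlate                      -> the static for 192.168.160.10 is present
! show access-list A_outside_in   -> hit counts increase as clients connect
```

A "global (A_outside)" statement is only needed for outbound PAT from the 160 VLAN; the inbound publishing works with the static plus the ACL and route.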
