Static Mapping Network Traffic - ASA 5510

Posted on 2006-10-23
Last Modified: 2007-12-19
Dear Experts,

I have a server outside the network that is used for accounting.
We connect directly to this network via an ISDN line and a simple IBM Router that is pushing all traffic from the inside interface destined for 10.x.1.9 via the IBM router, which is addressed within our Inside Interface as 10.8.1.1.

In this example I am not using the OUTSIDE Interface of my Cisco 5510 at all.

I just want my internal Accounting department to be able to get to their precious server located in someone else's house.

Here is my running config:

(NOTE:  I have a static route setup)

Route INSIDE 10.x.1.0 255.255.255.0 10.8.1.1 2

When I attempt a tracert to the network I don't get anywhere, but I can ping 10.8.1.1 (probably because the 10.8.1.1 router is connected directly to the same switch that my client is connected to, but the Cisco isn't letting packets get to the AS400 network for some reason).


HERE IS THE RUNNING CONFIG:  

asdm image disk0:/asdm505.bin
asdm location WTS1 255.255.255.255 inside
asdm location JRA-XSERVE1 255.255.255.255 inside
asdm location ATROPOS 255.255.255.255 inside
no asdm history enable
: Saved
:
ASA Version 7.0(5)
!
hostname ciscoasa
domain-name jrabbott.com
enable password 1q1dWhr/XLfzW0/Y encrypted
names
name 10.8.1.6 WTS1 description Citrix Server
name 10.8.1.20 ATROPOS description Database Server
name 10.8.1.8 JRA-XSERVE1 description MAIL SERVER
dns-guard
!
interface Ethernet0/0
 description ISP / Route
 nameif outside
 security-level 0
 ip address 208.x.x.100 255.255.255.248
!
interface Ethernet0/1
 description Network Traffic
 nameif inside
 security-level 100
 ip address 10.8.1.50 255.255.255.0
!
interface Ethernet0/2
 description Web Application Server / Front-End Exchange Server
 nameif Exchange
 security-level 50
 ip address 10.8.2.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone pst -8
same-security-traffic permit inter-interface
object-group service RDP tcp-udp
 description Remote Desktop (Terminal Services)
 port-object range 3389 3389
access-list INBOUND extended permit tcp any interface outside eq smtp
access-list INBOUND extended permit tcp any interface outside eq www
access-list INBOUND extended permit tcp any interface outside eq pop3
access-list INBOUND extended permit tcp any interface outside eq imap4
access-list INBOUND extended permit tcp any interface outside eq 993
access-list INBOUND extended permit tcp any interface outside eq 88
access-list INBOUND extended permit tcp any interface outside eq ldap
access-list INBOUND extended permit tcp any interface outside eq ldaps
access-list INBOUND extended permit tcp any interface outside eq 3389
access-list INBOUND extended permit tcp any interface outside eq 1604
access-list INBOUND extended permit tcp any interface outside eq citrix-ica
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit icmp any any unreachable
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Exchange 1500
mtu management 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface Exchange
monitor-interface management
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.8.1.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp JRA-XSERVE1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www JRA-XSERVE1 www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 JRA-XSERVE1 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 JRA-XSERVE1 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface 993 JRA-XSERVE1 993 netmask 255.255.255.255
static (inside,outside) tcp interface 88 JRA-XSERVE1 88 netmask 255.255.255.255
static (inside,outside) tcp interface ldap JRA-XSERVE1 ldap netmask 255.255.255.255
static (inside,outside) tcp interface ldaps JRA-XSERVE1 ldaps netmask 255.255.255.255
static (inside,outside) tcp interface 3389 ATROPOS 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1604 WTS1 1604 netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica WTS1 citrix-ica netmask 255.255.255.255
static (Exchange,outside) 208.x.x.99 10.8.2.10 netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 208.x.x.97 1
route inside 10.1.1.0 255.255.255.0 10.8.1.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcprelay server 10.8.1.10 outside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:0ab17d9c02c43045fb9b41d7901a3efa
: end

As an aside I am having trouble with my email through the IMAP clients as well - any thoughts about why that would be bad?
All ports are opened and configured; I can only think that maybe my local DNS needs to change, but I can't get mail to my clients, although they can send email out through the server.

Anyway, thanks to all of you.
Very helpful people.

Pete
Question by:peter_ophoven

Expert Comment by:Cyclops3590
firewall thing first,

let me get this straight, is this how your network is laid out


             Internet
                 |
                ASA
                 |
                LAN <-> Router -> AS400 network

And the ASA as the network gateway.  If this is how it is laid out then you cannot ever get to it.  The ASA is not a router, it's a security device.  A packet cannot go in and then out the same interface.  You'd either need to reconfigure the network to use another interface on the ASA and run the traffic through that, add a simple router to the network with the appropriate routes added to it, or configure the IBM router with everything and make that the gateway.

Expert Comment by:Cyclops3590
as for the imap issue, any log messages?  hard to help with so little information.  if you suspect dns, run
nslookup <fqdn of imap server>
and see if it resolves correctly. to ensure the port is open run
telnet <ip of imap server> 143
do you use ssl, etc.?  just need more information

Expert Comment by:scrathcyboy
Go into the Cisco setup and set up the AS400 IP domain as a DMZ on the Cisco.  Now the PCs that need to address this second IP domain can, simply by using the direct address --

xcopy C:\*.* \\10.x.1.9\AS400\user\dir\backup\ /s/e

and you substitute x for the real IP address you want to access; it must be a reachable IP for this to work.

Author Comment by:peter_ophoven
If the ASA is configured as the default gateway for my LAN and for my users on the network, can't I just specify that the IPs destined for that subnet are to be directed to that router?

This seems like a very simple request; I find it hard to believe that the device is incapable of handling this type of configuration.


Expert Comment by:Cyclops3590
you'd have to push out route adds for all of the clients.  Cisco does security differently and, like I mentioned before, the ASA is a security device, not a routing device.  thus you can't do this with a Cisco firewall

Author Comment by:peter_ophoven
But as you mentioned I could use a separate interface on the ASA.

Create an interface that specifically routes data from inside the LAN directly to the IBM Router.

INTERFACE ID:  ACCOUNTING
IP address:  10.8.1.1
Security would be 50

And then connect the IBM Router Ethernet directly to the interface port on the ASA.

I would have to give it a different IP address, since I cannot have the same IP subnet associated with a different interface than the INSIDE interface, which is already configured as 10.8.1.50.

I could reconfigure the IBM router to an id of 10.8.3.2 and then give this new interface 10.8.3.1 and then create a Static Route for all traffic destined for 10.x.x.0 to go through the ACCOUNTING Interface.

Would this work - or would the route be a "directly connected" static route?

          INTERNET
               |
               |
             ASA----IBM ROUTER --- AS400
               |
               |
             LAN
 

Expert Comment by:Cyclops3590
you'd need to make the static route on the ASA so that it knows where to find that network, otherwise it'll use the default route that is set up.  you're on the right track

the other part of the setup would be
static (inside,accounting) 10.8.2.0 10.8.2.0 netmask 255.255.255.0
static (accounting,inside) 10.8.3.0 10.8.3.0 netmask 255.255.255.0
clear xlate

those entries will ensure that translations can occur (although it's effectively a nonat between the two interfaces).  you don't need to add acls either, as the implicit rules will allow the traffic to pass.  the clear xlate just clears the translation table to ensure that there is no confusion with old translation mappings

Author Comment by:peter_ophoven
Based upon my running configuration - wouldn't it be:

Outside Interface = 208.xxx.xxx.100
Inside Interface = 10.8.1.50
DMZ / Exchange = 10.8.2.1
Accounting Interface = 10.8.3.1

static (inside,accounting) 10.8.1.0 10.8.1.0 netmask 255.255.255.0
static (accounting,inside) 10.8.3.0 10.8.3.0 netmask 255.255.255.0
!!! since my inside interface is 10.8.1.0 and my accounting interface is 10.8.3.0

!!!and then my static route (to tell the asa "don't send this traffic to the default route")
route inside 10.x.x.0 255.255.255.0 10.8.3.2 1 (metric 1)

assuming the IBM router IP is changed to 10.8.3.2
assuming the AS400 is 10.x.x.0 and available

Then my clients will be able to connect via this method?


Accepted Solution by:Cyclops3590 (earned 500 total points)
yup, sorry, I accidentally looked at the wrong interface when I grabbed the ip

the other thing though is
route inside 10.x.x.0 255.255.255.0 10.8.3.2 1
should be
route accounting 10.x.x.0 255.255.255.0 10.8.3.2 1

this is because it will find the next hop out the accounting interface.  your clients should then be able to communicate
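A small validator for the route and identity-static lines worked out in this thread, added here as an example (it is not the thread's or Cisco's code): it flags the wrong-interface route corrected in the accepted answer and the hairpin that the original `route inside ... 10.8.1.1` creates for LAN clients. The accounting interface (10.8.3.1/24), the IBM router at 10.8.3.2 and the constructed 10.99.1.0/24 standing in for the masked "10.x.x.0" AS400 network are assumptions; the outside address is a TEST-NET placeholder for the masked 208.x.x.100.

```python
import ipaddress

# Interface addresses from the posted running config. The outside address is masked
# on the page (208.x.x.100), so a TEST-NET placeholder stands in; the accounting
# interface is the one proposed in the thread, not part of the posted config.
INTERFACES = {
    "outside":    ipaddress.ip_interface("203.0.113.100/29"),  # placeholder
    "inside":     ipaddress.ip_interface("10.8.1.50/24"),
    "Exchange":   ipaddress.ip_interface("10.8.2.1/24"),
    "accounting": ipaddress.ip_interface("10.8.3.1/24"),       # proposed (assumed)
}

def interface_for(addr):
    """Name of the directly connected interface whose subnet holds addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, iface in INTERFACES.items():
        if ip in iface.network:
            return name
    return None

def check_route(iface, dest, mask, nexthop, ingress=None):
    """Check 'route <iface> <dest> <mask> <nexthop>'; return a list of problems.

    The named interface must be the one whose subnet contains the next hop (the
    correction made in the accepted answer). If `ingress` is given, a route whose
    egress equals the ingress interface is flagged as a hairpin.
    """
    problems = []
    ipaddress.ip_network(f"{dest}/{mask}", strict=False)  # raises on a bad prefix
    if iface not in INTERFACES:
        return [f"unknown interface {iface!r}"]
    connected = interface_for(nexthop)
    if connected != iface:
        hint = f"; it is on {connected!r}" if connected else ""
        problems.append(f"next hop {nexthop} is not on the {iface} subnet{hint}")
    if ingress is not None and ingress == iface:
        problems.append(f"hairpin: traffic from {ingress} would exit the same interface")
    return problems

def check_identity_static(src, dst, real, mapped, mask):
    """Check an identity 'static (src,dst) real mapped netmask mask' line."""
    problems = [f"unknown interface {n!r}" for n in (src, dst) if n not in INTERFACES]
    if real != mapped:
        problems.append("real and mapped addresses differ; not an identity translation")
    net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
    if src in INTERFACES and not net.subnet_of(INTERFACES[src].network):
        problems.append(f"{net} is not the network behind the {src} interface")
    return problems
```

Running `check_identity_static` against the two candidate static lines in the thread shows why the author's 10.8.1.0 version is the one that matches the inside interface.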

Author Comment by:peter_ophoven
You rock Cyclops.
I thought about the Accounting interface for my static route, and I was going to ask but I figured you would correct me.

Thanks.

I will try and let you know how it all goes.  Lots to do.
Little time in a production environment.

Pete