Solved

Replacing Checkpoint NG AI Firewall with Cisco ASA 5520

Posted on 2009-05-03
3
1,107 Views
Last Modified: 2013-11-16
Hi

Im trying to replace a checkpoint NG AI Firewall thats securing a web hosting farm with several internal web servers running about 25 web sites.. I wan to replace the Checkpoint with a Cisco ASA 5520, running OS 8. One of the key implementations on the checkpoint that I need to replicate is a port redirection thats in place for all the web sites.. Which maps from a public IP to an internal IP and a different host.. i.e.

On the checkpoint side in destination field there is

www.zzzz.com static NAT to Y public IP.
www.kkk.com static NAT to Q public IP.
www.hhh.com static NAT to K public IP.
And so on for all the web sites..

On the service field there is a custom built service which has a match i.e. under advanced that has this&

SRV_REDIRECT(80,192.168.2.6,82)  
SRV_REDIRECT(82,192.168.2.6,92)  
SRV_REDIRECT(100,192.168.2.2,101)  
SRV_REDIRECT(110,192.168.2.2,111)  
And so on for all the web sites, for both https and http..

I assumed its a simple case of doing a PAT, so on the ASA I setup a static NAT where I put in the public IP on the original source field and on the translated to section inside interface and inside IP and enable PAT and put in the source and destination ports as above.. I also added the usual allow any traffic from any where to the public IP on the outside interface Access list&

All this does not seem to work on the ASA, works fine on the Checkpoint, Im sure Ive got it totally wrong & Any idea ??

Thanks
www.zzzz.com static NAT to Y public IP. 
www.kkk.com static NAT to Q public IP.
www.hhh.com static NAT to K public IP.
 
SRV_REDIRECT(80,192.168.2.6,82)  
SRV_REDIRECT(82,192.168.2.6,92)  
SRV_REDIRECT(100,192.168.2.2,101)  
SRV_REDIRECT(110,192.168.2.2,111)

Open in new window

0
Comment
Question by:MPI-AP
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 24294106
You have the original and translated to backwards.
The original source is the internal 192.168.2.x ip address and the translated to is the public IP.
0
 

Author Comment

by:MPI-AP
ID: 24300681
Hi,

Isn't that the case when its an outgoing NAT i.e. inside host (192.168.2.x) accessing the internet, then we translate from the internal private IP to the external public IP.
What's going on here is the public Internet users are accessing the web sites that are hosted on the internal private IP range. But the users access it via the public IP, each public IP port 80 is mapped to a different port on an internal private IP, so its a sort of a NAT in reverse i.e. outside to inside... And thats the part thats does not work on the ASA.

Thanks

Regards  
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 24307179
That's correct. That is called "hairpinning" and is a real challenge with Cisco. The "best" solution is for internal users to just resolve to the private IP addresses using an internal DNS. The 2nd best solution is to use DNS doctoring with external dns server. Key is that the dns servers that the clients use absolutely  must be outside the firewall. Just append the "dns" keyword to the static xlate.
Example:
 static (inside,outside) tcp <public ip> 80 192.168.2.6 82 netmask 255.255.255.255 dns
 static (inside,outside) tcp <public ip> 82 192.168.2.6 92 netmask 255.255.255.255 dns
<etc>
0

Featured Post

Enroll in June's Course of the Month

June’s Course of the Month is now available! Experts Exchange’s Premium Members, Team Accounts, and Qualified Experts have access to a complimentary course each month as part of their membership—an extra way to sharpen your skills and increase training.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question