FlyingFortress
CISCO ASA 5510 - IP REDIRECT
I have a spare public IP for which I have set up a static NAT translation to a server on our inside network.
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq www
service-object tcp eq https
access-list inside_access_in extended permit ip any any
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group outside in interface outside
The connection is denied by the ASA. The logs are suggesting an IP Spoof.
2 Sep 10 2010 05:28:18 106016 Deny IP spoof from (99.20.99.150) to 222.111.2.25 on interface outside
It is saying the destination IP address is 0 ???....
oops wrong second command
no static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
should have read
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
sorry need coffee
Pete
www.petenetlive.com
remove this access-list:
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25
and give this:
access-list
oops.. sorry about that previous reply
remove this access-list:
no access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 222.111.2.25
and remove service-object ip from the object-group:
object-group service DM_INLINE_SERVICE_1
no service-object ip
and give this:
access-list outside permit extended permit tcp any host 222.111.2.25 object-group DM_INLINE_SERVICE_1
ASKER
Hi - Sorry please clarify command to remove the current access-list.
Thanks
ASKER
Ah sorry it's in the command...!
ASKER
I am having an invalid hostname response when adding
access-list outside permit extended permit tcp any host 222.111.2.25 object-group DM_INLINE_SERVICE_1
?
ASKER
Could this be a routing issue - I do not get ping responses from our external servers?
ok... object-group varies in different versions.. try this:
access-list outside permit extended permit tcp any host 222.111.2.25 eq 80
access-list outside permit extended permit tcp any host 222.111.2.25 eq 443
instead of the access-list with object group.. remove the earlier access-list and put in the above ones.
and this should be there:
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
ASKER
Sorry
access-list outside permit extended permit tcp any host 222.111.2.25 eq 80
comes back with a syntax error
ASKER
Invalid host - Is this because I do not have an 'access list outside'? I cannot see it in the running config..
oops.. my bad.. the command is:
access-list outside extended permit tcp any host 222.111.2.25 eq 80
access-list outside extended permit tcp any host 222.111.2.25 eq 443
sorry for that typo..
ASKER
No problem - it's usually me!
The commands were applied but still no connection....? I am testing from within the LAN so wondering if it is something to do with the access list outside or a general routing issue ......
Thanks FF
can you just paste in your current show run with the changes made.. just to verify if everything is in place..
ASKER
Sure
ASA Version 8.2(1)
!
hostname OVERWALL
domain-name default.domain.invalid
enable password L3jXBIU9.f/KXdjK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description Gateway
speed 10
duplex full
nameif outside
security-level 0
ip address 88.88.90.150 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 222.111.20.20
name-server 222.111.20.21
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP
description RDP 3389
service-object tcp eq 3389
access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
route outside 0.0.0.0 0.0.0.0 88.88.90.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.50.99 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.50.99 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password H1kZZCYIzbxYpUC2 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b428b107637e6ca9953e82055ea5a0e2
: end
ok... put these commands in:
access-group outside in interface outside
no static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
no static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255
this should work...
ASKER
Sorry still no joy - definitely no static?
yea.. since I can see static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255 already there in your config... you can go ahead and remove the other two..
so ideally you should only have:
access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
access-group outside in interface outside
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
for this to work.
interface Ethernet0/0
description Gateway
speed 10
duplex full
nameif outside
security-level 0
ip address 88.88.90.150 255.255.255.248
...
route outside 0.0.0.0 0.0.0.0 88.88.90.150 1
You should change the default route on the firewall not to point to the outside interface (88.88.90.150), but to the IP of the interface of the internet router connected to the outside interface.
shitz... I didn't notice that!! good one bjove!!! that is a point of concern...
ASKER
10-4 on the access list command ullas.
So the interface Ethernet0/0 is connected directly to the LES line router's Ethernet port.
On our previous eSoft firewall the ISP WAN settings were as follows:
Assign static IP - True
IP Address - 88.88.90.150
Subnet - 255.255.255.248
Gateway IP Address - 88.88.90.153
So I should point at the gateway IP....
route outside 0.0.0.0 0.0.0.0 88.88.90.153 1
(So you assumed that because the IP of the interface was also the route outside then it could not be the router ip?....)
Also does the 1 at the end of the statement assign the order for a failover?
Thanks
yea you're right, your route should be:
route outside 0.0.0.0 0.0.0.0 88.88.90.153 1
the 1 is the administrative distance for this route. Valid values range from 1 to 255. The default value is 1.
since it is static route it takes metric 1. directly connected network metric is 0 and various routing protocols have various metrics...
"So you assumed that because the IP of the interface was also the route outside then it could not be the router ip?....)"
- Yes.
"route outside 0.0.0.0 0.0.0.0 88.88.90.153 1"
- This is the proper default gateway. 1 is the route metric, so if you have more than one route for the same subnet, the ASA uses the one with the lowest metric (usually used together with dynamic routing).
ASKER
Understood.
Shame I did that.
Makes sense that the ASA regarded the internal request as a spoof now as it routed back on itself.
* Apart from the static NAT route the office clients did not have any major connectivity to the net - just a little surprised if I was not routing out through the router....
I connected the eSoft back before I left town tonight so will not be able to confirm the results till Monday.
Thanks
ASKER
Ok, when I cleansed the IP's on my config I duplicated the IP on the interface0/0. Sorry
So the route outside was correct....
route outside 0.0.0.0 0.0.0.0 88.88.90.153 1
The only clues I have are that the log is treating the inbound connection as a spoof and the server is failing to detect the proxy.
ASKER
For testing's sake I have just attempted to set up a static route through to a client terminal with RDP.
access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host 222.111.2.25 eq www
access-list outside extended permit tcp any host 222.111.2.25 eq https
access-list outside extended permit tcp any host 222.111.2.25 eq ftp
access-list outside extended permit tcp any host 222.111.2.25 eq 3389
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.50.96 netmask 255.255.255.255
This also failed and I have checked the inbound log and am getting the same message -
2 Sep 13 2010 08:34:24 106016 Deny IP spoof from (88.88.90.158) to 222.111.2.26 on interface outside
I also have the same message for the .25 address
Thanks
ASKER
Sorry this line also
access-list outside extended permit tcp any host 222.111.2.26 eq 3389 for the RDP
106016 Error Message %ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
Explanation This message is generated when a packet arrives at the adaptive security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the adaptive security appliance interface. In addition, this message is generated when the adaptive security appliance discarded a packet with an invalid source address, which may include one of the following or some other invalid address:
•Loopback network (127.0.0.0)
•Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
•The destination host (land.c)
To further enhance spoof packet detection, use the icmp command to configure the adaptive security appliance to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.
Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
ASKER
I have added a static IP address of my terminal on the LAN as this was the only way that I could access the CLI through my SSH client.
I am also sending the requests from the same terminal.
ssh 192.168.50.99 255.255.255.255 inside
Is the netmask the issue?
so are you trying to access 222.111.2.26 from 192.168.50.99?
ASKER
That is just where I am testing from, it's my terminal at work (and where I am connecting to the CLI). With the eSoft firewall the same service was set up but it would still connect from a client on the LAN as the request would formally route out through the gateway and then back in.
The server I am trying to connect to is a BOMGAR support server which has a web front end and the IP 2xx.xxx.x.25 is just not resolving through the ASA as documented.
Is there a fundamental flaw with the basic routing set up?
so I just tried http to that ip and I am able to get the portal. so it is accessible from the outside. so you should be able to access it on 192.168.50.5 from the inside. and if you are trying to access the server on its public ip from the inside then there is another set of commands you need to put in....
ASKER
Ah ok.
I can get to the IP from the LAN 192.168.50.5 no problem....
So additional commands are needed just for internal network to route out?
Cheers
I can get to the IP from the LAN 192.168.50.5 no problem....
So additional commands are needed just for internal network to route out?
Cheers
ok so this is what happens when you try to access 217.169.2.25 from the internal network....
you have this:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
so you're having source nat, so when you go to the internet your private ip will be changed to the interface ip ie. 88.88.90.150.
now when you access 2xx.xxx.x.25 the request goes to the internet with a source ip of 88.88.90.150 and when the internet routes it back to the firewall the firewall sees the source ip is 88.88.90.150 and it is the firewall's interface ip so it thinks that some attacker in the internet has spoofed the ip and is trying to compromise the server so it drops the packet. that is how a firewall is supposed to behave.
if you want your internal ip to access the server via its external ip then put in these commands.
static (inside,inside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
same-security-traffic permit intra-interface
ASKER
Hi I am getting -
mapped-address conflict with existing static
inside:192.168.51.5 to outside:2xx.xxx.x.25 netmask 255.255.255.255
it should not be a problem... its just a warning.. can you try accessing 2xx.xxx.x.25 from inside...
ASKER
Sure, unfortunately the same SPOOF msg.
hope you put this command too:
same-security-traffic permit intra-interface
can you attach the output of :
sh run static
ASKER
Yep and it is in the running config
static (inside,inside) tcp 222.111.2.25 www 192.168.51.5 www netmask 255.255.255.255
static (inside,outside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255
hope you were trying http...
ASKER
Yes and with https
no static (inside,inside) tcp 222.111.2.25 www 192.168.51.5 www netmask 255.255.255.255
static (inside,inside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
give in these two commands and try....
ASKER
Done, the second had a conflict error. unfortunately same error. Sorry
ASKER
Sorry - static (inside,inside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
Should that be (inside,inside) - Just thought i would check
yea it should be.. inside,outside is for traffic from the outside and inside,inside should be for traffic from inside.
ASKER
Ok thanks. So just to clarify, here are the statics
static (inside,outside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,outside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255
static (inside,inside) 222.111.2.25 192.168.51.5 netmask 255.255.255.255
static (inside,inside) 222.111.2.26 192.168.51.96 netmask 255.255.255.255
ASKER
Within the ASDM the anti-spoofing is set to 'no'
Should this be enabled for this command to be effective - (same-security-traffic permit intra-interface) ?
well.. last try... give in these commands...
access-list server_ext permit ip 192.168.50.0 255.255.255.0 host 2xx.xxx.x.25
nat (inside) 10 access-list server_ext
global (inside) 10 interface
and then try.... http on 2xx.xxx.x.25
ASKER
It worked!! Genius!
Do I remove the static entries?
So my understanding is that you created an access list (server_ext) and permitted the whole subnet through a host table (Like what you can do on your client pc) and then added it to the access list to the nat table. Or something like that...
ASKER
Ah no the statics are still required for sure
ASKER CERTIFIED SOLUTION
ASKER
Brilliant.
So I have added the additional static routes through the Firewall and then added the IP's to the access-list.
I take it you can have as many access lists as you wish?
So I will always have to add the following
Step 1.
access-list outside extended permit tcp any host (PUBLIC_IP) eq (PORT)
Step 2. (Static routes)
static (inside,outside) (PUBLIC_IP) (LAN_IP) netmask 255.255.255.255 (Routes outside to inside)
static (inside,inside) (PUBLIC_IP) (LAN_IP) netmask 255.255.255.255 (Routes inside to inside)
Step 3. (Source translation)
access-list server_ext extended permit ip (LAN SUBNET_IP) 255.255.255.0 host (PUBLIC_IP)
I have a general idea but please define what the commands here have done (The 10 was a little bit of a curve ball) -
nat (inside) 10 access-list server_ext
global (inside) 10 interface
Thanks v.Much
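As an added example (mine, not code from the thread or from Cisco), here is a small Python model of the packet flow ullas describes above and of the final command set the asker summarised as Steps 1-3: it shows why a LAN client's request to 222.111.2.25 comes back in on the outside interface sourced from 88.88.90.150 and is logged as 106016, and why the inside,inside static plus the policy NAT keeps that traffic on the inside interface. The decision logic is a simplification I assume, not the ASA's real code path; 203.0.113.7 is a constructed client address.

```python
from dataclasses import dataclass

# Addresses exactly as they appear (cleansed) in the thread.
OUTSIDE_IP = "88.88.90.150"     # ip address on Ethernet0/0 (nameif outside)
INSIDE_IP = "192.168.50.1"      # ip address on Ethernet0/1 (nameif inside)
PUBLIC_SERVER = "222.111.2.25"  # mapped (public) address of the server
LAN_SERVER = "192.168.50.5"     # real (LAN) address of the server
# Syslog format quoted in the thread from the Cisco message reference.
SPOOF_MSG = "%ASA-2-106016: Deny IP spoof from ({src}) to {dst} on interface {ifc}"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str  # interface the packet arrived on: "inside" or "outside"


@dataclass(frozen=True)
class AsaConfig:
    """Only the knobs the thread turned; each field maps to one config line."""
    outside_acl_ports: frozenset   # access-list outside extended permit tcp any host <pub> eq <port>
    outside_acl_applied: bool      # access-group outside in interface outside
    static_inside_outside: bool    # static (inside,outside) 222.111.2.25 192.168.50.5 netmask ...
    static_inside_inside: bool     # static (inside,inside) 222.111.2.25 192.168.50.5 netmask ...
    intra_interface: bool          # same-security-traffic permit intra-interface
    policy_nat_inside: bool        # nat (inside) 10 access-list server_ext + global (inside) 10 interface


def process(cfg, pkt):
    """Return (verdict, detail) for one packet entering the ASA. Simplified model."""
    # 1. Anti-spoof check: a packet sourced from one of the ASA's own interface
    #    addresses is dropped and logged as 106016, the message the asker kept seeing.
    if pkt.src in (OUTSIDE_IP, INSIDE_IP):
        return "deny", SPOOF_MSG.format(src=pkt.src, dst=pkt.dst, ifc=pkt.ingress)

    if pkt.ingress == "outside":
        # 2. Security level 0 -> 100 is denied unless an applied ACL permits the port.
        if not (cfg.outside_acl_applied and pkt.dport in cfg.outside_acl_ports):
            return "deny", "no applied ACL entry permits inbound tcp/%d" % pkt.dport
        if pkt.dst == PUBLIC_SERVER and cfg.static_inside_outside:
            return "forward", "inside <- %s -> %s:%d" % (pkt.src, LAN_SERVER, pkt.dport)
        return "deny", "no static translation for %s" % pkt.dst

    # 3. Inside client talking to the server's public IP: the hairpin (U-turn) case.
    if pkt.dst == PUBLIC_SERVER and cfg.static_inside_inside and cfg.intra_interface:
        if cfg.policy_nat_inside:
            # Destination untranslated to the LAN server, source rewritten to the
            # inside interface, so the server's reply returns through the ASA.
            return "forward", "inside <- %s -> %s:%d" % (INSIDE_IP, LAN_SERVER, pkt.dport)
        # Assumption (my explanation, not the thread's): without source translation
        # the server answers the client directly and the ASA never sees the reply.
        return "forward", "inside <- %s -> %s:%d (asymmetric, reply bypasses ASA)" % (
            pkt.src, LAN_SERVER, pkt.dport)

    # 4. Anything else follows the default route out, PAT'd to the outside address
    #    (nat (inside) 1 / global (outside) 1 interface).
    if pkt.dst != PUBLIC_SERVER:
        return "forward", "outside <- %s -> %s:%d" % (OUTSIDE_IP, pkt.dst, pkt.dport)
    # The ISP routes the public IP straight back to this ASA, which now sees its own
    # outside address as the source on the outside interface: step 1 fires.
    hairpinned = Packet(OUTSIDE_IP, pkt.dst, pkt.dport, "outside")
    return process(cfg, hairpinned)


# Config as it stood in the asker's "show run" (no access-group on outside yet).
ORIGINAL = AsaConfig(frozenset({80, 443}), outside_acl_applied=False,
                     static_inside_outside=True, static_inside_inside=False,
                     intra_interface=False, policy_nat_inside=False)
# Config after the commands that finally worked.
FINAL = AsaConfig(frozenset({80, 443}), outside_acl_applied=True,
                  static_inside_outside=True, static_inside_inside=True,
                  intra_interface=True, policy_nat_inside=True)

# Constructed sample packets: the asker's terminal and an arbitrary Internet client.
LAN_CLIENT = Packet("192.168.50.99", PUBLIC_SERVER, 80, "inside")
INTERNET_CLIENT = Packet("203.0.113.7", PUBLIC_SERVER, 443, "outside")  # documentation range


def run_scenarios():
    """Evaluate both sample flows against both configs; returns {name: (verdict, detail)}."""
    return {
        "original/lan": process(ORIGINAL, LAN_CLIENT),
        "original/internet": process(ORIGINAL, INTERNET_CLIENT),
        "final/lan": process(FINAL, LAN_CLIENT),
        "final/internet": process(FINAL, INTERNET_CLIENT),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in run_scenarios().items():
        print("%-18s %-7s %s" % (name, verdict, detail))
```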
ASKER
Excellent*
no static (inside,outside) tcp 222.111.2.25 www 192.168.50.5 www netmask 255.255.255.255
no static (inside,outside) tcp 222.111.2.25 https 192.168.50.5 https netmask 255.255.255.255
then do this
no static (inside,outside) 222.111.2.25 192.168.50.5 netmask 255.255.255.255
that should do you
Pete
www.petenetlive.com