Solved

Cisco ASA5505 NAT Rule and Reverse Proxy

Posted on 2010-09-10
19
3,433 Views
Last Modified: 2012-05-10
Wondering if someone can help me with the proper commands to run on an ASA5505 to create some NAT rules and a reverse proxy. I am still in the process of learning. Your help is very much appreciated.
Public IP          Local IP

75.149.66.202  =>  192.168.1.41 on Port# 5061 and 443

75.149.66.203  =>  192.168.1.42 on Port# 443

75.149.66.204  =>  192.168.1.43 on Port# 443



Reverse Proxy:

Public IP          Local IP

75.149.66.205  =>  192.168.1.40

Question by:obautista
19 Comments
 
LVL 4

Accepted Solution

by:
ullas_unni earned 400 total points
static (inside,outside) tcp 75.149.66.202 5061 192.168.1.41 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 443 192.168.1.41 443 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.203 443 192.168.1.42 443 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 443 192.168.1.43 443 netmask 255.255.255.255

Traffic to these ports on these public IPs should be allowed in the outside access-list in the in direction.

This should solve the NAT issue.

And I didn't get much about what you mean by reverse proxy... if you could elaborate it...!!??

Author Comment

by:obautista
I have attached my current running-config just to show my current configuration. Specifically, I just want to make sure the netmask you indicate will work in my environment. My outside subnet is 255.255.255.248. I am assuming the 255.255.255.255 is okay. My current running config shows how I have it set up and working today. Thanks for the clarification.

Regarding the reverse proxy: if I understand correctly, a reverse proxy on an ASA is just another NAT rule, correct? The gist of a reverse proxy is to just proxy inbound traffic (traffic from the outside to an internal IP or server), correct?

Basically, I am setting up a test Office Communications Server. The recommended way is to use ISA to handle the proxy, but I want to just do it on the ASA for the time being.
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.201 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa#

LVL 4

Assisted Solution

by:ullas_unni
ullas_unni earned 400 total points
OK... so about 255.255.255.255: it is a netmask and not a subnet mask... it just indicates it's a host IP and not a range or subnet... so that is correct.

About the proxy... I think what you need is another static... if my understanding is correct, you want outside users to access HTTP on 75.149.66.205 and it should convert to 192.168.1.40 internally.

If that is what you want, then it is:

static (inside,outside) 75.149.66.203 80 192.168.1.42 netmask 255.255.255.255

And now about the access list, you should have these entries:

access-list outside-access-in extended permit tcp any host 75.149.66.202 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.203 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq <port no> *

* You didn't mention the port it uses?




LVL 4

Assisted Solution

by:ullas_unni
ullas_unni earned 400 total points
Oops, that static is actually:

static (inside,outside) 75.149.66.205 80 192.168.1.40 netmask 255.255.255.255

Author Comment

by:obautista
Regarding the reverse proxy, did you mean:
static (inside,outside) 75.149.66.205 80 192.168.1.40 netmask 255.255.255.255

instead of:
static (inside,outside) 75.149.66.203 80 192.168.1.42 netmask 255.255.255.255

Why do you mention I need another static?
LVL 36

Assisted Solution

by:ArneLovius
ArneLovius earned 100 total points
Presuming a/ that your external interface name is "outside" and your internal one is "inside", and b/ that you want all hosts apart from the proxy to go out through the interface IP:

access-list nat-in-202-5061 extended permit tcp any host 192.168.1.41 eq 5061
access-list nat-in-202-443 extended permit tcp any host 192.168.1.41 eq 443
access-list nat-in-203-443 extended permit tcp any host 192.168.1.42 eq 443
access-list nat-in-204-443 extended permit tcp any host 192.168.1.43 eq 443

access-list acl-in extended permit tcp any host 75.149.66.202 eq 5061
access-list acl-in extended permit tcp any host 75.149.66.202 eq 443
access-list acl-in extended permit tcp any host 75.149.66.203 eq 443
access-list acl-in extended permit tcp any host 75.149.66.204 eq 443

access-list proxy-out extended permit ip 192.168.1.40 any

access-list outbound extended permit ip any any

global (outside) 1 interface
global (outside) 2 75.149.66.205


nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 2 access-list proxy-out

static (inside,outside) tcp 75.149.66.202 5061 access-list nat-in-202-5061
static (inside,outside) tcp 75.149.66.202 443 access-list nat-in-202-443
static (inside,outside) tcp 75.149.66.203 443 access-list nat-in-203-443
static (inside,outside) tcp 75.149.66.204 443 access-list nat-in-204-443

access-group outbound in interface inside
access-group acl-in in interface outside
LVL 4

Expert Comment

by:ullas_unni
Yup, that's right!!
LVL 36

Expert Comment

by:ArneLovius
After posting, I see that others have already commented...

What I understood by reverse proxy was that you want outbound traffic to appear on a specific address. On reading the extra that you have added, I think you might just want another static NAT...


Author Comment

by:obautista
ArneLovius, do the commands you posted do the exact same thing as the commands ullas_unni posted? Meaning, I can run either to get the same results.

Thanks again -

Author Comment

by:obautista
Sorry, last question - does this command need the "tcp" in front of the external IP:

static (inside,outside) 75.149.66.205 80 192.168.1.40 netmask 255.255.255.255

i.e.
static (inside,outside) tcp 75.149.66.205 80 192.168.1.40 netmask 255.255.255.255
LVL 4

Expert Comment

by:ullas_unni
Not necessary... but may I know what port it will be using?

Author Comment

by:obautista
Not sure on the port, but that is simply indicating the right port on these commands, right?

static (inside,outside) 75.149.66.205 <port> 192.168.1.40 <port> netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq <port>
LVL 4

Expert Comment

by:ullas_unni
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq <port no> *

* You didn't mention the port it uses?
LVL 4

Expert Comment

by:ullas_unni
OK, so this is how it works: if you have static (inside,outside) tcp ... then you need to mention the ports; otherwise, if you have static (inside,outside) without the tcp, then it takes all ports... basically IP...
So you can mention the port either on the access-list or on the static.

static (inside,outside) tcp 75.149.66.205  192.168.1.40  netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq  
LVL 4

Expert Comment

by:ullas_unni
Ignore the extra 3 <port> after the access-list... it was a typo.
LVL 36

Expert Comment

by:ArneLovius
Yes, it is functionally the same, but with a layer of abstraction, which can help make it clearer (or make it worse, depending on your view).
LVL 4

Expert Comment

by:ullas_unni
OK, if you know the ports, this should be it:
static (inside,outside) tcp 75.149.66.205 <port> 192.168.1.40 <port> netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq <port>

If you don't know the ports:
static (inside,outside) 75.149.66.205 192.168.1.40 netmask 255.255.255.255
access-list outside-access-in extended permit ip any host 75.149.66.205

Knowing the ports makes it more secure, since you only open the required ports and block communication on any other ports for that IP.
LVL 4

Assisted Solution

by:ullas_unni
ullas_unni earned 400 total points
So ideally, for your NAT issue, this should do the trick:

static (inside,outside) tcp 75.149.66.202 5061 192.168.1.41 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 443 192.168.1.41 443 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.203 443 192.168.1.42 443 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 443 192.168.1.43 443 netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.203 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 443

And for the Test Office Communications Server thing, this should be it:

static (inside,outside) 75.149.66.205 192.168.1.40 netmask 255.255.255.255
access-list outside-access-in extended permit ip any host 75.149.66.205

since you don't know the ports for it.
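The port-scoping point made in the last few answers, as an added example that is not part of this thread and not the experts' or Cisco's code: a small Python audit script that parses the pre-8.3 `static` and `access-list ... extended permit` syntax used above and reports, per translated public address, which ports the outside ACL actually lets through. The sample config is constructed to mirror the final suggestion for 75.149.66.202-.205; the extra 75.149.66.204 tcp/8080 static with no matching ACL line is made up here to show the "translated but blocked" case. Only the `any -> host/interface` ACE form used in this thread is recognised.

```python
"""Cross-check ASA 8.2-style static NAT entries against the outside ACL."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Well-known port names the ASA accepts in place of numbers (subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22, "ftp": 21}

# Constructed sample: the thread's final suggestion for .202-.205, plus one extra
# static (75.149.66.204 tcp/8080, made up here) that has no matching ACL permit.
SAMPLE_CONFIG = """
static (inside,outside) tcp 75.149.66.202 5061 192.168.1.41 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 443 192.168.1.41 443 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.203 443 192.168.1.42 443 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 443 192.168.1.43 443 netmask 255.255.255.255
static (inside,outside) 75.149.66.205 192.168.1.40 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 8080 192.168.1.43 8080 netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.203 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 443
access-list outside-access-in extended permit ip any host 75.149.66.205
access-list outside-access-in extended deny ip any any log
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<map_if>\w+)\)(?: (?P<proto>tcp|udp))?"
    r" (?P<pub>[\w.]+)(?: (?P<pport>\w+))? (?P<real>[\w.]+)(?: (?P<rport>\w+))?"
    r" netmask (?P<mask>[\d.]+)$"
)
# Only the "permit <proto> any host X [eq P]" / "any interface X" form is handled.
ACL_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit (?P<proto>tcp|udp|ip) any"
    r" (?:host (?P<dst>[\w.]+)|interface (?P<dst_if>\w+))(?: eq (?P<port>\w+))?"
    r"(?P<inactive> inactive)?$"
)


@dataclass(frozen=True)
class Static:
    public_ip: str             # "interface" when the outside interface address is used
    proto: Optional[str]       # "tcp"/"udp", or None for a whole-IP static
    public_port: Optional[int]
    real_ip: str
    real_port: Optional[int]


@dataclass(frozen=True)
class Permit:
    acl: str
    proto: str                 # "tcp"/"udp"/"ip"
    dst_ip: str
    port: Optional[int]        # None = any port


def port_num(tok: Optional[str]) -> Optional[int]:
    """Turn an ASA port token (number or well-known name) into an int; None = any."""
    if tok is None:
        return None
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown port token: {tok}")


def parse(config_text: str) -> tuple[list[Static], list[Permit]]:
    """Collect static translations and *active* ACL permits from config lines."""
    statics, permits = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(Static(m["pub"], m["proto"], port_num(m["pport"]),
                                  m["real"], port_num(m["rport"])))
        elif m := ACL_RE.match(line):
            if m["inactive"]:
                continue  # a disabled ACE permits nothing
            permits.append(Permit(m["acl"], m["proto"], m["dst"] or "interface",
                                  port_num(m["port"])))
    return statics, permits


def audit(config_text: str) -> list[dict]:
    """For each static, report which ports the outside ACL actually lets through."""
    statics, permits = parse(config_text)
    findings = []
    for s in statics:
        hits = [p for p in permits
                if p.dst_ip == s.public_ip
                and (p.proto == "ip" or s.proto is None or p.proto == s.proto)
                and (p.port is None or s.public_port is None or p.port == s.public_port)]
        entry = {"public_ip": s.public_ip, "real_ip": s.real_ip, "proto": s.proto or "ip"}
        if not hits:
            # Translation exists but the outside ACL never permits it: nothing reachable.
            entry.update(status="blocked", ports=set())
        elif s.public_port is None and any(p.port is None for p in hits):
            # Whole-IP static plus a port-less permit: every service listening on the
            # real host is reachable, not only the one the admin had in mind.
            entry.update(status="open-all", ports="all")
        else:
            ports = {s.public_port} if s.public_port is not None else {p.port for p in hits}
            entry.update(status="open", ports=ports)
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['public_ip']:<15} -> {f['real_ip']:<15} {f['proto']:<4} "
              f"{f['status']:<9} {f['ports']}")
```

Run it as-is and it prints one line per static. The whole-IP static for 75.149.66.205 paired with `permit ip any host` comes out as open-all, which is exactly the trade-off ullas_unni describes: every service listening on 192.168.1.40 becomes reachable from the outside, not just the OCS ports, so pin the ports down once they are known. The script only checks the ACL side; on 8.2 a packet for a public address with no matching static is dropped by the firewall regardless, so an ACL permit without a static exposes nothing, and a static without a permit (the 8080 case) is likewise unreachable.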

Author Closing Comment

by:obautista
Thanks a lot.