ASA 5510

kingshuksinha
Dear all,
Scenario is: (user traffic from outside) internet---->router-->(20x.xx.xxx.27) ASA5510 7.(2), ASDM ver 5.2----->DMZ. In the DMZ 3 servers are present with different IP addresses; the series is 172.16.16.50 to 172.16.16.59. Our webserver is 172.16.16.52, hosting different services like www, 8080, 21, 5080, and I am able to access each service from outside using the IP 20x.xx.xxx.27. It's a free IP address from the ISP. But my question is that I have other servers like 172.16.16.55, 172.16.16.56, 172.16.16.59, each hosting other services, and I am unable to access these services from 20x.xx.xxx.27.
With one single public IP address I want to access all the servers present in the DMZ using ASDM 5.2 or CLI. But right now if I static NAT, it's overlapping. Please provide me a solution. It's very urgent.

With one public IP, only one server and one service can be NATted on a firewall. Suppose one webserver is using port 80 and one SMTP server is using port 25; then we can NAT both these servers on the public IP address. But if there are two webservers using port 80 then you will need two public IP addresses to host them on a public network. For resolution of your issue, kindly post your firewall configuration.
What you want to do sounds achievable. It would be good to see your current NAT rule to identify the problem. If you are using a 1 to 1 NAT, you will need to remove this and set up separate PATs for each of the services on the existing NAT that are in use. Then you can add different PATs for each of the new services.

Depending on whether the servers initiate connections, you will need to set up a dynamic NAT for the outbound traffic as well.

I suspect you may have the following.

static (DMZ,outside) 20x.xx.xxx.27 172.16.16.52 netmask 255.255.255.255

Try changing this to

static (DMZ,outside) tcp 20x.xx.xxx.27 80 172.16.16.52 80 netmask 255.255.255.255
static (DMZ,outside) tcp 20x.xx.xxx.27 21 172.16.16.52 21 netmask 255.255.255.255
static (DMZ,outside) tcp 20x.xx.xxx.27 8080 172.16.16.52 8080 netmask 255.255.255.255
static (DMZ,outside) tcp 20x.xx.xxx.27 5080 172.16.16.52 5080 netmask 255.255.255.255

Then you should be able to add the PATs for the other services. The IP 20x.xx.xxx.27 may be replaced with the interface keyword.

Author

Commented:
Dear InteraX,
Please check the config. Whatever you said is working. What I need is: from the 20x.xx.xxx.27 IP I want to access other servers present in the DMZ, i.e., 172.16.16.55 hosting different services, as well as 172.16.16.52. How to do this? Is it possible or not? If yes, then how?

warm regards
king


AGNI# sh run
: Saved
:
ASA Version 7.2(1)
!
hostname AGNI
domain-name default.domain.invalid
enable password 7RXhoo7jvAq1B7f7 encrypted
names
dns-guard
!
interface Ethernet0/0
 description Connected to WAN
 nameif outside
 security-level 0
 ip address 202.xx.xxx.30 255.255.255.248
!
interface Ethernet0/1
 nameif
 security-level
 ip address
!
interface Ethernet0/2
 description Connected to DMZ
 nameif dmz
 security-level 50
 ip address 172.xx.xx.47 255.255.0.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 7RXhoo7jvAq1B7f7 encrypted
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service bugzilla tcp
 port-object range 8080 8080
object-group service MySQL tcp
 port-object range 3306 3306
object-group service VideoConference tcp
 description Aparoksha
 port-object range 5080 5080
 port-object range 8080 8080
 port-object range 1935 1935
object-group service OTRS tcp
 description CoOptions Open Source Ticketing Server
 port-object range 1935 1935
 port-object range 5080 5080
access-list nonat extended permit ip host 172.16.16.52 any

access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq ftp
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq ftp-data
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq www
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 range 8080 8081
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq 5080
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq 1935
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.29 object-group VideoConference
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq chargen
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.28 object-group VideoConference
access-list outside_access-in extended permit tcp any host 202.xx.xxx.29 eq www
access-list outside_access_in extended permit tcp any host 202.xx.xxx.29 eq ftp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host 172.16.16.52 host 192.168.100.9 object-group MySQL
logging enable
logging trap informational
logging asdm informational
logging facility 22
logging message 103012 level alerts
mtu outside 1500
mtu Inside 1500
mtu dmz 1500
ip verify reverse-path interface outside
asdm image disk0:/asdm521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 172.16.0.0 255.255.0.0
alias (dmz) 172.xx.xx.53 202..xx.xx..29 255.255.255.255
static (dmz,outside) 202.xx.xxx.27 172.xx.xx.52 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.29 172.xx.xx.55 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.28 172..xx.xx..56 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
access-group Inside_access_in in interface Inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 202.63.102.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
http server enable
http 172..xx.xx..52 255.255.255.255 dmz parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
tftp-server dmz 172.16.16.52 C:\CiscoKits\TFTPServer
webvpn
prompt hostname context
Cryptochecksum:48bb22ca3f666410c78be5eb39169d41
: end
AGNI#
These are 1 to 1 NATs.

static (dmz,outside) 202.xx.xxx.27 172.xx.xx.52 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.29 172.xx.xx.55 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.28 172..xx.xx..56 netmask 255.255.255.255

What you need to do is use PAT.

What ports on what servers do you need to publish?
Do you own .29 & .28?

Author

Commented:
Dear InteraX,

Sir, can we do it like this?

static (dmz,outside) 202.xx.xxx.27 172.xx.xx.52 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.27 172.xx.xx.55 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.27 172..xx.xx..56 netmask 255.255.255.255

Sir, all I want is that 172.16.16.52, 55 and 56 should be accessible using one public IP, i.e., 202.xx.xxx.27.

How to do PAT?

What ports on what servers do you need to publish?
We own .29 & .28, but due to video conferencing & others.
If you want to have services on 52, 55 and 56 accessible on 202.xx.xxx.27, you need to remove the existing NAT config and add some PAT rules for each port that services are run on.

The following will remove the NAT config for 202.xx.xxx.27 and set up PAT for the existing services you mentioned above.

no static (DMZ,outside) 20x.xx.xxx.27 172.16.16.52 netmask 255.255.255.255
static (DMZ,outside) tcp 20x.xx.xxx.27 80 172.16.16.52 80 netmask 255.255.255.255
static (DMZ,outside) tcp 20x.xx.xxx.27 21 172.16.16.52 21 netmask 255.255.255.255
static (DMZ,outside) tcp 20x.xx.xxx.27 8080 172.16.16.52 8080 netmask 255.255.255.255
static (DMZ,outside) tcp 20x.xx.xxx.27 5080 172.16.16.52 5080 netmask 255.255.255.255

Before you can add the other servers as PAT on 202.xx.xxx.27 you will need to remove the NAT on 202.xx.xxx.29 & 202.xx.xxx.28. I don't know what this will do to existing services on these servers without knowing what ports you want to appear on which IP.
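
The two answers from InteraX above (the first per-port `static` recipe and this one) and the first expert's remark that one public IP can carry a given port only once are all instances of one rule: a 1:1 `static` claims every port of the mapped IP, while a port `static` (PAT) claims one protocol/port, so several DMZ hosts can share one public IP as long as no two of them need the same port. The script below is an added example, not code from the thread or from Cisco: it parses ASA 7.x `static` lines, reports which of them overlap (the "overlapping" error the asker hit when stacking three 1:1 statics on one IP), rewrites a 1:1 static into the per-port form, and builds a single-IP publishing plan that refuses a second server on an already-claimed port. The public address 203.0.113.27 is a constructed stand-in for the redacted 202.xx.xxx.27, and the per-server service lists are constructed from the ports mentioned in the thread.

```python
"""Model ASA 7.x 'static' translations: detect overlaps and plan port-level PAT.

Added example (not Cisco code, not from the thread). 203.0.113.27 is a
documentation-range stand-in for the redacted public IP 202.xx.xxx.27.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the well-known port names ASA accepts in place of numbers.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None means a 1:1 (all-ports) static
    mapped_ip: str
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]

    @property
    def one_to_one(self) -> bool:
        return self.proto is None

    def cli(self) -> str:
        head = f"static ({self.real_if},{self.mapped_if})"
        if self.one_to_one:
            return f"{head} {self.mapped_ip} {self.real_ip} netmask 255.255.255.255"
        return (f"{head} {self.proto} {self.mapped_ip} {self.mapped_port} "
                f"{self.real_ip} {self.real_port} netmask 255.255.255.255")


def port_number(tok: str) -> int:
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown port {tok!r}")


def parse_static(line: str) -> Static:
    """Parse 'static (real,mapped) [tcp|udp] MAPPED [PORT] REAL [PORT] netmask M'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "static" or not tokens[1].startswith("("):
        raise ValueError(f"not a static: {line!r}")
    real_if, mapped_if = tokens[1].strip("()").split(",")
    rest = tokens[2:]
    proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
    if "netmask" not in rest:
        raise ValueError(f"missing netmask: {line!r}")
    addr = rest[:rest.index("netmask")]
    if proto is None and len(addr) == 2:
        return Static(real_if, mapped_if, None, addr[0], None, addr[1], None)
    if proto is not None and len(addr) == 4:
        return Static(real_if, mapped_if, proto, addr[0], port_number(addr[1]),
                      addr[2], port_number(addr[3]))
    raise ValueError(f"malformed static: {line!r}")


def overlaps(a: Static, b: Static) -> bool:
    """Two statics collide when they claim the same mapped IP and port space."""
    if (a.mapped_if, a.mapped_ip) != (b.mapped_if, b.mapped_ip):
        return False
    if a.one_to_one or b.one_to_one:
        return True                      # a 1:1 static owns every port of the IP
    return (a.proto, a.mapped_port) == (b.proto, b.mapped_port)


def find_overlaps(lines: List[str]) -> List[Tuple[str, str]]:
    statics = [parse_static(ln) for ln in lines]
    return [(x.cli(), y.cli()) for i, x in enumerate(statics)
            for y in statics[i + 1:] if overlaps(x, y)]


def split_to_pat(one_to_one_line: str, services: List[Tuple[str, int]]) -> List[str]:
    """Replace a 1:1 static by one port static per published service."""
    s = parse_static(one_to_one_line)
    if not s.one_to_one:
        raise ValueError("expected a 1:1 static")
    out = ["no " + s.cli()]
    for proto, port in services:
        out.append(Static(s.real_if, s.mapped_if, proto, s.mapped_ip, port,
                          s.real_ip, port).cli())
    return out


def publish_on_one_ip(real_if: str, mapped_if: str, mapped_ip: str,
                      servers: Dict[str, List[Tuple[str, int]]]):
    """Build port statics for several real hosts behind one mapped IP.

    Returns (cli_lines, collisions); a collision is (proto, port), first owner,
    refused host, i.e. a second server wanting an already-claimed port.
    """
    claimed: Dict[Tuple[str, int], str] = {}
    lines, collisions = [], []
    for real_ip, services in servers.items():
        for proto, port in services:
            if (proto, port) in claimed:
                collisions.append(((proto, port), claimed[(proto, port)], real_ip))
                continue
            claimed[(proto, port)] = real_ip
            lines.append(Static(real_if, mapped_if, proto, mapped_ip, port,
                                real_ip, port).cli())
    return lines, collisions


# Constructed input: the three stacked 1:1 statics the asker proposed.
ASKED_CONFIG = [
    "static (dmz,outside) 203.0.113.27 172.16.16.52 netmask 255.255.255.255",
    "static (dmz,outside) 203.0.113.27 172.16.16.55 netmask 255.255.255.255",
    "static (dmz,outside) 203.0.113.27 172.16.16.56 netmask 255.255.255.255",
]
# Constructed service lists built from the ports named in the thread.
SERVERS = {
    "172.16.16.52": [("tcp", 80), ("tcp", 21), ("tcp", 8080), ("tcp", 5080)],
    "172.16.16.55": [("tcp", 1935)],
    "172.16.16.56": [("tcp", 80)],       # second web server: cannot share tcp/80
}

if __name__ == "__main__":
    for a, b in find_overlaps(ASKED_CONFIG):
        print("OVERLAP:", a, "<->", b)
    plan, refused = publish_on_one_ip("dmz", "outside", "203.0.113.27", SERVERS)
    print("\n".join(plan))
    for key, owner, loser in refused:
        print(f"REFUSED {key} for {loser}: already mapped to {owner}")
```

Running it prints three overlap pairs for the stacked 1:1 statics, five port statics that publish 172.16.16.52 and 172.16.16.55 on the one public IP, and one refusal: tcp/80 for 172.16.16.56, because 172.16.16.52 already owns that port on 203.0.113.27. That refusal is the case where a second public IP (or a different mapped port on the same IP) is the only way out.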

Author

Commented:
Dear InteraX,

Thanks a lot for all your inputs... Appreciate your answers...
Actually I was in doubt whether to add PAT or not because in the ACL it is already mentioned...
Later, according to you, I changed it & it's working fine....

If you don't mind I have one more doubt....
Take for example I have 202.xx.xxx.29 & 28 public IPs with different services hosted on 172.16.16.55 & 59 in the DMZ.
Can we redirect the traffic to 202.xx.xxx.27? According to me it's not possible, isn't it, because the services are hosted on 202.xx.xxx.55 & 59 & not on 172.16.16.52.

Warm regards
king

Author

Commented:
According to me, InteraX has the capability to understand the magnitude of the problem & can solve it very beautifully.

Thanks a lot InteraX again & again.... But there are a few more doubts which I am going to ask you soon.
