kingshuksinha
asked on
ASA 5510
Dear all,
Scenario is: (user traffic from outside) internet---->router-->(20x.xx.xxx.27) ASA 5510 7.2, ASDM ver 5.2----->DMZ. In the DMZ 3 servers are present with different IP addresses; the series is 172.16.16.50 to 172.16.16.59. Our webserver is 172.16.16.52, hosting different services like www, 8080, 21, 5080, and I am able to access each service from outside using the IP 20x.xx.xxx.27 (it's a free IP address from the ISP). But my question is: I am having other servers like 172.16.16.55, 172.16.16.56, 172.16.16.59, each hosting other services, and I am unable to access these services from 20x.xx.xxx.27.
With one single public IP address I want to access all the servers present in the DMZ using ASDM 5.2 or CLI, but right now if I static NAT it's overlapping. Please provide me a solution; it's very urgent.
With one public IP, only one server and one service can be NATted on a firewall. Suppose one webserver is using port 80 and one SMTP server is using port 25; then we can NAT both these servers on the public IP address. But if there are two webservers using port 80, then you will need two public IP addresses to host them on a public network. For resolution of your issue, kindly post your firewall configuration.
What you want to do sounds achievable. It would be good to see your current NAT rule to identify the problem. If you are using a 1-to-1 NAT, you will need to remove this and set up separate PATs for each of the services on the existing NAT that are in use. Then you can add different PATs for each of the new services.
Depending on whether the servers are initiating connections, you will need to set up a dynamic NAT for the outbound traffic as well.
I suspect you may have the following.
static (DMZ,outside) 20x.xx.xxx.27 172.16.16.52 netmask 255.255.255.255
Try changing this to
static (DMZ,outside) tcp 20x.xx.xxx.27 80 172.16.16.52 80 netmask 255.255.255.255
static (DMZ,outside) tcp 20x.xx.xxx.27 21 172.16.16.52 21 netmask 255.255.255.255
static (DMZ,outside) tcp 20x.xx.xxx.27 8080 172.16.16.52 8080 netmask 255.255.255.255
static (DMZ,outside) tcp 20x.xx.xxx.27 5080 172.16.16.52 5080 netmask 255.255.255.255
Then you should be able to add the PATs for the other services. The IP 20x.xx.xxx.27 may be replaced with the interface keyword.
ASKER
Dear Interax,
Please check the config. Whatever you said is working. What I need is: from the 20x.xx.xxx.27 IP I want to access other servers present in the DMZ, i.e., 172.16.16.55 hosting different services, as well as 172.16.16.52. How to do this? Whether it is possible or not? If yes, then how?
warm regards
king
AGNI# sh run
: Saved
:
ASA Version 7.2(1)
!
hostname AGNI
domain-name default.domain.invalid
enable password 7RXhoo7jvAq1B7f7 encrypted
names
dns-guard
!
interface Ethernet0/0
description Connected to WAN
nameif outside
security-level 0
ip address 202.xx.xxx.30 255.255.255.248
!
interface Ethernet0/1
nameif
security-level
ip address
!
interface Ethernet0/2
description Connected to DMZ
nameif dmz
security-level 50
ip address 172.xx.xx.47 255.255.0.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd 7RXhoo7jvAq1B7f7 encrypted
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service bugzilla tcp
port-object range 8080 8080
object-group service MySQL tcp
port-object range 3306 3306
object-group service VideoConference tcp
description Aparoksha
port-object range 5080 5080
port-object range 8080 8080
port-object range 1935 1935
object-group service OTRS tcp
description CoOptions Open Source Ticketing Server
port-object range 1935 1935
port-object range 5080 5080
access-list nonat extended permit ip host 172.16.16.52 any
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq ftp
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq ftp-data
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq www
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 range 8080 8081
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq 5080
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq 1935
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.29 object-group VideoConference
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.27 eq chargen
access-list outside_access_in_1 extended permit tcp any host 202.xx.xxx.28 object-group VideoConference
access-list outside_access-in extended permit tcp any host 202.xx.xxx.29 eq www
access-list outside_access_in extended permit tcp any host 202.xx.xxx.29 eq ftp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host 172.16.16.52 host 192.168.100.9 object-group MySQL
logging enable
logging trap informational
logging asdm informational
logging facility 22
logging message 103012 level alerts
mtu outside 1500
mtu Inside 1500
mtu dmz 1500
ip verify reverse-path interface outside
asdm image disk0:/asdm521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 172.16.0.0 255.255.0.0
alias (dmz) 172.xx.xx.53 202..xx.xx..29 255.255.255.255
static (dmz,outside) 202.xx.xxx.27 172.xx.xx.52 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.29 172.xx.xx.55 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.28 172..xx.xx..56 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
access-group Inside_access_in in interface Inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 202.63.102.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
http server enable
http 172..xx.xx..52 255.255.255.255 dmz parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
tftp-server dmz 172.16.16.52 C:\CiscoKits\TFTPServer
webvpn
prompt hostname context
Cryptochecksum:48bb22ca3f666410c78be5eb39169d41
: end
AGNI#
These are 1-to-1 NATs.
static (dmz,outside) 202.xx.xxx.27 172.xx.xx.52 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.29 172.xx.xx.55 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.28 172..xx.xx..56 netmask 255.255.255.255
What you need to do is use PAT.
What ports on what servers do you need to publish?
Do you own .29 & .28?
ASKER
Dear InteraX,
Sir, can we do it like this?
static (dmz,outside) 202.xx.xxx.27 172.xx.xx.52 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.27 172.xx.xx.55 netmask 255.255.255.255
static (dmz,outside) 202.xx.xxx.27 172..xx.xx..56 netmask 255.255.255.255
Sir, all I want is that 172.16.16.52, .55, .56 should be accessible using one public IP, i.e., 202.xx.xxx.27.
How to do PAT?
What ports on what servers do you need to publish?
We own .29 & .28 but due to video conferencing & others.
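The overlap the asker is running into (three 1-to-1 statics sharing one public address) and the per-port statics InteraX recommended earlier can be checked offline before anything is typed into the firewall. The following Python script is an added example, not code from the thread, from InteraX or from Cisco: it parses ASA 7.x `static` lines, reports translations that collide on a shared public address, and generates the port-level statics that avoid the collision. The sample lines are constructed: 203.0.113.27 (a documentation-range address) stands in for the masked 202.xx.xxx.27, the DMZ hosts and ports are the ones named in the thread, and which port belongs to which host is an assumption.

```python
"""Offline checker for ASA 7.x 'static' statements (added example, not from the thread).

Constructed sample data: 203.0.113.27 stands in for the masked 202.xx.xxx.27;
172.16.16.52/.55/.56 and the ports are the thread's own, but the port-to-host
assignment is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# static (real_if,mapped_if) [tcp|udp] <mapped_ip|interface> [mport] <real_ip> [rport] netmask <mask>
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+"          # (real_if,mapped_if)
    r"(?:(tcp|udp)\s+)?"                      # protocol present => port-level static (PAT)
    r"(\d+\.\d+\.\d+\.\d+|interface)\s+"      # mapped (public) address
    r"(?:(\d+)\s+)?"                          # mapped port (PAT only)
    r"(\d+\.\d+\.\d+\.\d+)\s+"                # real (DMZ) address
    r"(?:(\d+)\s+)?"                          # real port (PAT only)
    r"netmask\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None => whole-address (1-to-1) translation
    mapped_ip: str
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]

    @property
    def is_pat(self) -> bool:
        return self.proto is not None


def parse_statics(config: str) -> List[Static]:
    """Extract every 'static' line from a running-config excerpt."""
    statics = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("static "):
            continue
        m = STATIC_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised static statement: {line}")
        rif, mif, proto, mip, mport, rip, rport, _mask = m.groups()
        has_ports = mport is not None and rport is not None
        if (proto is not None) != has_ports:
            raise ValueError(f"protocol and both ports must appear together: {line}")
        statics.append(Static(rif, mif, proto, mip,
                              int(mport) if mport else None,
                              rip, int(rport) if rport else None))
    return statics


def check_overlaps(statics: List[Static]) -> List[str]:
    """One message per conflict on a shared mapped address; empty list means clean.

    Note: 'interface' and the interface's literal address are not unified here.
    """
    problems: List[str] = []
    by_mapped: Dict[Tuple[str, str], List[Static]] = {}
    for s in statics:
        by_mapped.setdefault((s.mapped_if, s.mapped_ip), []).append(s)
    for (_mif, mip), group in sorted(by_mapped.items()):
        one_to_one = [s for s in group if not s.is_pat]
        pats = [s for s in group if s.is_pat]
        hosts = sorted({s.real_ip for s in one_to_one})
        if len(hosts) > 1:
            problems.append(f"{mip}: mapped 1-to-1 to {len(hosts)} hosts ({', '.join(hosts)}); "
                            "a whole public address can belong to only one host")
        elif one_to_one and pats:
            problems.append(f"{mip}: 1-to-1 static for {hosts[0]} overlaps the port statics; "
                            "remove it and publish that host's ports individually")
        seen: Dict[Tuple[str, int], str] = {}
        for s in pats:
            key = (s.proto, s.mapped_port)
            if key in seen and seen[key] != s.real_ip:
                problems.append(f"{mip}: {s.proto}/{s.mapped_port} already goes to {seen[key]}, "
                                f"cannot also go to {s.real_ip}")
            seen.setdefault(key, s.real_ip)
    return problems


def render_port_statics(real_if: str, mapped_if: str, mapped_ip: str,
                        services: Dict[str, List[Tuple[str, int]]]) -> List[str]:
    """Emit one port-level static per (host, proto, port); a public port may be used once."""
    lines, taken = [], {}
    for real_ip, ports in services.items():
        for proto, port in ports:
            if (proto, port) in taken:
                raise ValueError(f"{proto}/{port} on {mapped_ip} already used by {taken[(proto, port)]}")
            taken[(proto, port)] = real_ip
            lines.append(f"static ({real_if},{mapped_if}) {proto} {mapped_ip} {port} "
                         f"{real_ip} {port} netmask 255.255.255.255")
    return lines


# Constructed: the three 1-to-1 statics proposed in the thread, on one public address.
PROPOSED = """
static (dmz,outside) 203.0.113.27 172.16.16.52 netmask 255.255.255.255
static (dmz,outside) 203.0.113.27 172.16.16.55 netmask 255.255.255.255
static (dmz,outside) 203.0.113.27 172.16.16.56 netmask 255.255.255.255
"""

# Constructed: assumed port-to-host assignment using ports the thread mentions.
SERVICES = {
    "172.16.16.52": [("tcp", 80), ("tcp", 21), ("tcp", 8080), ("tcp", 5080)],
    "172.16.16.55": [("tcp", 1935)],
    "172.16.16.56": [("tcp", 8081)],
}

if __name__ == "__main__":
    for msg in check_overlaps(parse_statics(PROPOSED)):
        print("CONFLICT:", msg)
    fixed = render_port_statics("dmz", "outside", "203.0.113.27", SERVICES)
    print("\n".join(fixed))
    print("conflicts after fix:", check_overlaps(parse_statics("\n".join(fixed))))
```

Run as-is, the script prints one CONFLICT line for the proposed configuration and a clean result for the generated port statics. The generated lines only cover the translation; each published port still needs a matching permit in the ACL applied to the outside interface (`outside_access_in_1` in the posted config), and the same public port cannot be handed to two hosts, which is why two webservers on port 80 still need two public addresses.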
ASKER CERTIFIED SOLUTION
ASKER
Dear InteraX,
Thanks a lot for all your inputs... Appreciate your answers...
Actually I was in doubt whether to add PAT or not because in the ACL it is already mentioned...
Later, according to you, I changed it & it's working fine....
If you don't mind I have one more doubt....
Take for example I have 202.xx.xxx.29 & .28 public IPs with different services hosted on 172.16.16.55 & .59 in the DMZ.
Can we redirect the traffic to 202.xx.xxx.27? According to me it's not possible, isn't it, because the services are hosted on 202.xx.xxx.55 & 59 & not in 172.16.16.52.
Warm regards
king
ASKER
According to me InteraX has the capability to understand the magnitude of the problem & can solve it very beautifully.
Thanks a lot InteraX, again & again.... But there are a few more doubts which I am going to ask you soon.