Solved

Looking for best way to access internal web server through Cisco ASA5505 without dedicated public IP

Posted on 2010-11-14
Last Modified: 2012-05-10
We have a Moodle website using Windows on a server in our network. We want to give access to users working from home with the least amount of end user configuration/intervention. We use a Cisco ASA5505 for firewall/vpn access.

We have created routes to other websites/servers within the LAN through the firewall for some apps using public IPs, but we've used up the pool and are looking for other ways to route traffic to this web app without provisioning more public IPs.

We're looking for suggestions.
Question by:Shannon Mollenhauer
6 Comments
 

Accepted Solution

by:
ShareefHuddle earned 125 total points
You can use PAT to point protocols to each IP and then change the port number for your Moodle website.

Expert Comment

by:Pugglewuggle
What I would suggest doing is overloading some of those services with PAT, as Shareef said. However, it might be most effective to use the IPs of some servers where you aren't using the port that Moodle uses. For example, you can direct different ports to different servers using the same public IP. Here is the Cisco article describing how to do this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Cheers!

Assisted Solution

by:Shannon Mollenhauer
Shannon Mollenhauer earned 0 total points
I'm trying the PAT concept. I have my Moodle server configured to listen on port 85 and that works when I access the site from a PC on the LAN by pointing my browser to lms.mmiofil.com:85.

However, when I try to access using an external PC using 75.150.244.106:85 I can't get through ("webpage cannot be displayed").

I set up the following commands on the ASA similar to a set of commands previously used to redirect port 84 to another webserver on the LAN:

name 192.168.10.90 lms description Moodle Server
access-list outside_in extended permit tcp any interface outside eq 85
static (inside,outside) tcp interface 85 lms www netmask 255.255.255.255

Could this be failing because of something on the web server or in my Active Directory domain's DNS?

Expert Comment

by:Pugglewuggle
Can you give me the whole config and the IPs/ports of the servers that need to be accessed?

Author Comment

by:Shannon Mollenhauer
I've clipped a few items, but this is most of the ASA running config.

We are trying to access a couple of different internal web servers using ports 84 and 85. The port 84 redirect to 192.168.10.60 (aka "wto-in") already works; it was set up before I came on board. The new one, 192.168.10.90 (aka lms), is the one I want redirected on port 85.

The inbound public IP we're trying to redirect is 75.150.244.106. What is supposed to happen is simply redirecting requests for 75.150.244.106:85 to internal 192.168.10.90:85.

Internally, I can use the IP 192.168.10.90:85 or the name lms.mmi.local:85 or lms.mmiofil.com:85 or lms.mmiintranet.com:85 to reach the site. I have DNS entries for all of them in AD's DNS.
: Saved
:
ASA Version 8.0(4) 
!
hostname mmi-asa
domain-name mmi.local
names
name 192.168.10.13 exchange-in
name 75.150.244.108 exchange-out
name 63.252.237.187 web-out-T1
name 63.252.237.188 advocate-out-T1
name 63.252.237.189 exchange-out-T1
name 75.150.244.107 advocate-out
name 192.168.10.156 advocate-in
name 192.168.10.12 web-in
name 192.168.10.60 wto-in
name 64.18.0.0 Postini-Servers
name 192.168.10.61 Xbackup-in
name 75.150.244.109 Xbackup-out
name 192.168.10.50 wordpress-in
name 75.150.244.105 wordpress-out
name 192.168.10.90 lms description Moodle Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.201.2 255.255.255.252 
 ospf cost 10
!
interface Vlan2
 backup interface Vlan3
 nameif outside
 security-level 0
 ip address 75.150.244.106 255.255.255.248 
 ospf cost 10
!
interface Vlan3
 nameif backup
 security-level 0
 ip address 63.252.237.186 255.255.255.248 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.87.72.130
 name-server 68.87.77.130
 domain-name mmi.local
object-group service 3X tcp
 port-object eq 444
 port-object eq 5543
 port-object eq ssh
object-group service LMS85 tcp
 description Access to Moodle server on port 85
 port-object eq 85
access-list inside_in extended permit ip any any 
access-list outside_in extended permit icmp any any 
access-list outside_in extended permit tcp any interface outside eq www 
access-list outside_in extended permit tcp any interface outside eq 84 
access-list outside_in remark Moodle access
access-list outside_in extended permit tcp any interface outside eq 85 
access-list outside_in extended permit tcp host 173.9.221.230 host exchange-out eq smtp 
access-list outside_in extended permit tcp Postini-Servers 255.255.240.0 host exchange-out eq smtp 
access-list outside_in extended permit tcp any host exchange-out eq https 
access-list outside_in extended permit tcp any host exchange-out eq www 
access-list outside_in extended permit tcp any host advocate-out eq ssh 
access-list outside_in extended permit tcp any host advocate-out eq https 
access-list outside_in extended permit tcp any host Xbackup-out object-group 3X 
access-list outside_in extended permit tcp any host wordpress-out eq www 
access-list s2s-reno extended permit ip 192.168.100.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list s2s-reno extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list nonat extended permit ip any 192.168.200.0 255.255.255.192 
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.11.0 255.255.255.0 
access-list split standard permit 192.168.10.0 255.255.255.0 
access-list split standard permit 192.168.11.0 255.255.255.0 
access-list split standard permit 192.168.1.0 255.255.255.0 
access-list split standard permit 192.168.100.0 255.255.255.0 
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.11.0 255.255.255.0 
access-list backup_in extended permit tcp Postini-Servers 255.255.240.0 host 63.252.237.186 eq smtp 
access-list backup_in extended permit tcp any host 63.252.237.186 eq https 
access-list backup_in extended permit tcp any host 63.252.237.186 eq www 
access-list backup_in extended permit icmp any any 
access-list backup_in extended permit tcp any host web-out-T1 eq www 
access-list backup_in extended permit tcp any host advocate-out-T1 eq ssh 
access-list backup_in extended permit tcp any host advocate-out-T1 eq https 
access-list backup_in extended permit tcp Postini-Servers 255.255.240.0 host exchange-out-T1 eq smtp 
access-list backup_in extended permit tcp any host exchange-out-T1 eq https 
access-list backup_in extended permit tcp any host exchange-out-T1 eq www 
access-list backup_in extended permit tcp any host web-out-T1 eq 84 
access-list outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list outside_cryptomap_4 extended permit ip 192.168.10.0 255.255.255.0 host 192.168.11.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
ip local pool vpnpool 192.168.200.1-192.168.200.62 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www web-in www netmask 255.255.255.255 
static (inside,outside) tcp interface 84 wto-in www netmask 255.255.255.255 
static (inside,outside) tcp interface 85 lms www netmask 255.255.255.255 
static (inside,backup) tcp web-out-T1 www web-in www netmask 255.255.255.255 
static (inside,backup) tcp web-out-T1 84 wto-in www netmask 255.255.255.255 
static (inside,backup) tcp web-out-T1 85 lms www netmask 255.255.255.255 
static (inside,outside) tcp wordpress-out www wordpress-in www netmask 255.255.255.255 
static (inside,outside) tcp Xbackup-out www Xbackup-in www netmask 255.255.255.255 
static (outside,inside) exchange-in exchange-out netmask 255.255.255.255 
static (backup,inside) exchange-in exchange-out-T1 netmask 255.255.255.255 
static (inside,outside) exchange-out exchange-in netmask 255.255.255.255 
static (inside,outside) advocate-out advocate-in netmask 255.255.255.255 
static (inside,backup) advocate-out-T1 advocate-in netmask 255.255.255.255 
static (inside,backup) exchange-out-T1 exchange-in netmask 255.255.255.255 
access-group inside_in in interface inside
access-group outside_in in interface outside
access-group backup_in in interface backup
route outside 0.0.0.0 0.0.0.0 75.150.244.110 1 track 1
route backup 0.0.0.0 0.0.0.0 63.252.237.185 254
route outside 192.168.1.0 255.255.255.0 98.214.69.4 1
route inside 192.168.10.0 255.255.255.0 192.168.201.1 1
route outside 192.168.11.0 255.255.255.0 71.94.19.13 1
route inside 192.168.100.0 255.255.255.0 192.168.201.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.201.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 12.106.104.19 255.255.255.255 outside
http 12.106.104.19 255.255.255.255 backup
http 173.9.221.230 255.255.255.255 backup
http 173.9.221.230 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 68.85.176.62 interface outside
 num-packets 3
 frequency 30
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer 98.214.69.4 
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set pfs 
crypto map outside_map 3 set peer 75.140.36.246 
crypto map outside_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 ESP
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy MMIVPN internal
group-policy MMIVPN attributes
 wins-server value 192.168.10.10 192.168.10.11
 dns-server value 192.168.10.10 192.168.10.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value mmi.local
tunnel-group 75.140.36.246 type ipsec-l2l
tunnel-group 75.140.36.246 ipsec-attributes
 pre-shared-key *
tunnel-group 71.94.1.162 type ipsec-l2l
tunnel-group 71.94.1.162 ipsec-attributes
 pre-shared-key *
tunnel-group MMIVPN type remote-access
tunnel-group MMIVPN general-attributes
 address-pool vpnpool
 default-group-policy MMIVPN
tunnel-group MMIVPN ipsec-attributes
 pre-shared-key *
tunnel-group 71.94.30.221 type ipsec-l2l
tunnel-group 71.94.30.221 ipsec-attributes
 pre-shared-key *
tunnel-group 71.80.215.156 type ipsec-l2l
tunnel-group 71.80.215.156 ipsec-attributes
 pre-shared-key *
tunnel-group 98.214.69.4 type ipsec-l2l
tunnel-group 98.214.69.4 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:ac8f991b25402e50cc7e6cf43e097743
: end


Author Closing Comment

by:Shannon Mollenhauer
I changed the port the Apache/Moodle server was listening on back to 80, and the redirects work fine. I guess the redirect of port 85 is not needed on the receiving web server; it just has to be seen by the ASA, which decides that the HTTP traffic goes to a different IP.
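The thread turns on the argument order of the pre-8.3 `static` command: in `static (inside,outside) tcp interface 85 lms www`, the last port (`www`, i.e. 80) is the port the inside server must actually listen on, which is why the forward only started working once Apache went back to 80. Here is an added example (my own, not the author's posted config and not Cisco's documentation) that covers both Pugglewuggle's suggestion above (one public IP, different ports to different servers) and the author's closing observation, with the two working variants side by side and the commands used to check them. It reuses the names and addresses from the running config above; the client address 198.51.100.10 is a constructed test source, and the `no static` line assumes the option-1 entry is currently present. Two caveats: this syntax is for ASA 8.0 through 8.2, since 8.3 replaced it with object NAT and made inbound ACLs match the real (inside) address instead of the mapped one; and `permit tcp any interface outside eq 85` publishes the Moodle login page to the whole Internet over plain HTTP, whereas the MMIVPN remote-access group already on this box would let home users reach lms.mmi.local without exposing it at all.

```cisco
! Added example, not from the original thread: ASA 8.0(4) static PAT that shares
! the outside interface address among several inside web servers by TCP port.
! Names and addresses reuse the posted config; 198.51.100.10 is a made-up client.
!
! Form: static (real_ifc,mapped_ifc) tcp <mapped_ip> <mapped_port> <real_ip> <real_port> netmask 255.255.255.255
! The LAST port is what the inside server listens on. The ACL is written against
! the MAPPED side (interface outside, port 85) on pre-8.3 code.
!
! Existing, working forward: outside:84 -> wto-in:80
static (inside,outside) tcp interface 84 wto-in www netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq 84
!
! --- Option 1: Apache on lms listens on 80 (what the author ended up doing) ---
! outside:85 -> lms:80
static (inside,outside) tcp interface 85 lms www netmask 255.255.255.255
access-list outside_in remark Moodle access
access-list outside_in extended permit tcp any interface outside eq 85
!
! --- Option 2: Apache on lms keeps listening on 85 ---
! Say so on the real (inside) side of the translation. Remove the option-1 entry
! first: the ASA rejects a second static that reuses the same mapped address/port.
no static (inside,outside) tcp interface 85 lms www netmask 255.255.255.255
static (inside,outside) tcp interface 85 lms 85 netmask 255.255.255.255
! The ACL is unchanged: it matches the mapped port, which is 85 either way.
!
! The backup (T1) path has the same mapping, so it needs the same decision.
! Option 1 form (server on 80) is shown; for option 2 replace "www" with "85".
static (inside,backup) tcp web-out-T1 85 lms www netmask 255.255.255.255
access-list backup_in extended permit tcp any host web-out-T1 eq 85
!
! --- Checks ---
! 1. Walk a simulated inbound packet through NAT and ACL phases; the output
!    shows the translated destination, which must be the port Apache uses.
packet-tracer input outside tcp 198.51.100.10 40000 75.150.244.106 85 detailed
!
! 2. Confirm the static translation exists. The PAT entry prints the
!    global (outside) and local (inside) port pair; the local port should be
!    the one Apache listens on.
show xlate debug
!
! 3. While a browser hits http://75.150.244.106:85/, look for the connection
!    being built toward the Moodle server.
show conn address 192.168.10.90
!
! 4. If it still fails, read the deny reason from syslog: 106023 is an ACL
!    deny, 305005 means no matching translation was found.
show logging | include 106023
show logging | include 305005
```

Run `packet-tracer` first: if its NAT phase shows the destination rewritten to 192.168.10.90/80 while Apache listens on 85, the ASA is doing exactly what the `static` line says and the fix is on the ASA, not in Active Directory DNS. Internal names such as lms.mmiofil.com:85 resolve via AD DNS to the private address and never touch the translation, so they tell you nothing about the outside path.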