Solved

Looking for best way to access internal web server through Cisco ASA5505 without dedicated public IP

Posted on 2010-11-14
871 Views
Last Modified: 2012-05-10
We have a Moodle website using Windows on a server in our network. We want to give access to users working from home with the least amount of end user configuration/intervention. We use a Cisco ASA5505 for firewall/vpn access.

We have created routes to other websites/servers within the LAN through the firewall for some apps using public IPs, but we've used up the pool and are looking for other ways to route traffic to this web app without provisioning more public IPs.

We're looking for suggestions.
Question by: Shannon Mollenhauer
6 Comments
 
LVL 8

Accepted Solution

by: ShareefHuddle (earned 500 total points)
ID: 34133557
You can use PAT to point protocols to each IP and then change the port number for your Moodle website.
 
LVL 12

Expert Comment

by: Pugglewuggle
ID: 34146189
What I would suggest doing is overloading some of those services with PAT, as Shareef said... however, it might be most effective to use the IPs of some servers where you aren't using the port that Moodle uses. For example, you can direct different ports to different servers using the same public IP. Here is the Cisco article describing how to do this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Cheers!
 

Assisted Solution

by: Shannon Mollenhauer (earned 0 total points)
ID: 34158113
I'm trying the PAT concept. I have my Moodle server configured to listen on port 85 and that works when I access the site from a PC on the LAN by pointing my browser to lms.mmiofil.com:85.

However, when I try to access using an external PC using 75.150.244.106:85 I can't get through ("webpage cannot be displayed").

I set up the following commands on the ASA similar to a set of commands previously used to redirect port 84 to another webserver on the LAN:

name 192.168.10.90 lms description Moodle Server
access-list outside_in extended permit tcp any interface outside eq 85
static (inside,outside) tcp interface 85 lms www netmask 255.255.255.255

Could this be failing because of something on the web server or in my Active Directory domain's DNS?
LVL 12

Expert Comment

by: Pugglewuggle
ID: 34158970
Can you give me the whole config and the IPs/ports of the servers that need to be accessed?
 

Author Comment

by: Shannon Mollenhauer
ID: 34159478
I've clipped a few items, but this is most of the ASA running config.

We are trying to access a couple of different internal web servers using ports 84 and 85. The port 84 redirect to 192.168.10.60 (aka "wto-in") already works; it was set up before I came on board. The new one, 192.168.10.90 (aka lms), is the one I want redirected on port 85.

The inbound public IP we're trying to redirect is 75.150.244.106. What is supposed to happen is simply redirecting requests for 75.150.244.106:85 to internal 192.168.10.90:85.

Internally, I can use the IP 192.168.10.90:85 or the name lms.mmi.local:85 or lms.mmiofil.com:85 or lms.mmiintranet.com:85 to reach the site. I have DNS entries for all of them in AD's DNS.
: Saved
:
ASA Version 8.0(4) 
!
hostname mmi-asa
domain-name mmi.local
names
name 192.168.10.13 exchange-in
name 75.150.244.108 exchange-out
name 63.252.237.187 web-out-T1
name 63.252.237.188 advocate-out-T1
name 63.252.237.189 exchange-out-T1
name 75.150.244.107 advocate-out
name 192.168.10.156 advocate-in
name 192.168.10.12 web-in
name 192.168.10.60 wto-in
name 64.18.0.0 Postini-Servers
name 192.168.10.61 Xbackup-in
name 75.150.244.109 Xbackup-out
name 192.168.10.50 wordpress-in
name 75.150.244.105 wordpress-out
name 192.168.10.90 lms description Moodle Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.201.2 255.255.255.252 
 ospf cost 10
!
interface Vlan2
 backup interface Vlan3
 nameif outside
 security-level 0
 ip address 75.150.244.106 255.255.255.248 
 ospf cost 10
!
interface Vlan3
 nameif backup
 security-level 0
 ip address 63.252.237.186 255.255.255.248 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.87.72.130
 name-server 68.87.77.130
 domain-name mmi.local
object-group service 3X tcp
 port-object eq 444
 port-object eq 5543
 port-object eq ssh
object-group service LMS85 tcp
 description Access to Moodle server on port 85
 port-object eq 85
access-list inside_in extended permit ip any any 
access-list outside_in extended permit icmp any any 
access-list outside_in extended permit tcp any interface outside eq www 
access-list outside_in extended permit tcp any interface outside eq 84 
access-list outside_in remark Moodle access
access-list outside_in extended permit tcp any interface outside eq 85 
access-list outside_in extended permit tcp host 173.9.221.230 host exchange-out eq smtp 
access-list outside_in extended permit tcp Postini-Servers 255.255.240.0 host exchange-out eq smtp 
access-list outside_in extended permit tcp any host exchange-out eq https 
access-list outside_in extended permit tcp any host exchange-out eq www 
access-list outside_in extended permit tcp any host advocate-out eq ssh 
access-list outside_in extended permit tcp any host advocate-out eq https 
access-list outside_in extended permit tcp any host Xbackup-out object-group 3X 
access-list outside_in extended permit tcp any host wordpress-out eq www 
access-list s2s-reno extended permit ip 192.168.100.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list s2s-reno extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list nonat extended permit ip any 192.168.200.0 255.255.255.192 
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.11.0 255.255.255.0 
access-list split standard permit 192.168.10.0 255.255.255.0 
access-list split standard permit 192.168.11.0 255.255.255.0 
access-list split standard permit 192.168.1.0 255.255.255.0 
access-list split standard permit 192.168.100.0 255.255.255.0 
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.11.0 255.255.255.0 
access-list backup_in extended permit tcp Postini-Servers 255.255.240.0 host 63.252.237.186 eq smtp 
access-list backup_in extended permit tcp any host 63.252.237.186 eq https 
access-list backup_in extended permit tcp any host 63.252.237.186 eq www 
access-list backup_in extended permit icmp any any 
access-list backup_in extended permit tcp any host web-out-T1 eq www 
access-list backup_in extended permit tcp any host advocate-out-T1 eq ssh 
access-list backup_in extended permit tcp any host advocate-out-T1 eq https 
access-list backup_in extended permit tcp Postini-Servers 255.255.240.0 host exchange-out-T1 eq smtp 
access-list backup_in extended permit tcp any host exchange-out-T1 eq https 
access-list backup_in extended permit tcp any host exchange-out-T1 eq www 
access-list backup_in extended permit tcp any host web-out-T1 eq 84 
access-list outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list outside_cryptomap_4 extended permit ip 192.168.10.0 255.255.255.0 host 192.168.11.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
ip local pool vpnpool 192.168.200.1-192.168.200.62 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www web-in www netmask 255.255.255.255 
static (inside,outside) tcp interface 84 wto-in www netmask 255.255.255.255 
static (inside,outside) tcp interface 85 lms www netmask 255.255.255.255 
static (inside,backup) tcp web-out-T1 www web-in www netmask 255.255.255.255 
static (inside,backup) tcp web-out-T1 84 wto-in www netmask 255.255.255.255 
static (inside,backup) tcp web-out-T1 85 lms www netmask 255.255.255.255 
static (inside,outside) tcp wordpress-out www wordpress-in www netmask 255.255.255.255 
static (inside,outside) tcp Xbackup-out www Xbackup-in www netmask 255.255.255.255 
static (outside,inside) exchange-in exchange-out netmask 255.255.255.255 
static (backup,inside) exchange-in exchange-out-T1 netmask 255.255.255.255 
static (inside,outside) exchange-out exchange-in netmask 255.255.255.255 
static (inside,outside) advocate-out advocate-in netmask 255.255.255.255 
static (inside,backup) advocate-out-T1 advocate-in netmask 255.255.255.255 
static (inside,backup) exchange-out-T1 exchange-in netmask 255.255.255.255 
access-group inside_in in interface inside
access-group outside_in in interface outside
access-group backup_in in interface backup
route outside 0.0.0.0 0.0.0.0 75.150.244.110 1 track 1
route backup 0.0.0.0 0.0.0.0 63.252.237.185 254
route outside 192.168.1.0 255.255.255.0 98.214.69.4 1
route inside 192.168.10.0 255.255.255.0 192.168.201.1 1
route outside 192.168.11.0 255.255.255.0 71.94.19.13 1
route inside 192.168.100.0 255.255.255.0 192.168.201.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.201.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 12.106.104.19 255.255.255.255 outside
http 12.106.104.19 255.255.255.255 backup
http 173.9.221.230 255.255.255.255 backup
http 173.9.221.230 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 68.85.176.62 interface outside
 num-packets 3
 frequency 30
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer 98.214.69.4 
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set pfs 
crypto map outside_map 3 set peer 75.140.36.246 
crypto map outside_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 ESP
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy MMIVPN internal
group-policy MMIVPN attributes
 wins-server value 192.168.10.10 192.168.10.11
 dns-server value 192.168.10.10 192.168.10.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value mmi.local
tunnel-group 75.140.36.246 type ipsec-l2l
tunnel-group 75.140.36.246 ipsec-attributes
 pre-shared-key *
tunnel-group 71.94.1.162 type ipsec-l2l
tunnel-group 71.94.1.162 ipsec-attributes
 pre-shared-key *
tunnel-group MMIVPN type remote-access
tunnel-group MMIVPN general-attributes
 address-pool vpnpool
 default-group-policy MMIVPN
tunnel-group MMIVPN ipsec-attributes
 pre-shared-key *
tunnel-group 71.94.30.221 type ipsec-l2l
tunnel-group 71.94.30.221 ipsec-attributes
 pre-shared-key *
tunnel-group 71.80.215.156 type ipsec-l2l
tunnel-group 71.80.215.156 ipsec-attributes
 pre-shared-key *
tunnel-group 98.214.69.4 type ipsec-l2l
tunnel-group 98.214.69.4 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:ac8f991b25402e50cc7e6cf43e097743
: end

 

Author Closing Comment

by: Shannon Mollenhauer
ID: 34194956
I changed the port the Apache/Moodle server was listening on back to 80 and the redirects work fine. I guess the redirect of port 85 is not needed on the receiving web server; it just has to be seen by the ASA to decide that the HTTP traffic goes to a different IP.
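The closing comment points at the actual cause: `static (inside,outside) tcp interface 85 lms www` sends outside port 85 to port 80 (www) on lms, not to port 85, so a server listening on 85 never sees the traffic. The script below is an added example, not code from the thread or from Cisco: it parses the `name` and tcp `static` lines from a constructed excerpt of the posted config and flags any redirect whose inside port differs from the port the server is assumed (constructed here) to be listening on.

```python
import re

# Constructed excerpt of the ASA 8.0(4) running config posted in the thread.
ASA_CONFIG = """\
name 192.168.10.12 web-in
name 192.168.10.60 wto-in
name 192.168.10.90 lms description Moodle Server
static (inside,outside) tcp interface www web-in www netmask 255.255.255.255
static (inside,outside) tcp interface 84 wto-in www netmask 255.255.255.255
static (inside,outside) tcp interface 85 lms www netmask 255.255.255.255
"""

# Service keywords the ASA accepts in place of numeric ports (subset).
WELL_KNOWN = {"www": 80, "https": 443, "ssh": 22, "smtp": 25}

STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")

def port_number(token):
    """Turn 'www' or '85' into an integer port."""
    return WELL_KNOWN[token] if token in WELL_KNOWN else int(token)

def parse_redirects(config):
    """Map (mapped_host, mapped_port) -> (real_ip, real_port) for every
    tcp static, resolving 'name' aliases to the IPs they stand for."""
    names, redirects = {}, {}
    for line in config.splitlines():
        if line.startswith("name "):
            parts = line.split()
            names[parts[2]] = parts[1]          # alias -> IP
        m = STATIC_RE.match(line)
        if m:
            _, _, mapped_host, mapped_port, real_host, real_port = m.groups()
            real_ip = names.get(real_host, real_host)
            redirects[(mapped_host, port_number(mapped_port))] = (
                real_ip, port_number(real_port))
    return redirects

def mismatches(redirects, listening):
    """Return redirects whose inside (real) port differs from the port the
    server actually listens on; `listening` maps real_ip -> port."""
    return [(mapped, real) for mapped, real in redirects.items()
            if real[0] in listening and listening[real[0]] != real[1]]

if __name__ == "__main__":
    # Constructed scenario: Moodle moved to 85 while the static still maps outside:85 to lms:80.
    for mapped, real in mismatches(parse_redirects(ASA_CONFIG),
                                   {"192.168.10.90": 85}):
        print("%s:%d -> %s:%d, but the server listens on 85" % (mapped + real))
```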