Solved

Cisco ASA 5505 External IP Address Pass Through

Posted on 2011-03-07
30
2,065 Views
Last Modified: 2012-05-11
Hi, How do I configure the ASA to pass through an unused external IP address we have to an internal address?
0
Comment
Question by:radiosupport
  • 14
  • 9
  • 7
30 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35057755
Hi,

you need to configure a pat:

http://www.petenetlive.com/KB/Article/0000316.htm

If you don't want to configure DMZ you able to make the static nat to inside address also!

Best regards,
Istvan
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35057842
If you want to link the public address 1 to 1 to one address on the inside you can set up a static and determine which ports are allowed through by means of an access list.
If you want to forward ports to different internal addresses, you can use PAT (a static command with the specific port defined) in combination with an access list.
The exact way you configure it depends on the version of the software. As of 8.3 there are some major changes in the way that is set up.
0
 

Author Comment

by:radiosupport
ID: 35058245
Thanks running 8.0(3)..

I want to allow an external IP address to be passed through to a device already on our network. That is to say that I cant physically plug it into a DMZ interface.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35058358
Well basically you need to set up a static:

static (inside,outside) public_address private_address netmask 255.255.255.255

And allow ports to get through (for example smtp):

Access-list outside permit tcp any host public_address
access-group outside in interface outside

That should do it.
0
 

Author Comment

by:radiosupport
ID: 35058371
Thank you. Is there a way to just pass all traffic through? (all ports)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35058375
Oops, typo:

Should be:
Access-list outside permit tcp any host public_address eq 25

Also I assumed your interfaces are called inside and outside.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35058420
Ehr, why do that?

I mean, what's the use of putting it behind a firewall and then opening up everything.

Not to mention the security risks. this machine is on your inside network. Opening everything up makes it very easy to compromise and the server will share all of his knowledge of your network with anyone who asks (bcause all ports are open).

I don't think that's a good idea. As a matter of fact I think that is a very BAD idea. The least you need to do then is put it in a DMZ (but you said you couldn't :-~ )
0
 

Author Comment

by:radiosupport
ID: 35058517
Hi,

Because another router/firewall will be on the end of it! Basically we're part of an MPLS network here. With this site being the gateway. I want to assign an external IP address to a router at another site..
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35058534
Ok, in that case I didn't say anything ;)

Then make an access list like this:
Access-list outside permit ip any host public_address
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35058651
please show the whole config, and we put the commands, that you need...
0
 

Author Comment

by:radiosupport
ID: 35058666
Where would i see Access-list outside permit ip any host public_address  in the ASDM?

It's taken the command OK, I just can't see it anywhere!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35059558
Should be somewhere in: configuration->firewall->access rules
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35059566
did you also isuue the: access-group outside in interface outside ?
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35059639
0
 

Author Comment

by:radiosupport
ID: 35059680
OK, this is working now somewhat.. if I view the public IP address in a web browser, I get the web interface of the local device. So that's working.

If i try and VNC to it for example, it doesn't work. In the access list, i've set allow IP, as recommended above
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35059793
if you set IP address it needs to be work...
did you "clear xlate" after that you configured static nat?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35059799
Do you happen to have an access list on the inside? Or is the other firewall blocking ports?
0
 

Author Comment

by:radiosupport
ID: 35060166
OK, another update.. it seems to work without any access list entries setup for it. (http that is)

Am I doing something wrong? if so, which part of the config would you need to see?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35060174
Well,a more or less complete sanitized config would be nice :)
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35060194
without passwords....
0
 

Author Comment

by:radiosupport
ID: 35060335
Here you go.. the line with, THIS LINE is the IP in question..

------------------ show running-config ------------------

: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name officedomain.local
enable password <removed>
names
name 10.9.62.1 server1
name 10.9.62.87 server2
name 10.92.183.0 siteb
name 10.9.64.0 Remoteaccess
name 10.9.62.244 codec
name 10.9.63.0 sitec
name 192.168.0.0 sited
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 10.9.62.3 255.255.255.0
 ospf cost 10
!
interface Vlan2
 description Outside
 nameif outside
 security-level 50
 ip address X.X.X.X 255.255.255.248
 ospf cost 10
!
interface Vlan3
 description WAP
 no forward interface Vlan1
 nameif WAP
 security-level 50
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd <removed>
boot system disk0:/asa803-k8.bin
no ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup WAP
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name officedomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
 port-object eq lotusnotes
 port-object eq ftp
 port-object eq ftp-data
 port-object eq 5900
 port-object eq 21552
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq www
 service-object udp eq www
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service codec tcp
 description codec
 port-object range 50011 50046
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit object-group DM_INLINE_SERVICE_1 any any
access-list acl_out extended permit tcp any any object-group DM_INLINE_TCP_1
access-list acl_out extended permit tcp any any eq 8099
access-list acl_out remark server2
access-list acl_out extended permit tcp any any eq 2222
access-list acl_out remark server2
access-list acl_out extended permit tcp any any eq 8100
access-list acl_out remark codec
access-list acl_out extended permit tcp any any eq 52000
access-list acl_out remark codec
access-list acl_out extended permit tcp any any eq 52001
access-list acl_out extended permit tcp any any eq 8000 inactive
access-list acl_out extended deny ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list OriginalSol_splitTunnelAcl remark London
access-list OriginalSol_splitTunnelAcl standard permit sited 255.255.255.0
access-list OriginalSol_splitTunnelAcl remark siteb
access-list OriginalSol_splitTunnelAcl standard permit sitec 255.255.255.0
access-list global_mpc extended permit tcp any any eq pptp
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 Remoteaccess 255.255.255.0
access-list inside_nat0_outbound extended permit ip sited 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 sited 255.255.255.0
access-list inside_nat0_outbound extended permit ip sitec 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 sitec 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 siteb 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Remoteaccess 255.255.255.128
access-list outside_dyn_map extended permit ip 10.9.62.0 255.255.255.0 Remoteaccess 255.255.255.0
access-list inside_access_in_1 remark Send SMTP
access-list inside_access_in_1 extended permit tcp host server1 any eq smtp
access-list inside_access_in_1 remark Block all other SMTP
access-list inside_access_in_1 extended deny tcp any any eq smtp
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended deny ip any any inactive
access-list inside_access_in_1 extended permit ip any sited 255.255.255.0
access-list inside_access_in_1 extended permit ip sited 255.255.255.0 any
access-list waptoInside extended permit ip any any
access-list WAP_access_in extended permit ip any any
access-list WAPtoInside extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.9.62.0 255.255.255.0 siteb 255.255.255.0
access-list VPN-Networks extended permit ip any 10.9.62.0 255.255.255.0
access-list VPN-Networks extended permit ip any sited 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu WAP 1500
ip local pool ippool2 10.9.64.1-10.9.64.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WAP) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www server1 www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 server1 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp server1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data server1 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp server1 ftp netmask 255.255.255.255
static (inside,outside) tcp interface https server1 https netmask 255.255.255.255
static (inside,outside) tcp interface 8099 server2 www netmask 255.255.255.255
static (inside,outside) tcp interface 2222 server2 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 8100 server2 8100 netmask 255.255.255.255
static (inside,outside) tcp interface 52000 codec 52000 netmask 255.255.255.255
static (inside,outside) tcp interface 52001 codec 52001 netmask 255.255.255.255
static (inside,outside) X.X.X.X 10.9.62.11 netmask 255.255.255.255 - THIS LINE
access-group acl_out in interface outside
access-group WAPtoInside in interface WAP
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside sitec 255.255.255.0 10.9.62.254 1
route inside sited 255.255.255.0 10.9.62.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
http Remoteaccess 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 match address outside_dyn_map
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 213.83.125.87
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 fqdn remote.officedomain.co.uk
 subject-name CN=remote.officedomain.co.uk
 keypair sslvpnkeypair
 crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.62.0 255.255.255.0 inside
telnet Remoteaccess 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.4-192.168.1.254 WAP
dhcpd dns 208.67.222.222 208.67.222.220 interface WAP
dhcpd enable WAP
!

threat-detection basic-threat
threat-detection statistics
ntp server 10.9.62.11 source inside
!
class-map inspection_default
 match access-list global_mpc
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect ftp
!
service-policy global_policy global
smtp-server
prompt hostname context
Cryptochecksum:f06372e98d01fded2779654e5e195401
: end
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 166 total points
ID: 35060386
you need to add this line:
 for VNC
access-list acl_out extended permit tcp any any eq 3389

this line is not need:
no access-list acl_out extended deny ip any any
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 334 total points
ID: 35060408
I am missing Access-list acl_out permit ip any host X.X.X.X

That's the outside accesslist allready in place.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35060426
Oh and remove the access-list acl_out extended deny ip any any

There allways is an implicit 'deny all' at the end of an access list.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35060439
Mm, I see an echo :)
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35060479
:)
0
 

Author Comment

by:radiosupport
ID: 35060492
Thanks guys, will give that a go now.. I put the access-list acl_out extended deny ip any any
in as i couldnt see a way of logging the implicit rule..unless there is a way?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35060497
The newer (or newest) ASDM version does show them.
0
 

Author Comment

by:radiosupport
ID: 35060553
Brilliant stuff guys.. thanks so much, that worked perfectly! Thanks a lot
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 334 total points
ID: 35060576
Glad we could help :)
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now