Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2302
  • Last Modified:

Cisco ASA 5505 External IP Address Pass Through

Hi, How do I configure the ASA to pass through an unused external IP address we have to an internal address?
0
radiosupport
Asked:
radiosupport
  • 14
  • 9
  • 7
3 Solutions
 
Istvan KalmarCommented:
Hi,

you need to configure a pat:

http://www.petenetlive.com/KB/Article/0000316.htm

If you don't want to configure DMZ you able to make the static nat to inside address also!

Best regards,
Istvan
0
 
Ernie BeekCommented:
If you want to link the public address 1 to 1 to one address on the inside you can set up a static and determine which ports are allowed through by means of an access list.
If you want to forward ports to different internal addresses, you can use PAT (a static command with the specific port defined) in combination with an access list.
The exact way you configure it depends on the version of the software. As of 8.3 there are some major changes in the way that is set up.
0
 
radiosupportAuthor Commented:
Thanks running 8.0(3)..

I want to allow an external IP address to be passed through to a device already on our network. That is to say that I cant physically plug it into a DMZ interface.
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
Ernie BeekCommented:
Well basically you need to set up a static:

static (inside,outside) public_address private_address netmask 255.255.255.255

And allow ports to get through (for example smtp):

Access-list outside permit tcp any host public_address
access-group outside in interface outside

That should do it.
0
 
radiosupportAuthor Commented:
Thank you. Is there a way to just pass all traffic through? (all ports)
0
 
Ernie BeekCommented:
Oops, typo:

Should be:
Access-list outside permit tcp any host public_address eq 25

Also I assumed your interfaces are called inside and outside.
0
 
Ernie BeekCommented:
Ehr, why do that?

I mean, what's the use of putting it behind a firewall and then opening up everything.

Not to mention the security risks. this machine is on your inside network. Opening everything up makes it very easy to compromise and the server will share all of his knowledge of your network with anyone who asks (bcause all ports are open).

I don't think that's a good idea. As a matter of fact I think that is a very BAD idea. The least you need to do then is put it in a DMZ (but you said you couldn't :-~ )
0
 
radiosupportAuthor Commented:
Hi,

Because another router/firewall will be on the end of it! Basically we're part of an MPLS network here. With this site being the gateway. I want to assign an external IP address to a router at another site..
0
 
Ernie BeekCommented:
Ok, in that case I didn't say anything ;)

Then make an access list like this:
Access-list outside permit ip any host public_address
0
 
Istvan KalmarCommented:
please show the whole config, and we put the commands, that you need...
0
 
radiosupportAuthor Commented:
Where would i see Access-list outside permit ip any host public_address  in the ASDM?

It's taken the command OK, I just can't see it anywhere!
0
 
Ernie BeekCommented:
Should be somewhere in: configuration->firewall->access rules
0
 
Ernie BeekCommented:
did you also isuue the: access-group outside in interface outside ?
0
 
radiosupportAuthor Commented:
OK, this is working now somewhat.. if I view the public IP address in a web browser, I get the web interface of the local device. So that's working.

If i try and VNC to it for example, it doesn't work. In the access list, i've set allow IP, as recommended above
0
 
Istvan KalmarCommented:
if you set IP address it needs to be work...
did you "clear xlate" after that you configured static nat?
0
 
Ernie BeekCommented:
Do you happen to have an access list on the inside? Or is the other firewall blocking ports?
0
 
radiosupportAuthor Commented:
OK, another update.. it seems to work without any access list entries setup for it. (http that is)

Am I doing something wrong? if so, which part of the config would you need to see?
0
 
Ernie BeekCommented:
Well,a more or less complete sanitized config would be nice :)
0
 
Istvan KalmarCommented:
without passwords....
0
 
radiosupportAuthor Commented:
Here you go.. the line with, THIS LINE is the IP in question..

------------------ show running-config ------------------

: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name officedomain.local
enable password <removed>
names
name 10.9.62.1 server1
name 10.9.62.87 server2
name 10.92.183.0 siteb
name 10.9.64.0 Remoteaccess
name 10.9.62.244 codec
name 10.9.63.0 sitec
name 192.168.0.0 sited
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 10.9.62.3 255.255.255.0
 ospf cost 10
!
interface Vlan2
 description Outside
 nameif outside
 security-level 50
 ip address X.X.X.X 255.255.255.248
 ospf cost 10
!
interface Vlan3
 description WAP
 no forward interface Vlan1
 nameif WAP
 security-level 50
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd <removed>
boot system disk0:/asa803-k8.bin
no ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup WAP
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name officedomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
 port-object eq lotusnotes
 port-object eq ftp
 port-object eq ftp-data
 port-object eq 5900
 port-object eq 21552
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq www
 service-object udp eq www
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service codec tcp
 description codec
 port-object range 50011 50046
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit object-group DM_INLINE_SERVICE_1 any any
access-list acl_out extended permit tcp any any object-group DM_INLINE_TCP_1
access-list acl_out extended permit tcp any any eq 8099
access-list acl_out remark server2
access-list acl_out extended permit tcp any any eq 2222
access-list acl_out remark server2
access-list acl_out extended permit tcp any any eq 8100
access-list acl_out remark codec
access-list acl_out extended permit tcp any any eq 52000
access-list acl_out remark codec
access-list acl_out extended permit tcp any any eq 52001
access-list acl_out extended permit tcp any any eq 8000 inactive
access-list acl_out extended deny ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list OriginalSol_splitTunnelAcl remark London
access-list OriginalSol_splitTunnelAcl standard permit sited 255.255.255.0
access-list OriginalSol_splitTunnelAcl remark siteb
access-list OriginalSol_splitTunnelAcl standard permit sitec 255.255.255.0
access-list global_mpc extended permit tcp any any eq pptp
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 Remoteaccess 255.255.255.0
access-list inside_nat0_outbound extended permit ip sited 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 sited 255.255.255.0
access-list inside_nat0_outbound extended permit ip sitec 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 sitec 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 siteb 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Remoteaccess 255.255.255.128
access-list outside_dyn_map extended permit ip 10.9.62.0 255.255.255.0 Remoteaccess 255.255.255.0
access-list inside_access_in_1 remark Send SMTP
access-list inside_access_in_1 extended permit tcp host server1 any eq smtp
access-list inside_access_in_1 remark Block all other SMTP
access-list inside_access_in_1 extended deny tcp any any eq smtp
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended deny ip any any inactive
access-list inside_access_in_1 extended permit ip any sited 255.255.255.0
access-list inside_access_in_1 extended permit ip sited 255.255.255.0 any
access-list waptoInside extended permit ip any any
access-list WAP_access_in extended permit ip any any
access-list WAPtoInside extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.9.62.0 255.255.255.0 siteb 255.255.255.0
access-list VPN-Networks extended permit ip any 10.9.62.0 255.255.255.0
access-list VPN-Networks extended permit ip any sited 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu WAP 1500
ip local pool ippool2 10.9.64.1-10.9.64.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WAP) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www server1 www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 server1 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp server1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data server1 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp server1 ftp netmask 255.255.255.255
static (inside,outside) tcp interface https server1 https netmask 255.255.255.255
static (inside,outside) tcp interface 8099 server2 www netmask 255.255.255.255
static (inside,outside) tcp interface 2222 server2 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 8100 server2 8100 netmask 255.255.255.255
static (inside,outside) tcp interface 52000 codec 52000 netmask 255.255.255.255
static (inside,outside) tcp interface 52001 codec 52001 netmask 255.255.255.255
static (inside,outside) X.X.X.X 10.9.62.11 netmask 255.255.255.255 - THIS LINE
access-group acl_out in interface outside
access-group WAPtoInside in interface WAP
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside sitec 255.255.255.0 10.9.62.254 1
route inside sited 255.255.255.0 10.9.62.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
http Remoteaccess 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 match address outside_dyn_map
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 213.83.125.87
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 fqdn remote.officedomain.co.uk
 subject-name CN=remote.officedomain.co.uk
 keypair sslvpnkeypair
 crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.62.0 255.255.255.0 inside
telnet Remoteaccess 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.4-192.168.1.254 WAP
dhcpd dns 208.67.222.222 208.67.222.220 interface WAP
dhcpd enable WAP
!

threat-detection basic-threat
threat-detection statistics
ntp server 10.9.62.11 source inside
!
class-map inspection_default
 match access-list global_mpc
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect ftp
!
service-policy global_policy global
smtp-server
prompt hostname context
Cryptochecksum:f06372e98d01fded2779654e5e195401
: end
0
 
Istvan KalmarCommented:
you need to add this line:
 for VNC
access-list acl_out extended permit tcp any any eq 3389

this line is not need:
no access-list acl_out extended deny ip any any
0
 
Ernie BeekCommented:
I am missing Access-list acl_out permit ip any host X.X.X.X

That's the outside accesslist allready in place.
0
 
Ernie BeekCommented:
Oh and remove the access-list acl_out extended deny ip any any

There allways is an implicit 'deny all' at the end of an access list.
0
 
Ernie BeekCommented:
Mm, I see an echo :)
0
 
Istvan KalmarCommented:
:)
0
 
radiosupportAuthor Commented:
Thanks guys, will give that a go now.. I put the access-list acl_out extended deny ip any any
in as i couldnt see a way of logging the implicit rule..unless there is a way?
0
 
Ernie BeekCommented:
The newer (or newest) ASDM version does show them.
0
 
radiosupportAuthor Commented:
Brilliant stuff guys.. thanks so much, that worked perfectly! Thanks a lot
0
 
Ernie BeekCommented:
Glad we could help :)
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

  • 14
  • 9
  • 7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now