Solved

Configure ASA 5505 with a dual NAT for two web servers

Posted on 2011-03-13
Last Modified: 2012-05-11
Hi Everyone,

OK, so I've got my ASA5505 functioning for internet access for computers on the inside network. Now I need to set it up so I can set up two web servers and have them NAT effectively.

One web server will be xx.xx.xx.150 and the other will be .151.

I know I need to create two NAT rules but I'm completely unsure how to configure them so that the external and internal addresses are translated correctly.

Here is the current configuration:
: Saved
:
ASA Version 7.2(4)
!
hostname XXXXXXXXXXXXXXXX
domain-name XXXXXXXXXXXXX
enable password XXXXXXXXXXXXXX
passwd XXXXXXXXXXXXXXXXXXXX
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.148 255.255.255.0
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name XXXXXXXXXXXX.com
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 208.77.88.4 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1cb4f640a1d098232728c9c823e3771f
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
Question by:natediggscsu
Accepted Solution
by: cstosgale (earned 500 total points)
ID: 35122645
You will want to use this command:-

static (inside,outside) xx.xx.xx.150 192.168.1.x

for each web server. Note that the public address is first.

You will also want to create an access list using:-

access-list acl-outside permit tcp any host xx.xx.xx.150 eq 80

ip access-group acl-outside interface outside

This will allow port 80 traffic to your web server.
Author Comment
by: natediggscsu
ID: 35122738
OK, now when I try to navigate outbound on that server I get nothing and the same when I try to access port 80 on that IP address from telnet.

: Saved
:
ASA Version 7.2(4)
!
hostname X
domain-name X.com
enable password
passwd
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.148 255.255.255.0
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name fw.quintelagroup.com
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list inside_access_in extended permit tcp any host 192.168.1.100 object-group DM_INLINE_TCP_1 log warnings
access-list acl-outside extended permit tcp any host XX.XX.XX.XX eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) XX.XX.XX.150 192.168.1.100 netmask 255.255.255.255
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 67.223.112.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns XX.XX.XX.4 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6c0b79d602d2a88b9e64f3a60a736d68
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
Author Comment
by: natediggscsu
ID: 35122849
After making these changes I'm getting lots of these entries in the logs:
4      Mar 13 2011      11:02:32      106023      192.168.1.100      141.161.54.208       Deny tcp src inside:192.168.1.100/47869 dst outside:141.161.54.208/80 by access-group "inside_access_in" [0x0, 0x0]
Expert Comment
by: cstosgale
ID: 35125835
Ok, you have applied an access list to the inside interface that is blocking the outbound traffic. This ACL is only allowing outbound web traffic to 192.168.1.100. I am guessing you have got this the wrong way round.

Also, you haven't applied the acl-outside to the outside interface. It looks like the syntax I gave you was right, try:-

Access-group acl-outside interface outside
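As an added worked example (not code from this thread, from cstosgale or from natediggscsu): a small Python script that parses the pre-8.3 ASA commands used in the postings above (static, access-list extended, access-group) and then checks the three things that went wrong in this thread: an outside ACL that is never bound with "access-group NAME in interface outside", a static whose public address has no permit in that ACL, and an inside ACL that only permits traffic to one host so everything else outbound hits the implicit deny. It also pulls the blocking access-group out of a 106023 deny line in the shape of the one quoted above. The config and log excerpts inside it are constructed to mirror the postings, with 203.0.113.0/24 and 198.51.100.0/24 documentation addresses standing in for the masked public IPs; the parser only understands the command forms that appear in this thread.

```python
"""Audit a pre-8.3 ASA static NAT publishing setup and explain 106023 denies.
Added example for this thread, not the ASA's or any poster's code. Understands only
the command forms seen above: static (in,out) PUBLIC PRIVATE, access-list NAME
extended ..., and access-group NAME in|out interface IF."""
import re
from collections import namedtuple

AceEntry = namedtuple("AceEntry", "action proto src dst port")
AsaPolicy = namedtuple("AsaPolicy", "statics acls bindings")

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
DENY_RE = re.compile(r'106023.*?Deny (\w+) src (\S+):(\S+)/(\d+) '
                     r'dst (\S+):(\S+)/(\d+) by access-group "([^"]+)"')


def _take_addr(tokens):
    """Consume one ACE address spec; return (normalised address, remaining tokens)."""
    if not tokens:
        return "", tokens
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] in ("host", "object-group"):
        prefix = "" if tokens[0] == "host" else "object-group "
        return prefix + tokens[1], tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]   # "network mask" form


def parse_config(text):
    policy = AsaPolicy(statics={}, acls={}, bindings={})
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            policy.statics[m.group(3)] = m.group(4)      # public address comes first
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            src, tokens = _take_addr(rest.split())
            dst, tokens = _take_addr(tokens)
            port = ""
            if tokens[:1] == ["eq"]:
                port = tokens[1]
            elif tokens[:1] == ["object-group"]:
                port = "object-group " + tokens[1]
            policy.acls.setdefault(name, []).append(AceEntry(action, proto, src, dst, port))
        elif m := GROUP_RE.match(line):
            name, direction, intf = m.groups()
            policy.bindings[(intf, direction)] = name
    return policy


def audit(policy):
    """Return findings for the three mistakes the thread ran into; [] means consistent."""
    findings = []
    outside_acl = policy.bindings.get(("outside", "in"))
    if outside_acl is None:
        findings.append("no ACL bound with 'access-group <name> in interface outside'; "
                        "a static alone never admits traffic from security-level 0 to 100")
    else:
        entries = policy.acls.get(outside_acl, [])
        for public, private in policy.statics.items():
            if not any(e.action == "permit" and e.dst in ("any", public) for e in entries):
                findings.append(f"static {public} -> {private}: no permit for {public} "
                                f"in outside ACL '{outside_acl}'")
    inside_acl = policy.bindings.get(("inside", "in"))
    if inside_acl is not None:
        allowed = {e.dst for e in policy.acls.get(inside_acl, []) if e.action == "permit"}
        if "any" not in allowed:
            findings.append(f"inside ACL '{inside_acl}' permits only to {sorted(allowed)}; "
                            "all other outbound traffic hits the implicit deny")
    return findings


def explain_deny(line):
    """Pull the 5-tuple and the blocking access-group out of a 106023 syslog line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    proto, src_if, src, _sport, dst_if, dst, dport, acl = m.groups()
    return {"proto": proto, "src_if": src_if, "src": src,
            "dst_if": dst_if, "dst": dst, "dport": int(dport), "acl": acl}


# Constructed excerpts mirroring the thread's second and third postings.
CONFIG_BROKEN = """
access-list inside_access_in extended permit tcp any host 192.168.1.100 object-group DM_INLINE_TCP_1 log warnings
access-list acl-outside extended permit tcp any host 203.0.113.150 eq www
static (inside,outside) 203.0.113.150 192.168.1.100 netmask 255.255.255.255
access-group inside_access_in in interface inside
"""
CONFIG_FIXED = """
access-list acl-outside extended permit tcp any host 203.0.113.150 eq www
access-list acl-outside extended permit tcp any host 203.0.113.150 eq https
access-list acl-outside extended permit tcp any host 203.0.113.151 eq www
access-list acl-outside extended permit tcp any host 203.0.113.151 eq https
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
static (inside,outside) 203.0.113.150 192.168.1.100 netmask 255.255.255.255
static (inside,outside) 203.0.113.151 192.168.1.101 netmask 255.255.255.255
access-group acl-outside in interface outside
"""
# Constructed log line in the same shape as the 106023 message quoted in the thread.
SAMPLE_LOG = ('4 Mar 13 2011 11:02:32 106023 192.168.1.100 198.51.100.20 Deny tcp '
              'src inside:192.168.1.100/47869 dst outside:198.51.100.20/80 '
              'by access-group "inside_access_in" [0x0, 0x0]')

if __name__ == "__main__":
    for label, cfg in (("broken", CONFIG_BROKEN), ("fixed", CONFIG_FIXED)):
        print(label, audit(parse_config(cfg)) or "OK")
    print(explain_deny(SAMPLE_LOG))
```

Running it prints two findings for the "broken" excerpt (outside ACL not bound, inside ACL restricted to 192.168.1.100) and OK for the "fixed" one, and maps the deny line back to inside_access_in, which is exactly the chain of reasoning in the reply above.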
Author Comment
by: natediggscsu
ID: 35128115
OK, your command access-group acl-outside interface outside still throws up an error when I try to enter it on the command line. I used the command:
access-group acl-outside in interface outside

And it resolved the problem.

So, now one web server is getting access both internally and externally (able to connect to the web server), but I connected the other web server and still no joy. Here is the new configuration:
: Saved
:
ASA Version 7.2(4)
!
hostname XX
domain-name XX
enable password
passwd
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.148 255.255.255.0
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name fw.quintelagroup.com
same-security-traffic permit inter-interface
access-list acl-outside extended permit tcp any host XX.XX.XX.150 eq www
access-list acl-outside extended permit tcp any host XX.XX.XX.150 eq https
access-list acl-outside extended permit tcp any host XX.XX.XX.151 eq www
access-list acl-outside extended permit tcp any host XX.XX.XX.151 eq https
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) XX.XX.XX.150 192.168.1.100 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.151 192.168.1.101 netmask 255.255.255.255
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns XX.XX.XX.4 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7256fe0b98b5db03ad8d22efd2292609
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
Author Comment
by: natediggscsu
ID: 35128131
I also started receiving these messages after adding the 2nd web server:
4      Mar 14 2011      09:13:26      405001                   Received ARP request collision from 192.168.2.25/0050.569d.1cb3 on interface outside
Expert Comment
by: cstosgale
ID: 35133713
Your config is right. I would try swapping round the public addresses and see if the second web server works with the first public address.
Author Comment
by: natediggscsu
ID: 35147830
Hi Everyone,

Still have a problem here. I tried this morning using the same procedure on the .151 web server that I used on the .150 web server to get it working and had a similar problem. So, I attempted to do the same thing with a nonproduction server I have in the rack. No dice.

To test what was going on, I gave the nonproduction server a static ip address (192.168.1.102). I was able to get to the internet from that server. I then set the static NAT rule and I was unable to get to the internet at all from that box.

Here is the current configuration. There must be something I'm missing:

: Saved
:
ASA Version 8.2(4)
!
hostname QG
domain-name XX.com
enable password
passwd
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.148 255.255.255.0
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
boot system disk0:/asa824.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name fw.XXgroup.com
same-security-traffic permit inter-interface
access-list acl-outside extended permit tcp any host XX.XX.XX.150 eq www
access-list acl-outside extended permit tcp any host XX.XX.XX.150 eq https
access-list acl-outside extended permit tcp any host XX.XX.XX.151 eq www
access-list acl-outside extended permit tcp any host XX.XX.XX.151 eq https
access-list acl-outside extended permit tcp any host XX.XX.XX.153 eq www
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.1.32 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNIPs 192.168.1.35-192.168.1.44 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) XX.XX.XX.150 192.168.1.100 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.153 192.168.1.102 netmask 255.255.255.255
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 208.77.88.4 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 2
 svc enable
group-policy ATSAdmin internal
group-policy ATSAdmin attributes
 dns-server value 208.77.88.4 208.85.174.9
 vpn-tunnel-protocol IPSec svc webvpn
 webvpn
  url-list none
  svc keep-installer installed
  svc rekey method ssl
  svc ask enable
username qgadmin password /oHfeGQ/R.bd3KPR encrypted privilege 15
username benl password 0HNIGQNI0uruJvhW encrypted privilege 0
username benl attributes
 vpn-group-policy ATSAdmin
username kuzma password rH7MM7laoynyvf9U encrypted privilege 0
username kuzma attributes
 vpn-group-policy ATSAdmin
username nate password BXHOURyT37e4O5mt encrypted privilege 0
username nate attributes
 vpn-group-policy ATSAdmin
tunnel-group ATSAdmin type remote-access
tunnel-group ATSAdmin general-attributes
 address-pool VPNIPs
 default-group-policy ATSAdmin
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool VPNIPs
 default-group-policy ATSAdmin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0ed0580e151af288d865f4f3603d792a
: end
asdm image disk0:/asdm-635.bin
no asdm history enable