Solved

Changing NAT translations on a Cisco firewall

Posted on 2012-08-26
Last Modified: 2012-08-26
I'm doing a server migration this week and admittedly my CLI-fu is a little rusty. Here's a (hopefully sanitized) dump of the running config:

: Saved
:
ASA Version 8.2(1) 
!
hostname Company-asa
domain-name default.domain.invalid
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.231 255.255.255.224 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any eq pop3 interface outside eq pop3 
access-list outside_access_in extended permit tcp any eq pop3 host 192.168.0.3 eq pop3 
access-list outside_access_in extended permit tcp any host 192.168.0.3 eq https 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq pop3 
access-list outside_access_in extended permit tcp any eq 3389 host 192.168.0.3 eq 3389 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list CompanyVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.128 
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging facility 23
logging host inside 192.168.0.2
logging debug-trace
logging class auth trap notifications 
logging class session trap notifications 
logging class sys trap notifications 
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPool 172.16.1.50-172.16.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 192.168.0.3 pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.0.3 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server CompanyAC protocol radius
aaa-server CompanyAC (inside) host 192.168.0.3
 key Companykey
 radius-common-pw Companykey
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd wins 192.168.0.2 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 port 445
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
group-policy CompanyVPN internal
group-policy CompanyVPN attributes
 wins-server value 192.168.0.3
 dns-server value 192.168.0.3
 vpn-tunnel-protocol IPSec svc 
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CompanyVPN_splitTunnelAcl
 default-domain value Company.local
 webvpn
  svc keepalive 60
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
  deny-message value Login was successful, but because certain criteria have not
username VPNuser password xxxxxxxxxx encrypted privilege 0
tunnel-group CompanyVPN type remote-access
tunnel-group CompanyVPN general-attributes
 address-pool VPNPool
 authentication-server-group CompanyAC
 default-group-policy CompanyVPN
tunnel-group CompanyVPN ipsec-attributes
 pre-shared-key *
tunnel-group CompanyAC type remote-access
tunnel-group CompanyAC general-attributes
 address-pool VPNPool
 authentication-server-group CompanyAC
 default-group-policy CompanyVPN
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 


Pretty much I need to make sure ports 25, 80, 443, and 997 are NAT'd to the new server, which is 192.168.0.7, while removing the lines pointing to the old server at .3. Who can give me the commands? I'll be telnetting into the firewall and I know the enable password, so mostly I'm looking for the commands that go after conf t... I could probably look these up, but I've lost a lot of time to a storm, so I'm hoping one of you can knock this out quick.
Question by: Eric_Price

3 Comments

Author Comment

by: Eric_Price
ID: 38334727
Any other comments about security-related issues would be of interest too. I'll be shutting down port 3389 when I'm done.

Accepted Solution

by: unfragmented (earned 2000 total points)
ID: 38335228
Looks like a pretty simple find and replace jobby to me:-

Fix Access Lists:

access-list outside_access_in extended permit tcp any host 192.168.0.7 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.0.7 eq 222
access-list outside_access_in extended permit tcp any host 192.168.0.7 eq pop3
access-list outside_access_in extended permit tcp any host 192.168.0.7 eq https
access-list outside_access_in extended permit tcp any host 192.168.0.7 eq 997

no access-list outside_access_in extended permit tcp any eq pop3 host 192.168.0.3 eq pop3
no access-list outside_access_in extended permit tcp any host 192.168.0.3 eq https
no access-list outside_access_in extended permit tcp any eq 3389 host 192.168.0.3 eq 3389


Fix NATs:

no static (inside,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255
no static (inside,outside) tcp interface pop3 192.168.0.3 pop3 netmask 255.255.255.255
no static (inside,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255
no static (inside,outside) tcp interface 3389 192.168.0.3 3389 netmask 255.255.255.255
no static (inside,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255
 
static (inside,outside) tcp interface smtp 192.168.0.7 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.0.7 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.0.7 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.7 https netmask 255.255.255.255

clear xlate (you might need to do this to ensure any old xlates are flushed and pickup the new server.  Warning - this does reset all connections through the firewall)


Also note that you have the following lines in your config which may need attention (Looks like Radius, WINS and DNS for your VPN connections).

aaa-server CompanyAC (inside) host 192.168.0.3
 key Companykey
 radius-common-pw Companykey
group-policy CompanyVPN attributes
 wins-server value 192.168.0.3
 dns-server value 192.168.0.3

As you said you were doing a server migration, these will probably need to be updated:-

no aaa-server CompanyAC (inside) host 192.168.0.3
aaa-server CompanyAC (inside) host 192.168.0.7
 key Companykey
 radius-common-pw Companykey
group-policy CompanyVPN attributes
 wins-server value 192.168.0.7
 dns-server value 192.168.0.7


wr mem to finish it off.

I think that should be all of it.
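The accepted answer does the find-and-replace by hand. As an added example for this thread (not the asker's or the answerer's code), the script below performs the same audit over a constructed excerpt of the posted 8.2(1) running-config: it lists every line that still names 192.168.0.3, reporting sub-mode lines such as `wins-server value` under their parent command, emits the cutover commands for the four ports the question asked for (25, 80, 443 and 997; the ASA spells the first three smtp, www and https), and flags management services that are open to any source. Two pre-8.3 behaviours shape the generated commands and are worth checking against the answer above: on 8.2 an inbound ACL on the outside interface is evaluated against the mapped (public) address, so `permit tcp any interface outside eq smtp` is the ACE that actually passes traffic while `permit tcp any host 192.168.0.x eq smtp` never matches; and a static cannot claim a mapped interface port that another static already holds, so each old entry has to be removed before its replacement is added. The config excerpt, the port list and the assumption that 997 has no existing forward are taken from the question, not from any device.

```python
"""Server-migration audit for an ASA 8.2 running-config: list every line that still
names the retiring host, emit the cutover commands in a safe order, and flag
management services open to any source.

Added example for this thread (not the asker's or answerer's code). CONFIG is a
constructed excerpt of the posted dump, trimmed to the lines that matter here."""
import re

CONFIG = """\
access-list outside_access_in extended permit tcp any host 192.168.0.3 eq https
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any eq 3389 host 192.168.0.3 eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq www
logging host inside 192.168.0.2
static (inside,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255
aaa-server CompanyAC (inside) host 192.168.0.3
 key Companykey
group-policy CompanyVPN attributes
 wins-server value 192.168.0.3
 dns-server value 192.168.0.3
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

OLD, NEW, PORTS = "192.168.0.3", "192.168.0.7", [25, 80, 443, 997]  # from the question
MASK = "netmask 255.255.255.255"
PORT_NAMES = {25: "smtp", 80: "www", 110: "pop3", 443: "https"}  # names the ASA prints
STATIC = re.compile(r"static \(inside,outside\) tcp interface (\S+) (\S+) \S+ netmask")
MGMT = re.compile(r"^(ssh|telnet|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")

def tok(port):
    return PORT_NAMES.get(port, str(port))

def host_re(host):
    # Whole-address match so 192.168.0.3 does not hit 192.168.0.30 or 10.192.168.0.3.
    return re.compile(r"(?<![\d.])" + re.escape(host) + r"(?![\d.])")

def references(config, host):
    """(parent command or None, line) for every line naming `host`. Indented sub-mode
    lines such as 'wins-server value' are reported under their enclosing command."""
    hits, parent, pat = [], None, host_re(host)
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line[0].isspace():
            parent = line.strip()
        if pat.search(line):
            hits.append((parent if line[0].isspace() else None, line.strip()))
    return hits

def cutover(config, old, new, ports):
    """Ordered commands to move `ports` from `old` to `new` on ASA 8.2.

    Pre-8.3 rules shape the output: an inbound ACL on the outside interface is
    evaluated against the mapped address, so permits name 'interface outside' and
    never the server's real IP; and a static cannot reuse a mapped interface port
    another static holds, so every old entry is removed before its replacement is
    added. Old-host statics for ports not being migrated are reported, not removed."""
    lines = [l.strip() for l in config.splitlines()]
    old_statics = {m.group(1): l for l in lines
                   for m in [STATIC.match(l)] if m and m.group(2) == old}
    wanted = [tok(p) for p in ports]
    # 1. ACEs that name the old real address: dead on 8.2 and now misleading.
    cmds = [f"no {l}" for l in lines if l.startswith("access-list") and host_re(old).search(l)]
    # 2. Release the mapped interface ports held by the old server.
    cmds += [f"no {old_statics[t]}" for t in wanted if t in old_statics]
    # 3. Bind them to the new server; add an ACE only where none exists yet.
    for t in wanted:
        cmds.append(f"static (inside,outside) tcp interface {t} {new} {t} {MASK}")
        ace = f"access-list outside_access_in extended permit tcp any interface outside eq {t}"
        if ace not in lines:
            cmds.append(ace)
    leftover = sorted(set(old_statics) - set(wanted))
    return cmds, leftover

def open_management(config):
    """(service, interface) pairs where ssh/telnet/http is permitted from 0.0.0.0/0."""
    return [(m.group(1), m.group(2)) for l in config.splitlines()
            for m in [MGMT.match(l.strip())] if m]

if __name__ == "__main__":
    for parent, line in references(CONFIG, OLD):
        print(f"{parent + ' > ' if parent else ''}{line}")
    cmds, leftover = cutover(CONFIG, OLD, NEW, PORTS)
    print("\n".join(["conf t", *cmds, "wr mem"]))
    print("still forwarded to", OLD, "(decide separately):", leftover)
    print("management open to any source:", open_management(CONFIG))
```

On the posted excerpt the leftover list is the 3389 forward the asker plans to close, which the script deliberately leaves for a separate decision rather than deleting with the migration. After the change, `clear xlate local 192.168.0.3` flushes only the old server's translations instead of every connection through the firewall, and `packet-tracer input outside tcp 203.0.113.10 12345 <outside address> 25` confirms the new path hits the static and the `interface outside` ACE. The same scan shows `ssh 0.0.0.0 0.0.0.0 outside`, which exposes SSH management to the whole Internet and is the first thing to tighten once 3389 is closed.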

Author Closing Comment

by: Eric_Price
ID: 38335299
Thanks for that. I had gone ahead and worked out some of what I had to, but it's nice to see a) that I had assumed / remembered correctly and b) that you pointed out a couple of things I hadn't really been paying attention to.