Solved

NAT an IP address to an internal host (public IP is not assigned to any ASA interface) - internal host is a web server

Posted on 2013-12-29
Last Modified: 2014-01-06
Hi, I was told by an engineer that the ASA can do this due to proxy ARP. I need to NAT a public IP (this public IP is ours and routes into our DMZ; the IP I wish to use is not assigned on any active interface, however).

My understanding of NAT on the ASA is basic: just NAT (inside) (outside) interfaces etc., then a port, e.g. 80.

How do I achieve this without (inside) (outside) (dmz), which are interfaces? Do I just create an object and NAT that? The IP is in the DMZ range, so do I NAT that to the DMZ interface on the ASA, even though the IP address is not assigned to any server in the DMZ or to an ASA interface? If so, can someone provide a NAT command example to follow, please?
Question by:philb19

Author Comment

by:philb19
ID: 39744722
I can't use the outside interface of the ASA, as I already NAT this to another port 80 internal web server.

Also, I have many other port 80 services on a few DMZ reverse proxies and web servers in the DMZ; I don't want to screw them up. Thanks.

Expert Comment

by:giltjr
ID: 39744759
--> I can't use the outside interface of the ASA, as I already NAT this to another port 80 internal web server

You don't NAT interfaces, you NAT IP addresses. As long as you have available public IP addresses you can add another NAT.

What version of ASA firmware are you running?

A link showing different ways to do NAT based on the ASA version:

https://supportforums.cisco.com/docs/DOC-9129

Author Comment

by:philb19
ID: 39745436
Thanks. Version 9.0(2) of ASA. Yes, I realize you NAT IPs; (outside) is the outside public IP.

So you are saying I create a new named object and give it the public IP address I want to NAT.

Then NAT like this:

(inside) to ("new named object") source static "internal web server name" service tcp www

If I just use (outside) again, will it not override the NAT/redirect I already have for another web server?

Expert Comment

by:giltjr
ID: 39745450
Can you post your current NAT statement?

You can create objects for both, but you don't need to. Simple example:

object network inside-webserver
  host 192.168.1.100
nat (inside,outside) static 10.10.10.1 service tcp 80 80


This will create a network object called inside-webserver whose IP address is 192.168.1.100.

It will NAT 192.168.1.100 to 10.10.10.1 for TCP traffic flowing between the inside and outside interfaces. All other traffic should be blocked. If you need HTTPS, then you would have the additional config:

object network inside-webserver-ssl
  host 192.168.1.100
nat (inside,outside) static 10.10.10.1 service tcp 443 443

Another link with some simple samples.

http://www.networkworld.com/news/tech/2013/011613-static-nat-cisco-asa-265898.html?page=2

You could define 10.10.10.1 as a resource object like:

object network outside-webserver
  host 10.10.10.1

and use outside-webserver instead of specifying 10.10.10.1. The only advantage of this is that if you changed your outside IP address, you would just change it in the object definition instead of in each of the NAT statements.

Author Comment

by:philb19
ID: 39745453
The (outside) single public IP address is already NAT'd to another internal web server.

I have another public IP in the DMZ range (not on any interface) that I want to NAT to another internal web server.

Expert Comment

by:giltjr
ID: 39745458
Are you saying you have two public IP address subnets?

If so, how does the Internet know to route the second subnet to your outside ASA interface?

Even with that, you should still be able to use a NAT statement. If the real host is on an interface called dmz, then you just say "(dmz,outside)", or if you want to use the public IP address from your internal network, you would say "(dmz,any)".

Author Comment

by:philb19
ID: 39745478
Hi. We have an outside interface (small range, I think 2 or 3 IPs), with 1 IP on the outside interface.

We have a 14 IP DMZ range. The IP I want to use is in this 14 IP range; only it's not assigned to any server in the DMZ or on the ASA DMZ interface.

"Are you saying you have two public IP address subnets?" - yes

"If so, how does the Internet know to route the second subnet to your outside ASA interface?"

The Internet routes to us for the DMZ range as well as the outside range. Does this make sense?

Sorry, no expert on NAT. So I'm OK to create an object for "DMZ public IP", then the NAT statement

(inside) to ("new named object") source static "internal web server name" service tcp www - would this work?

Expert Comment

by:giltjr
ID: 39745518
O.K., just wanted to make sure I understood your setup. I'll have to think about this. We no longer use PIX/ASA, and when we did, the outside interface was on the same subnet as our public addresses.

The simplest way to do this would be to use 3 interfaces on the ASA:

Outside <---> ASA <---> Inside
               /\
               |
               \/
              DMZ

Then use your "DMZ" IP address without NATs in the DMZ. But let me think about this and check a few things out.

Author Comment

by:philb19
ID: 39745521
OK, thanks. FYI, I have 2 to 3 TMG/ISA servers in the DMZ already doing web publishing/HTTP forwarding to internal (webmail, for example). Only I don't want to use this setup again. I want to use the ASA firewall/NAT (as I have done on the "outside" interface of the ASA already).

Accepted Solution

by:giltjr (earned 500 total points)
ID: 39745533
Reading up and looking at a few posts, it seems that as long as your ISP is routing your /28 to the IP address of your outside interface, you should be able to do:

object network outside-webserver1
  host 10.10.10.1

object network inside-webserver1
  host 192.168.1.100
  nat (inside,outside) static outside-webserver1 service tcp 80 80

Even though your outside interface is not on that subnet, you want to use (inside,outside) because those are the interfaces you want the NAT translation to occur on.

A search string you can use is:

ASA NAT non-connected network

Some links:

https://supportforums.cisco.com/docs/DOC-31116
https://supportforums.cisco.com/thread/2133340
http://www.tunnelsup.com/arping-for-non-connected-subnets-on-a-cisco-asa

Author Comment

by:philb19
ID: 39745583
Thanks, very helpful. If I specify nat (inside,outside) static outside-webserver1 service tcp 80 80,

how then does the NAT get translated to the correct "inside" web server IP?

Author Comment

by:philb19
ID: 39745591
Sorry, I think I see: the NAT is applied on the "inside-webserver1" object.

So it's NATing what hits the "outside-webserver" IP on the outside interface of the ASA to the inside-webserver1 object.

Expert Comment

by:Henk van Achterberg
ID: 39760256
object network WAN_externalip
  host 1.2.3.4

object network LAN-internalip
  host 192.168.1.1

object service TCP-80_HTTP
  service tcp destination eq www

nat (outside,inside) source static any any destination static WAN_externalip LAN-internalip service TCP-80_HTTP TCP-80_HTTP unidirectional

This is all you need for proxy ARP, running firmware version 9.
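As an added illustration (not code from this thread, from Cisco, or from either expert), the following Python model walks through how the two posted rules behave: giltjr's object NAT, which is bidirectional, and Henk's twice NAT, which carries the unidirectional keyword. It uses only the addresses posted above; the rule-matching is deliberately simplified and any outside-interface subnet you pass to on_outside_subnet is an assumption you supply.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    """One static port-forward as posted (object NAT or twice NAT)."""
    real_ip: str          # inside web server
    mapped_ip: str        # public address the ASA answers for
    proto: str
    port: int
    unidirectional: bool  # True for Henk's rule, which carries 'unidirectional'


def inbound_translation(rules, dst_ip, dst_port, proto="tcp"):
    """Outside -> inside: rewrite the mapped destination to the real host.
    First match wins (simplified: a real ASA orders its NAT table by section)."""
    for r in rules:
        if (r.mapped_ip, r.port, r.proto) == (dst_ip, dst_port, proto):
            return (r.real_ip, r.port)
    return None  # no rule matched; the connection is not forwarded


def outbound_translation(rules, src_ip, src_port, proto="tcp"):
    """Inside -> outside: only bidirectional rules rewrite the source.
    A 'unidirectional' rule never lets the inside host originate connections
    from the public address, which is what the keyword is for."""
    for r in rules:
        if r.unidirectional:
            continue
        if (r.real_ip, r.port, r.proto) == (src_ip, src_port, proto):
            return (r.mapped_ip, r.port)
    return None


def on_outside_subnet(mapped_ip, outside_if_cidr):
    """True when the mapped IP lies in the outside interface's own subnet.
    When False (this thread's case) the accepted answer's condition applies:
    the ISP must route that prefix to the outside interface address."""
    net = ipaddress.ip_network(outside_if_cidr, strict=False)
    return ipaddress.ip_address(mapped_ip) in net


# Rules as posted: giltjr's object NAT and Henk's unidirectional twice NAT.
RULES = [
    StaticNat("192.168.1.100", "10.10.10.1", "tcp", 80, unidirectional=False),
    StaticNat("192.168.1.1", "1.2.3.4", "tcp", 80, unidirectional=True),
]
```

The model covers translation only; the access rule on the outside interface that the closing comment mentions is still needed before the ASA forwards the translated connection.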

Author Closing Comment

by:philb19
ID: 39760994
Worked perfectly, thanks very much. It also needs an ACE on the outside interface in to the inside web server for HTTP.

Thanks to the others who posted.