Cisco Firewall :: 5505 PAT With Single Public IP And Several Servers Behind Firewall

Nov 21, 2012

New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
 
-Single static public IP:  16.2.3.4
-Need to PAT several ports to three separate servers behind firewall
-One server houses email, pptp server, ftp server and web services: 10.1.20.91
-One server houses drac management (port 445): 10.1.20.92
-One server is the IP phone server using a range of ports: 10.1.20.156
 
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]


Cisco Firewall :: 5510 Single Outside Public / Can PAT Out And NAT SMTP Server Back

Jul 30, 2012

I have an ASA 5510, one public IP address on my outside interface, an internal email server and a private network. I would like...

1: Users on my private network to be able to access the internet (PAT them to external outside address)
2: Email to be delivered to my MX (my single public IP address translated back to my internal email server).
 
i.e. can I share my single public IP address to serve translation in both directions (private users surfing the Internet (in-to-out) and an outside to inside NAT for email) ?
 
Email (MX) = 1.2.3.4
Public (outside) address = 1.2.3.4
Email server internal = 10.1.2.3
Internal private subnet for users = 10.0.0.0/8


Cisco Firewall :: No Traffic To Public Servers PIX 515

Jun 8, 2011

Upgrading from a PIX 515, V6.2, I can get internet traffic out through the ASA, but no traffic in to the servers. The NATs are the same on the old firewall. The routers outside the firewalls are doing further natting from the .253 network to a public address. No changes have taken place on the routers. [code]


Cisco Firewall :: 2121 / How To Nat Multiple FTP Local Servers From One Single IP

Apr 24, 2013

I have an FTP server at my local network and I have natted the private IP with my public IP using the default FTP port (21). Now I have created a different FTP account in my server using port 2121 and I am able to log in using the private IP with port 2121. Now I want to NAT with my public IP with port 2121 and I failed,

1) 125.x.x.x --------- 10.10.1.x : 21 ( Able to access from external network)
 
2) 125.x.x.x ---------- 10.10.1.x : 2121 ( not able to login from external network and able to login internally )


Cisco Firewall :: Shared Public IP To Two Servers - ASA 5510 8.3 - NAT / PAT

Feb 5, 2012

I have a situation where we have a single DMZ server currently statically forwarded to a single public IP.  TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
 
However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same public IP) for this server.  This server only needs traffic on TCP/8800 forwarded to it.
 
I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
 
My question lies in the reconfiguration of NAT/ PAT.  Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port.  I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
 
It appears ASDM will not allow me to put multiple ports into a single network object.  I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?


Cisco Firewall :: ASA 5510 - How PAT With One Public IP To Two Internal Servers

Sep 18, 2012

I've tried a bunch of things but it didn't work, I'm about to give up! :-/
 
I have the following scenario:
 
ASA5510 - v8.3(2)
 
Interfaces
ETH0/0 = outside  = 189.xxx.xxx.129
ETH0/1 = inside = 10.xx.1.15

[Code]....

What should I do to get the SIP and 8080 port working on my Public IP, likewise just as access from my browser the http://189.xxx.xxx.129:8080 and get through directly to my internal server 10.xx.xx.61?


Cisco Firewall :: Remote VPN On ASA 5510 Failing To Hit Public Servers?

Mar 12, 2012

I have a Cisco ASA 5510 that was set up as a VPN server for working remote.  I have disabled split tunneling so that all traffic created while VPN'd in goes through the ASA.  The problem I'm having I believe would be resolved if I enabled split tunneling but I would prefer another solution.  Now..for the problem. When a user is connected via VPN, they can hit all intended devices both public and private except servers that have static NATs in the FW.  So Server A has a public of 1.1.1.1 which is one to one mapped to private address of 10.1.1.1.  Now if the remote user brings up a browser and goes to 1.1.1.1 it won't work.  The FW gives me an error which is posted below.  However, using the private IP of the server works.  I thought about trying to manipulate DNS to resolve this as the remote users are using URLs and not IPs when trying to reach these servers but again, was hoping I could resolve the NAT problem that the FW seems to be having.
 
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:192.168.202.100/49238 dst INSIDE:1.1.1.1/80 denied due to NAT reverse path failure

192.168.202.x/24 is the remote vpn ip given via the ASA.

Here are some configurations on the ASA:
 
static (INSIDE,Outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255
 access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.202.0 255.255.255.0 
object-group network DM_INLINE_NETWORK_2

[code].....
 
Outside with 4.4.4.4 as the public ip traffic gets NAT'd to dynamically Inside with 10.1.1.x network on it. The ASA is running 8.2


Cisco Firewall :: ASA5525-X / Accessing IPs Of Public Servers From Inside Interface?

Oct 30, 2012

Got an ASA5525-X with 8.6 release. We have an inside interface (10.11.1.0/24) and a DMZ interface (10.254.1.0/24). On that DMZ interface there's an SMTP server; by using the Public server feature in ASDM we created a rule so we have mapped the 10.254.1.29 internal ip to an external ip 217.x.x.x. Everything is fine; working ok, but for several reasons we need to access the public ip 217.x.x.x from an inside ip (10.11.1.10). I tried to do it by creating an exemption for the dynamic nat; if I don't do that I have a 'deny ip spoof from...' message rolling on my syslogs. Seems to do the trick.....but only for pings! I ping the public ip from the inside ip, and got the reply from the internal ip on the DMZ. But if I want to telnet port 25 from inside to public, it's not working.


Cisco Firewall :: Two Public IP Blocks On ASA 5505?

Jan 16, 2013

We have 2 IP blocks from my ISP.  We have been using just one a /30 block with one IP address used on the outside interface of the device.  The new block is a /29 range and I would need to use just two of those IP addresses.  Here is the situation I am facing. A company we partnered with wants to set up a VPN, they will send us 2 Cisco 861s to put behind our ASA.  Is it possible to assign these 861's with public IPs from the block that we are not currently using? (the /29 range)?  I know that it might require an upgrade to the Security Plus.


Cisco Firewall :: ASA 5505 Grabbing More Public IPs From ISP

May 2, 2013

The client I am doing work for has an ASA 5505 at a remote location that is using Cox Communications for the ISP.  The ISP assigned 5 static IP addresses, but we only need 1 for this location.  However, that is the minimum you get no matter what.  The issue is that the subnet mask is a /25 and what they are telling me is that the ASA is grabbing all the IP addresses in that range.  They asked if there is any way to keep the ASA from grabbing those IP addresses.  Now, I have never run into this issue before with a provider.  The gateway is in the /25 subnet, so going to a /30 isn't an option.


Cisco Firewall :: ASA 5505 - Multiple Public IP

Sep 10, 2011

Attached is my updated ASA 5505 (8.4[2]) config. With this config, basically the "laptop" group works fine, but the leo and orion groups don't ever receive packets inbound.  No DNS, nothing.
 
The laptop is windows, the other two are servers with two NICs.  The interface cards are Intel Pro/1000s.   I've been through everything including Vlan protocol conflicts and actually enabled the servers for 802.1(Q).


Cisco Firewall :: Single Session HTTPS Offload On ASA 5505?

Jan 14, 2013

I have an ancient Alteon load balancer which only supports HTTP and telnet access. Our management people only allow HTTPS through the management firewall farm, and don't want to change this policy.  So I need a low cost HTTPS to HTTP conversion, ideally on Cisco hardware like an ASA5505. It only needs one concurrent user. Is there a way to configure an ASA 5505 to terminate the inbound HTTPS session and re-originate a HTTP management session to the Alteon? It looks to me as if the Clientless SSL VPN might do the job. Is there a way to do a SSH to telnet conversion on the ASA, or on a router?


Cisco Firewall :: ASA 5505 And Public Dynamic DNS Services

Feb 18, 2013

How to get DynDNS or some other public dynamic DNS services on the Internet working on ASA 5505?


Cisco Firewall :: Multiple Public IP Addresses On ASA 5505?

Sep 8, 2011

Is it possible to have two or more public IP addresses bound to a Cisco ASA 5505 running 8.4(2)?


Cisco Firewall :: ASA 5505 - Public Static IP Address And DMZ

Feb 3, 2013

I have ASA 5505 with basic licence, v9.1, ASDM 7.1. I want to create the DMZ for a web server.
 
The interface 0 is for the outside network
The interface 6 is for the DMZ
All other interfaces are for the inside network
 
My ISP provided me with one public static IP address, one gateway address and a subnet mask 255.255.255.252
 
1/ I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
 
I tried to assign the static IP address to the outside interface first, but then when I used ASDM the “Public Servers” feature to configure NAT, I get error message that the outside interface and the public address cannot have the same IP address.
 
2/ For the sake of peace of mind, I am thinking about using the second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the 1st firewall,


Cisco Firewall :: ASA 5505 - Connect Single Internal Network To Internet?

Aug 23, 2012

I have configured an ASA 5505 to connect a single internal network to internet, it is not working. I have attached the config


Cisco Firewall :: ASA 5505 - Setup Single Port Exclusion For Static NAT?

Sep 20, 2012

I have been using static NAT to map between a single server behind an ASA 5505 and a single public IP address. In other words, I've been doing this:
 
object network NAT_ME
nat (inside,outside) static interface
 
Now I would like to start using the clientless VPN feature of the ASA, so I of course don't want that particular port forwarded to the server. Is there a way to define such an exclusion? I've tried several things, including setting up a separate NAT rule to direct that port back to the ASA's interface, without luck.
 
If that is not possible, what configuration would I need to move to in order to get the behavior that I want? It is important that all (non-VPN) traffic is passed exactly as it arrives at the firewall (whether it is coming from internal or external), with the exception of changing the IP address (i.e., I need static port mappings for some of my services).


Cisco VPN :: ASA 5505 - Remote Firewall Does Not Receive Single Packet From Source IP

Jun 3, 2012

I have setup an asa 5505 with multiple sub nets (plus license) and a vpn tunnel (ipsec) between this and an other asa on a second branch office (multiple vlans) . Now I need to route only two vlans from the first site to reach some of the second branch networks
 
let's call them: 1 branch
A-172.16.4.0/24
B-172.16.2.0/24
 
2 branch 
C- 10.10.10.0/24
D- 10.20.10.0/24
E- 10.66.10.0/24
 
The tunnel is OK from A to CDE, but from B to CDE it won't come up. Pinging is unsuccessful as well as all other traffic. The connection profile is set up to have both A and B as local networks, and A and B at the moment share the same access rules configuration.
 
logs show firewall 1 let pass and build connections, without denies, but remote firewall does not receive a single packet from the source ip from network B.


Cisco Firewall :: ASA 5505 Port Redirection On Same Public Address?

May 26, 2012

We have 2 TS (Terminal Servers) and have configured the 1st RDP using my public address (say 8.8.8.8) on port 3389. It is working very well of course. However I need to set up my 2nd TS but will use port 7777 on the same public address, which is not working. I am using ASDM 6.3 and firmware 8.3.1. Is this a limitation for this IOS?


Cisco Firewall :: Unable To Use Public Server Function ASA 5505 9.1

May 23, 2013

I can't get it working to expose an internal server to an outside interface. I used the public server function in ASDM. Internet access works if I NAT my private address to one of the available IP addresses provided by our ISP.
 
Internal Server : owncloud 172.10.0.4
External Server : ext181 46.245.171.181
 
I can't see the error in the configuration,
 
: Saved
:
ASA Version 9.1(1)
!
hostname rhedetest
domain-name xxxxx.de
enable password 59t92OvRofWL9yf3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

[code]....


Cisco Firewall :: ASA 5505 - Can't Login From Public And Local IP Anymore

Dec 15, 2011

We've a Cisco ASA 5505 connected directly to Verizon FiOS Circuit (ONT) box using Ethernet cable. As per the existing documentation that I have, the previous configured this as a dedicated router to establish a separate VPN connection our software provider. They assigned both Public Static and Local Static IP address. When I try to ping the public IP address, it says request time out; so the public IP address is no longer working.
 
When I ping the local IP address of 192.168.100.11, it responds. The SolarWind tool also shows Always UP signal. How can I login into this router either from remotely or locally to check the configuration, backup and do the firmware upgrade?
 
I also tried to connect my laptop directly to the ASA 5505 router LAN port. After 3 minutes, I'm able to connect to Internet without any issues. However I don't know the IP address to use to login.


Cisco Firewall :: ASA 5505 - Create Public Server For DVR Cams?

Apr 19, 2012

I'm trying via the ASDM to port forward http connections to a DVR for the purpose of viewing IP cams. I've tried via ASDM to create a public server but I'm not allowed to use my public IP address for the public Interface. I have only one public IP address available. Is there any way round this?  I would also like to know how I can enable NAT with PAT. I've tried setting the outside Interface for use with PAT but it keeps reverting to the setting for a range of external addresses. I'm not really used to the ASA cli yet, I'm getting there. If there's a workaround via the CLI, I'll take that route.


Cisco Firewall :: ASA 5505 8.4(1) - Map Multiple Inside Hosts Ports To One Public IP?

Jun 22, 2011

I'm stuck at asa 5505 nat, port forwarding configuration. Here is what I need:

host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
 
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside servers. I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of changes from 8.0 to 8.4.


Cisco Firewall :: Can't Access Internal Servers From Behind ASA 5505

Apr 3, 2013

I am having some trouble accessing some backup Email (Outlook Web Access) and Citrix servers located behind an ASA 5505 firewall at a remote datacentre. Simply put, when I go to the specific URL (e.g. [URL]) I do not arrive at the splash page, I just get a message saying that the server took too long to respond in the web browser. I'm wondering whether I have missed something on the configuration or the firewall itself is not letting my requests through. The remote servers are located at a remote Disaster Recovery site and use the subnet 192.168.4.0/24. I am at head office which is connected to the DR site via a VPN using 192.168.1.0/24.

[Code] .....


Cisco Firewall :: How To Set Up NAT For Two Servers Using Same Port With ASDM ASA 5505

Apr 10, 2012

We have a new installation of a ASA 5505 and are trying to get some NAT issues straightened out. On our internal network, we have two servers running Filemaker Server, a relational database server that clients connect with using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching Access rule in ASDM which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a different translated port number from the original port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
 
What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily chosen unused port) can be used to access the second server: [code]


Cisco Firewall :: ASA 5505 Not Able To Access Internet And Outside To DMZ Servers

Jul 20, 2011

I have configured the ASA 5505 for internet access and outside users to use two servers in the DMZ. Everything is working fine. When I was configuring VPN, I did some mistake I guess, now inside users are not able to access internet. They get an error 405. Thats an error. The request method XXX is inappropriate for the URL /. Thats all we know. Even I am not able to access the server in the DMZ from outside and I get an error : Bad Request - Invalid Header. These things just happened after I did something on the ASA. I copied and pasted my old configuration but still inside users are not able to connect to internet and from outside I am not able to connect to server. The weird thing is that I can use VPN without any issues. I can connect to vpn but I can't access any internal resources. Even inside users are able to ping internet addresses without any issue.


Cisco Firewall :: ASA 5505 - Get Clients To Talk To Active Directory Servers?

Nov 9, 2011

I'm trying to get a couple clients to talk to my Active Directory servers. I've created sub-interfaces on my ASA. So, my clients are on Gi0/1.139 and my two Active Directory servers are on Gi0/1.132. I've enabled traffic on TCP 53-5000 port range according to Microsoft. My clients still can't join the domain. What ports do I need to open up? My AD servers are Windows 2003.


Cisco Firewall :: 5505 - Users Unable To Access External Email Servers ASA?

Nov 28, 2011

I have an issue that I am at a loss as how to solve it. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their outlook email to send messages. They can however receive messages without a problem. I also have a situation where users who use windows live to access gmail are unable to send messages.
 
I have narrowed it down to the fact that these users are using ssl/tls to send the mails. I did some research and found out about the inspect esmtp setting in the ASA.  I have disabled it and I still have the problem. I have also removed all outbound deny statements and still no luck.
 
Of note is that I can send emails without attachments. They take a long time to go out (from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
 
I was running image 8.2.3 and I downgraded to 8.0.5...still did not work...I upgraded to 8.4.3...still did not work. I am now back at 8.2.3.
 
My Firewall config is attached. I am at my wits end as to what else to try. The company has not renewed support for the device so I am on my own here!


Cisco Firewall :: ASA 5505 / Site To Site VPN Using Public Addresses On Local Network

Jul 28, 2011

I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
 
My side of the VPN is an ASA 5505 running 8.2(2). The other side i believe is a Checkpoint.


Cisco Firewall :: ASA 5585 / Identity Firewall With Single Forest / Multi-Domain

Dec 28, 2011

I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network. Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup: I have 3 domains.

[URL]
 
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains.  I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent.  I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1.  I looked to see if I could see domain 2 and domain 3 users and found none.  I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2.  Instead, it shows domain1 users as domain2user1.  I also configured another adserver in the ASA to search ldap on domain 2 to no avail.

The cisco documentation states the following:

•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine).

Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.

Reading that it sounds like it should just work.
I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains.


Cisco Firewall :: ASA 5510 / Multiple VLANs Behind Single Firewall Segment?

Feb 5, 2012

I need to create a firewalled segment that not only separates hosts from general population, but also from each other.  The solitary confinement of firewalled segments. I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible.  1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses. Is there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
 
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6
VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1
VLAN 3 - hosts 1.1.1.8 and 1.1.1.9

This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN. I'm working with an ASA 5510 running 8.2.4(4).


Cisco Firewall :: 5520 Single Firewall With 2 Core Switches

Jan 4, 2012

Two different WAN links get connected to the firewall via two routers (different IP subnets). I need to get these two WAN streams separately to the core switches. Core switches sits. Active/Standby scenario. If the Active core goes down Standby Core will have to take over the traffic. My design is correct, if not what do I need to change. ASA is 5520.


Cisco Firewall :: ASA 5520 8.4(1) Public WAN To Public DMZ?

Jul 10, 2011

I have an ASA 5520 8.4(1) setup as follows
 
      public wan
          |
          |
       ASA-- public dmz
          |
          |
      private lan
 
I need to allow https traffic to a server in the DMZ that will have a routable IP address. Will just an ACL suffice? Which interface do I apply it to? WAN or DMZ? I don't need a NAT since the DMZ is a routable space?








Copyrights 2005-15 www.BigResource.com, All rights reserved