Cisco Firewall :: ASA 5520 8.4(1) Public WAN To Public DMZ?
Jul 10, 2011
i have an ASA 5520 8.4(1) setup as follows
ASA-- public dmz
i need to allow https traffic to a server in the DMZ that will have a routable IP address will just an ACL suffice ?which interface do i apply it to ? wan or dmz ?i dont need a NAT since the DMZ is a routable space?
I have ASA 5520 with Ver 8.2.Outside interface is directly connected to ISP's router(TelePacific) and is assigned one of public IP:126.96.36.199.There are two servers inside the network with the private IP's:192.168.1.20 for DB Server, and 192.168.1.91 for Web Server.I did Static NAT 188.8.131.52 to 192.168.1.20 and 184.108.40.206 to 192.168.1.91.When I access DB Server(220.127.116.11) it's working OK but when I access Web Server(18.104.22.168) there is no response at all.I checked the inside traffic, it even did not get into the firewall.Is this the problem with ISP's router? How can we route all of our public IP's to the outside interface(22.214.171.124)?
I have ASA 5520 with Version 8.2(5), the ISP give me a block of IP pubic (126.96.36.199/28), one IP valid (188.8.131.52) have the Global NAT (all users LAN) and server FTP, but i need that IP 184.108.40.206 is used for VCSe, and the IP 220.127.116.11 is used for other server FTP.
How to setup this Nat on an ASA 5520 running 8.3.2 code? I know this must be possible as I can do the same thing on my Check Point with no issues. I need to Nat two dmz mail servers to one public mx record. I will have an F5 to load balance inbound and outbound traffic from the mail servers. So I need to Nat two private IP’s to one public.
We have 2 x ASA 5520s in active/standby and we have a block of 30 public IP's that NAT to many servers etc and we use it for our Corp VPN. We are changing ISPs soon and we will be getting a new block of public IPs where do I even start to plan the migration and how? Can I overlap somehow and do a slow migration or must I do it in one big swoop?
I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of Public IP's on the current interface for various services (these need one to one mapping, so I can't port map mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches and I need to use an additional non contiguous IP address range for additional services advertised on the Public interface that are NAT'd to be servers in my DMZ.
I have seen an example of adding a static arp on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have a L2 switch between the ISP router and the firewall, so using VLAN's is not an option unless the ISP can be persuaded (highly unlikey) to add the seondary IP's as a sub interface with tagging. Anyway if this was actioned then we would have a massive outage on our current IP range during the transistion.
How can we host 300+ secure (https) websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
Summary of set-up: We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URL's. The number of websites is due to double very soon and we will need to use more of our public IP's. We can see that we will will run out of public IP's very soon especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.
Each of these websites are required to use https and therefore each must have a certificate which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data UN-encrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs, however is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.
BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).
One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them.
Local Network - 10.10.9.0/24 Remote Network - 18.104.22.168/24 Remote Peer - 22.214.171.124 .ASA Version 8.2(5) ! hostname ciscoasa
I am trying to configure a SSL VPN on a Cisco ASA5520. Unfortunately the port 443 of the OUTSIDE interface of ASA is already in use by Microsoft Outlook Web Access and I cannot change the configuration of Outlook. This configuration already in place prevents me to use the public IP of the ASA as Cisco VPN ip address for the webpage. I don't either want to use a different port so to keep life easy for the users.I have some public IPs available that I can use so I wanted to use one of them instead of the ASA's OUTSIDE interface.
We have a Cisco ASA 5520, and we're creating an IPSec VPN to another Cisco ASA. We have multiple VPNs on this firewall.
The issue with the latest one is they require a Public IP as the Local Encryption Network. I've seen this question a couple times while searching but never really a definitive answer.
Would using the "Outside-Network" as the local encryption network, then natting the appropriate IPs be sufficient? Or would this not work at all?
Our Public block is X1.X1.X1.64 - X1.X1.X1.79, our Peer IP X1.X1.X1.66. Would using X1.X1.X1.64/28 as the local encryption network make the connection? Then NAT the needed IPs from our DMZ X2.X2.X2.71 as X1.X1.X1.71 to the client?
Would this work or am I way off the mark (I'm by no means an ASA expert, and an ASDM explanation would work over command line).
Edit: Or would I have to create a new Global Pool made up of Public IPs on a different subnet mask than our actual Public IP address pool. And make that our Local Encrypted Network? I think this might be it, but could it cause IP overlapping? Our webserver is part of this and I'm worried about causing connection issues.
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
-Single static public IP: 126.96.36.199 -Need to PAT several ports to three separate servers behind firewall -One server houses email, pptp server, ftp server and web services: 10.1.20.91 -One server houses drac management (port 445): 10.1.20.92 -One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]
we have hosted voip and would like have our internet as back for their router. We gave them public static ip so they can configure that in their router. How can i configure the ip address in our firewall let say on asa5510 ethernet port 3 so if their router T1 goes out then our internet will work as backup.
I am now using ASA 5510 as a firewall device.I have configured 3 interfaces ethernet 0/0,ethernet 0/1,ethernet 0/2 as Wan interface, DMZ interface and Internal Lan interface. Internet is working fine from LAN as well as DMZ.The WAN interface use the Public Point 2 point IP(/30) Provided by the ISP and another pool of Public Ip is also provided by the ISP (/28). Now I want to Map the /28 IP to some servers in DMZ . DMZ servers currently have 192.168.101.0/27 private IP . Now the problem is how to Map the Public IP to those Private IP in DMZ servers.
We have 2 IP blocks from my ISP. We have been using just one a /30 block with one IP address used on the outside interface of the device. The new block is a /29 range and I would need to use just two of those IP addresses. Here is the situation I am facing.A company we partnered with wants to set up a VPN, they will send us 2 Cisco 861s to put behind our ASA. Is it possible to assign these 861's with public IPs from the block that we are not currently using? (the /29 range)? I know that it might require an upgrade to the Security Plus.
The client I am doing work for as ASA 5505 at a remote location that is using Cox Communications for the ISP. The ISP assigned 5 static IP addresses, but we only need 1 for this location. However, that is the minimum you get no matter what. The issue is that the subnet mask is a /25 and what they are telling me is that the ASA is grabbing all the IP addresses in that range. They asked if there is anyway to keep the ASA from grabbing those IP addresses. Now, I have never run into this issue before with a provider. The gateway is in the /25 subnet, so going to a /30 isn't an option.
We have the setup as shown above, our requirement is to access mail server via ports smtp and pop3.But as the mailserver is hosted at internet users at site were not able to aceess. we need to nat a intranet ip with mail server ip and mail server ip back to intranet ip and provide the access.We use ASA 5510 firewall.
Upgrading from a PIX 515 ,V6.2, I can get internet traffic out through the ASA , but no traffic in to the servers. The NATS are the same on the old firewall. The routers outside the firewalls are doing further natting from the .253 netwrok to a publilc address. No changes have taken place on the routers. [code]
I'm trying to setup a zone behind my firewall with complete publicly routeable IP addresses for 3 servers. The reason I'm doing this is I am in the network setup stage of an OCS implementation, and OCS connections don't behave well with NAT.
My device is a ASA5520. I have an internal zone, and a dmz zone. These are done via standard NAT configurations.
My question is this:
Is it possible to setup connectivity to the outside with internal servers that have Public IP's directly on their NIC's? Another little detail of interest is that this ip space is seperate than the one that's on current Outside interface facing our ISP. However we own both address space.
This works other networks that are like whole network with /29 mask and have router in front of ASA using bridge. But in my case i just have DSL modem bridged in front of ASA. This static nat works like should if i use like Zywall USG series fw and this same configuration works in my customers, but they have those scenarios i said having mask /29 and router in front...
It seems that the problem is in ASA, like i won't show those public IP:s to public router from my operator. Because if i roll those other public IP:s on my ASA:s outside interface: i will use 83.x.x.25 and 83.x.x.41 on outside interface and after that put back my original 83.x.x.10 then my static nat is working just fine, atleast few hours, but not in next morning because ISP router flushes ARP cache.
Could I get a validation that this config is correct in that it allows inbound access to the web server and that I should be able to ping it from my inside interface.
I tried to use the example code from Cisco DocID: 115904 for DMZ WebServer, but I found the object NAT parts did not work with my 8.6 IOS so I modified them as shown in my config.Example from 115904 doc.
!!!! object network WebServerPublic host 188.8.131.52 object network WebServerPrivate host 192.168.1.80 nat(dmz,outside) static WebServerPublic service tcp www www ---> this does not code !!!!
With the below code I do not get a ping reply sourcing from a 10.1.0.X host to 192.168.1.80 web server.And I cannot browse in from the outside to it either.I do see the MAC for 192.168.1.80 in the ASA's arp cache for the dmz interface.The web server is on a VMware ESX environment and I'm not sure it is set up correctly.
! ASA Version 8.6(1)2 ! hostname A5515 ! interface GigabitEthernet0/0
I'm trying to traverse from my inside private IP address (10.x.x.x) to my public IP address translation (172.16.x.x) in order to take advantage of the ACLs that are already applied on my outside interface. For example:
Host 10.0.0.1, translated to PAT pool Server 10.0.0.5, translated to 172.16.0.1 Inside-out access-list permits ip any any Outside-in access-list permits tcp any 172.16.0.1/32 eq 80
From my inside host, I can get go 10.0.0.5:80. I can get out to the internet. External hosts can successfully get to 172.16.0.1:80 (address scheme is theoretical). I can do everything except for connect to 172.16.0.1:80 (the translated public IP address) from my inside host address. I did not setup this firewall originally, but I can't see a blatant command that makes this not work. I don't see an ACL rule matched, so I'm assuming this is an issue with NAT or some sort of security policy. I'm running a Pix 535 /w 8.0.4. The response I got from Cisco was "create static (inside,inside) translations for every host", but that's over 300 hosts. I have a friend running the same software set and his works as expected without these static (inside, inside) NATs.
Attached is my updated ASA 5505 (8.4) config. With this config, basically the "laptop" group works fine, but the leo and orion groups don't ever receive packets inbound. No DNS, nothing.
The laptop is windows, the other two are servers with two NICs. The interface cards are Intel Pro/1000s. I've been through everything including Vlan protocol conflicts and actually enabled the servers for 802.1(Q).
I have a new 5510 which I have upgraded to 8.4(3). I have a /29 subnet from the telco on my outside interface. I have 6 subinterfaces on a dot1Q trunk on my inside interface. The customer requirement is to have two servers in a DMZ which have public IP's from the /29 subnet. The customer will not give the servers a new IP address so we are stuck with the two public IPs in the DMZ. I thought I would need a bridge group and bridge the outside, two DMZ interfaces but I read that bridging requires the firewall to be in transparent mode and then it won't support VPNs - this is not an option as I need to terminate VPNs on the box too.
how can I accommodate the two servers in the DMZ with public IPs whilst the ASA is in routed mode ?