Cisco Firewall :: NAT Configuration To Allow Access To Two Hosts In The Same DMZ (RFC 1918)
May 16, 2011
I am using a three interface ASA config (Internet, DMZ, Inside). The DMZ and Inside networks are both RFC 1918 space however it is against our corporate policy to allow our DMZ IP space to be internally routable, therefore we must target routable IP's which NAT to the DMZ hosts . In my DMZ network there are two devices - a Web Server and a 802.11 Access Point.
The Web Server is hosting our corporate web site. When the clients accessing the internet via the Access Point try to access our corporate web site they are not able to. A DNS lookup of the A record 'www' returns the public IP address, which when targeted translates to the real RFC 1918 IP of the web server.
Is there a way to use destination NAT or another clever config so when a host targets a public IP which is being translated on a different interface right back into the same interface it originated from it would allow the traffic?
I have two RFC1918 domains I wish to connect, can I use double NAT with PAT so that each domain is represented as one single ip address with each session a port of that address-
The link is a private point to point link with a /32 mask so could I use this as the PAT address ?
I have configured the ASA in a very similar manner to how the PIX was set up but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet. I've spent a few days working on this now and have started from scratch several times but I'm not getting anywhere. Apologies for all the X's everywhere, didn't like to post anything sensitive on the Internet.
How can I get DMZ hosts to be able to access the Internet via the Outside interface of my ASA5505.I am using the DMZ to allow temp guest acces to the Internet.
Here is my configuration and it can be changed as needed.
User Access Verification Password:Type '?' for a list of available commands.ciscoasa> enaPassword: *******ciscoasa# sho run: Saved:ASA Version 8.0(4)! interface Vlan1nameif insidesecurity-level 100ip address 192.168.100.39 255.255.255.0!interface Vlan8no forward interface Vlan1nameif dmzsecurity-level 50ip address 172.31.10.1 255.255.255.0!interface Vlan11nameif outsidesecurity-level 0ip address 24.172.82.xxx 255.255.255.252!interface Ethernet0/0!interface Ethernet0/1switchport access vlan 11!interface Ethernet0/2!interface Ethernet0/3switchport access vlan 8!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!boot system disk0:/asa804-k8.binftp mode passivedns server-group DefaultDNSdomain-name asaobject-group protocol DM_INLINE_PROTOCOL_1protocol-object udpprotocol-object
I am using ASA 5505 firewall with base-license. I connected my firewall to one cisco 3750 switch where i created 5 vlans. I done NATing for all vlans and they able to get internet and working fine. They able to browse all internet sites like gmail and yahoo mail.
All internal users are configured to use Outlook for their webmail. Here the problem is with outlook they are unable to send and receive the mails.
If they directly connected their system using public ip( Directly from ISP) they able to send and receive mails from outlook.
I've recently set up a LAN-2-LAN VPN tunnel to a 3rd party service provider who uses RFC 1918 private addressing internally and cannot perform NAT on their side of the tunnel. In order to avoid conflicts with our address space I've had to implement DNAT for the address on the 3rd party network that users at my end must access. The tunnel terminates at my end on the outside interface of an ASA-5550 running 8.4.2. While the ASA has 8 interfaces at security levels between 0 and 100, DNAT only need occur for traffic flowing from inside (100) to outside (0).
The following (redacted) addressing applies:
Address of the server on the 3rd party provider network: 192.168.2.155
Mapped address of server as seen on the network at my end: 10.168.2.155
I've currently implemented DNAT using object NAT as follows:
This works as expected, however in examples and discussion I've seen, it appears that the typical way to configure NAT for this scenario is with manual NAT as follows:
nat (inside,outside) source static any any destination static remote-server-mapped remote-server
Is there any reason why I should consider using the manual NAT method rather than the object NAT method in this scenario?Are there any technical reasons why using object NAT in this manner should be avoided?
We've never had a problem setting up ASA to ASA or ASA to PIX vpn site to site tunnels using RFC-1918 addresses ( 10.x.x.x usually ). Now we have a customer ( a hospital ) that requires a public non-RFC1918 address to be presented to them. Since the addresses that we send are routable, they get routed through the internet instead of going through the tunnel. Here's the boiler plate from the customer:
"Important Note: The following information is to be used as a guideline in setting up a VPN connection between XXXX and your organization. Currently, XXXX supports only site-to-site VPN’s and all partners MUST present valid registered public IP addresses through the VPN tunnel.XXXX is unable to accept RFC-1918 addresses (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). We do not support PPTP, L2TP, or client VPN connections through a dialer application."
I was able to get a tunnel running between two ASA-5505 units using a public class C address that is currently not routable. How do I get this to work with a routable address? The tunnel will be carrying patient data and is basically a single server to single server link. It needs AES-256 and SHA-5 encryption but that shouldn't be a problem. The hospital is using a PIX, we are using an ASA-5510 with Security Plus license. We also have a couple of ASA-5505 units with base license to test with.
I am trying to block access to facebook and twitter on my router, to a certain range of ips, 192.168.1.8 - 254. I have been digging around and trying stuff but all I do seems to restrict everyone access to the internet.
I have a site to site vpn connection between ASA 5510 and PIX 515 which is working fine. There is no problem for hosts on any side of the tunnel to access a cross. However the local ip (192.168.20.1) on the client interface of my PIX is not allowed to access hosts on the other side of the tunnel. [code]
I'm testing upgrading an ASA from 8.2.5 to 8.4.4. During the the upgrade, it change all of my ACL host entries to objects. But I noticed that the keyword "host" is still a valid option when creating an ACL.
I'm trying to understand why this change is made during the migration.
I also want in internal NAT, but only for certain external hosts, so when they connect to any of the above, their source address is changed. I've attempted the following so an external host (172.16.2.254), has it's source changed to 172.16.1.100.
I've been attempting to fix this issue or confirm the issue is not with the firewall and I have kind of run into a road block. This is my problem as I understand it. A client of mine has a VPN tunnel built over a point to point connection of some kind (this client is fairly new to me) and is unable to access some hosts on the remote end of the VPN tunnel from the LAN side of the firewall. The LAN IPs are NAT'd as they leave the network from the HPH-Point-to-Point interface to the remote end. Just as a point of reference, the LAN IP of 129.200.11.19 is said to be working, however the range of 129.200.20.25 - .50 is not. I've tried packet-tracer but with the NAT happening over a VPN tunnel I am not sure if I am doing it correctly.
I'm just new with ASA. I'm just self-studying on it. I was tasked to have an ACL that will allow inside hosts to access a specific network. Is there a way on how to know all the inside hosts on the behind ASA so that I can do a "object-group network" on those inside hosts which I think it will look neat.
The ASA5505 I am working with has this from the show version:
Licensed features for this platform:Maximum Physical Interfaces : 8VLANs : 3, DMZ Restricted Inside Hosts : 10Failover : Disabled VPN -DES : EnabledVPN-3DES-AES : Enabled VPN Peers : 10WebVPN Peers : 2Dual ISPs : Disabled VLAN Trunk Ports : 0 This platform has a Base license.
Does the Insides Hosts :10 line mean that only 10 devices can be connected to the firewall at one time? I would like to connect an AP to one of the PoE ports and have possibly more than 10 connected. Is this possible with this ASA5505?
I have just started to use an ASA 5510 for my network. I use the DHCP server on it and after i made the change over to ASA hosts started loosing their IP address. This was not a problem before on my old firewall that aso had the roll of DHCP.
Is it possible that something is wrongly sett on the asa? All traffic is flowing normaly when this does not happen.
Information: Lease length: 172800 address pool: 134 addresses hosts: around 45 + mobile units 45
i have R1(F0/0 :1.1.1.1 and R2 (F0/0:1.1.1.2) connected togather once i applied acl at R1 on the inbound direction i lost the ospf session and the ping between these 2 routers despite for the below ACL Config
acl 101 permit icmp host 1.1.1.1 host 1.1.1.2 acl 101 permit host 1.1.1.1 host 1.1.1.2 acl 101 permit ospf 1.1.1.1 host 1.1.1.2 acl 101 permit ip 192.168.1.0 0.0.0.15 any R1 int f0/0 ip access-group 101 in
R1 is my main router while R2 is my customer , i gave my customer the block 192.168.1.0/25 so i m going to implement some security like RFC 1918 and RFC 2827 Filtering along with uRPF
Currently have a setup where we have multiple SVI interfaces in a VRF on a Catalyst 6500 Switch. All these SVI belong to the same VRF. In order to achieve connectivity for hosts within the VRF to access hosts outside the VRF (Hosts reachabe via the Global Routing Table (GRT)) I am thinking I need to configure 2 things
1. Creating a summary route for all the subnets within the VRF in the Global Routing table. <Config on 6K in Global Routing Table> Note: 10.10.10.10 is the ip address of loopback 10 and this loopback 10 is in VRF Red ip route 172.16.0.0 255.255.0.0 loopback10 10.10.10.10
2. Create a couple static routes within the VRF for networks that reside in the Global Routing table but which are not local to this 6K. <Config on 6K within the VRF Routing Table>
Note: 1.1.1.1 is the ip address of loopback 1 and this loopback 1 is in the GRT or not assigned to a VRF ip route vrf Red 172.32.32.0 255.255.255.0 loopback1 1.1.1.1 global ip route vrf Red 172.32.40.0 255.255.255.0 loopback1 1.1.1.1 global ip route vrf Red 172.32.50.0 255.255.255.0 loopback1 1.1.1.1 global
I have read through some posts and it seems to indicate that I cannot point to a loopback interface as it is not a point to point interface. How this solution can be achieved. The reason I was pointing to a loopback was so that I am not tied to a particular physical interface and for the summary route that was created in step 1 really not sure what L3 interface I could point to since I have multiple SVI's that are in the same VRF. Would I also need to create that same summary within the VRF. I don't intend to since I am assuming that once within the VRF the more specific connected interfaces would take affect and forward respectively.
In addition to the above I also need determining the forwarding behavior when there is a ip helper address configured under the SVI's which are in a VRF but the ip address for that helper is not part of the VRF. I would think if a static route is configured under the VRF for that helper address network pointing it to the Global Routing table it should work. The config for that would be
ip route vrf RED 172.32.52.5 255.255.255.255 loopback1 1.1.1.1 global
I want to upgrade "inside hosts" from 10 to unlimited on a ASA5505-BUN-K9, Do I have to buy Security Plus license ( L-ASA5505-SEC-PL =) ) before activating ASA5505-SW-10-UL ?
This is an issue I'm currently exploring with TAC, but I'd like a quick reality check. We have a pair of ASA 5510s in Active/Standby stateful failover mode. In some tests failing over from the active to the standby system breaks SSH connections from hosts on our Inside to hosts on our DMZs.
A specific example is our backup server on Inside which is connecting to our mail server in the DMZ2, and running ssh/rsync/scp for the backups. A running backup job fails with network timeout errors when I trigger the failover. Also, sometimes the mail server loses or hangs on its connection to our LDAP server in DMZ1, although sometimes this connection is fine (DMZ2 is more "inside" than DMZ1, and I assume the LDAP look ups are many short connections, vs the rsync backup being one long connection).
TAC has suggested that open SSH sesions will always fail when the ASAs failover. I believe this is true for management connections to the ASA, but I don't see why it should be the case for an SSH session through the ASA to a server in the DMZ. TAC has suggested that I open some connections to servers in the DMZ and test what happens, and I can do so this Wednesday morning during a maintenance window.But, in general, is this true? That is, given an SSH session from a workstation to a server, should a failover break it? If so, why?
That is, all our inside VLANs are routed by our core L2/3 switch to a VLAN that connects to the Primary and Secondary ASA's INSIDE ports. There are also seperate VLANS on the core for the ASA's DMZ1 and DMZ2 connections, which go to both ASAs and to any servers in these zones.
The description of the ASA Stateful failover [URL]says: "The state information passed to the standby unit includes these:
· The NAT translation table · The TCP connection states · The UDP connection states · The ARP table · The Layer 2 bridge table (when it runs in the transparent firewall mode) · The HTTP connection states (if HTTP replication is enabled) · The ISAKMP and IPSec SA table · The GTP PDP connection database
[code]....
I'm not quite sure what the ISAKMP and IPSec SA tables do, but shouldn't an SSH connection through the ASA be just a TCP connection? "For us, SSH from Inside to hosts in the DMZ survives failover," or, "Yah, failover breaks all SSH sessions."
I have an ASA 5510 which i've configured for internet access.I can connect to the internet from the ASA box,I can ping public networks from the console of the ASA box,but cannot access public hosts from internal hosts connecting via the ASA box.Find my config below to know what i ahave omitted or committed.
I have, what I believe to be, a simple issue - I must be missing something. Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209). There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off. The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue. Basically, the VPN is up and running but PC 10.51.253.210 cannot get out
I've got an RV180W for my office, and so far it has been great. I have two users that use a certain application that crashes all the time. For some reason, they don't crash when put into the DMZ. Is there any way i can put both of them in the DMZ? I can only figure out how to have one host in the DMZ at a time.
I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:
host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100 host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200 host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.
At the end of the day I simply need to upgrade the license on my ASA 5505 v7.2.4 (upgrade will come later as part of a larger project) to allow for >10 Inside Hosts. From what I've read there seems to be a 50 license upgrade out there. Can this be purchased directly? From whom? Will it only affect the Inside Hosts number and not affect any other licenses, configurations, etc. Just being overly cautious since this is way outside of my normal realm. Below is the current activation-key information....
Result of the command: "show activation-key"
Serial Number: xxxxxxxxxxxxxx Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
Is there a way to do a similar thing on the ASA 5520?
I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.
I've just taken over a new network with a Cisco ASA5520. Everything is working fine, except I am being bombarded with 106001 alerts from a few internal hosts to one specific internal host. The description in general is "Inbound TCP connection denied from 10.1.0.1 to 10.1.0.5 - both of those are valid internal hosts and the TCP ports are also valid. I tried looking at the log and getting it me to tell me which rule was causing these alerts, but it just came back with 'It's not possible for these type of alerts'
- How is it possible for the ASA to even pick up on this when, in theory, the source host wouldn't be going near the ASA since it's on the same subnet?
- What might be causing this?
- How can I turn it off!! (I guess that'd be fixed by point 2)
1. To specify static IPs for components on my network, is it simply a matter of reserving each component in the DHCP Reservations List portion of the Network Settings page?
2. On the same page, in the DHCP Server Settings portion, if Enable DHCP Server : is deselected, does this mean that only the hosts specified in the DHCP Reservations List can access the network? In other words, is access now restricted to these entries?
3. If the DIR-615 is powered OFF, will the above settings, etc. be lost (similar to a reset)?
I have a SG300 Switche working in layer 3 mode.I configured 3 VLANs on the switch, assigned all ports, given IP addresses to VLANs interfaces, etc.Now I want to implement ACL to permit or deny access between vlans and hosts.Can I apply an ACL to a whole VLAN (in or out) like Catalyst models?I mean apply the ACL to the entire vlan or the only way in this model is to implement that ACL port by port?Every time I have a new port configure to work in a Vlan I have to implement the ACL?
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
