Cisco Firewall :: Statically PAT Multiple Internal Hosts To One External Host 5510
Feb 20, 2012
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public ip we had before.There are a couple of PAT translations that were previously setup on the "interface" address which i now want to assign to a different ip address further in my subnet.
So i just changed this:
object network BMMM nat (inside,outside) static interface service tcp smtp smtp to: object network BMMM nat (inside,outside) static other.external.ip.in.subnet service tcp smtp smtp
And assumed that this would work,y it does not, and this leaves me unable to contact that machine from the outside.And shoud i also change my access-list?The relevant access-list rule is:access-list outside_in extended permit tcp any object BMMM eq smtp
I was just wondering if it's possible with an ASA 5510 to connect to the external IP address of an internal server from inside the network. I have already set up dns doctoring for dns lookups, and everything is working fine there. We have an application inside the network that tries to connect straight to the external Ip of another internal server. where to look in the ASDM 6.4?
I also want in internal NAT, but only for certain external hosts, so when they connect to any of the above, their source address is changed. I've attempted the following so an external host (172.16.2.254), has it's source changed to 172.16.1.100.
I've just taken over a new network with a Cisco ASA5520. Everything is working fine, except I am being bombarded with 106001 alerts from a few internal hosts to one specific internal host. The description in general is "Inbound TCP connection denied from 10.1.0.1 to 10.1.0.5 - both of those are valid internal hosts and the TCP ports are also valid. I tried looking at the log and getting it me to tell me which rule was causing these alerts, but it just came back with 'It's not possible for these type of alerts'
- How is it possible for the ASA to even pick up on this when, in theory, the source host wouldn't be going near the ASA since it's on the same subnet?
- What might be causing this?
- How can I turn it off!! (I guess that'd be fixed by point 2)
I am not very familiar with ASA 5520 yet.I have been able to allow the OUTSIDE world to connect via SSH to the intermal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written on the configuration below.
Now I need the INTERNAL network to ssh 172.17.2.50 but ASA stops me with the following error: [code]
I've got an RV180W for my office, and so far it has been great. I have two users that use a certain application that crashes all the time. For some reason, they don't crash when put into the DMZ. Is there any way i can put both of them in the DMZ? I can only figure out how to have one host in the DMZ at a time.
I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:
host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100 host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200 host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.
Due to special circumstances we have 2 ISP links on an ASA5510. I am trying to terminate some L2L VPN tunnels on one link and others on the second ISP Link, eg below:
LOCAL FIREWALL crypto map outside-map_isp1 20 match address VPN_ACL_Acrypto map outside-map_isp1 20 set peer 1.1.1.1crypto map outside-map_isp1 20 set transform-set TS-Generic crypto map outside-map_isp2 30 match address VPN_ACL_Bcrypto map outside-map_isp2 30 set peer 3.3.3.3crypto map outside-map_isp2 30 set transform-set TS-Generic crypto map outside-map-isp1 interface ISP_1crypto map outside-map-isp2 interface ISP_2 crypto isakmp enable ISP_1crypto isakmp enable ISP_2 route ISP_1 0.0.0.0 0.0.0.0 1.1.1.254route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254
Establising the VPN tunnels in either direction when using ISP_1 works fine establishing in either direction from remote access users and multiple L2L tunnels (only showing one for example).
On ISP_2 1. Peer 3.3.3.3 device establishes a VPN tunnel, but the return traffic does NOT get back to devices on 3.3.3.3 tunnel. 2. The local firewall does NOT establish a VPN tunnel going to 3.3.3.3 It would seem to indicate that the problems lies with this multihomed firewall not directing the traffic correctly to either return down and establised VPN tunnel (point1) or to intiate a tunnel if none exists (point 2).
Reconfiguring the VPN tunnel peer for 3.3.3.3 to be on ISP_1 of the local firewall, all springs into life! There are sufficient license etc...
I've been attempting to fix this issue or confirm the issue is not with the firewall and I have kind of run into a road block. This is my problem as I understand it. A client of mine has a VPN tunnel built over a point to point connection of some kind (this client is fairly new to me) and is unable to access some hosts on the remote end of the VPN tunnel from the LAN side of the firewall. The LAN IPs are NAT'd as they leave the network from the HPH-Point-to-Point interface to the remote end. Just as a point of reference, the LAN IP of 129.200.11.19 is said to be working, however the range of 129.200.20.25 - .50 is not. I've tried packet-tracer but with the NAT happening over a VPN tunnel I am not sure if I am doing it correctly.
I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. This is my config file, what I need to change in order to make it work?
I have just started to use an ASA 5510 for my network. I use the DHCP server on it and after i made the change over to ASA hosts started loosing their IP address. This was not a problem before on my old firewall that aso had the roll of DHCP.
Is it possible that something is wrongly sett on the asa? All traffic is flowing normaly when this does not happen.
Information: Lease length: 172800 address pool: 134 addresses hosts: around 45 + mobile units 45
This is an issue I'm currently exploring with TAC, but I'd like a quick reality check. We have a pair of ASA 5510s in Active/Standby stateful failover mode. In some tests failing over from the active to the standby system breaks SSH connections from hosts on our Inside to hosts on our DMZs.
A specific example is our backup server on Inside which is connecting to our mail server in the DMZ2, and running ssh/rsync/scp for the backups. A running backup job fails with network timeout errors when I trigger the failover. Also, sometimes the mail server loses or hangs on its connection to our LDAP server in DMZ1, although sometimes this connection is fine (DMZ2 is more "inside" than DMZ1, and I assume the LDAP look ups are many short connections, vs the rsync backup being one long connection).
TAC has suggested that open SSH sesions will always fail when the ASAs failover. I believe this is true for management connections to the ASA, but I don't see why it should be the case for an SSH session through the ASA to a server in the DMZ. TAC has suggested that I open some connections to servers in the DMZ and test what happens, and I can do so this Wednesday morning during a maintenance window.But, in general, is this true? That is, given an SSH session from a workstation to a server, should a failover break it? If so, why?
That is, all our inside VLANs are routed by our core L2/3 switch to a VLAN that connects to the Primary and Secondary ASA's INSIDE ports. There are also seperate VLANS on the core for the ASA's DMZ1 and DMZ2 connections, which go to both ASAs and to any servers in these zones.
The description of the ASA Stateful failover [URL]says: "The state information passed to the standby unit includes these:
· The NAT translation table · The TCP connection states · The UDP connection states · The ARP table · The Layer 2 bridge table (when it runs in the transparent firewall mode) · The HTTP connection states (if HTTP replication is enabled) · The ISAKMP and IPSec SA table · The GTP PDP connection database
[code]....
I'm not quite sure what the ISAKMP and IPSec SA tables do, but shouldn't an SSH connection through the ASA be just a TCP connection? "For us, SSH from Inside to hosts in the DMZ survives failover," or, "Yah, failover breaks all SSH sessions."
I have an ASA 5510 which i've configured for internet access.I can connect to the internet from the ASA box,I can ping public networks from the console of the ASA box,but cannot access public hosts from internal hosts connecting via the ASA box.Find my config below to know what i ahave omitted or committed.
I have Astaro UTM running on an old computer as my only firewall right now. The Astaro also serves as my DHCP server. My Wifi is provided by a Linksys E3000 running DD-WRT software. NAT/SPI are disabled on the E3000, and it forwards DHCP requests to the Astaro. All my network clients connect via wifi/ethernet to the E3000.
All clients --> E3000 (no firewall) --> Astaro --> www
I am considering setting up my own personal cloud server using a Synology NAS that I can access remotely. I would also like to remotely access my Surveillance DVR. I would like to access them via VPN or portforwarding. I do not want to use DMZ.
I would like to utilize the SPI firewall on the E3000 to provide an extra layer of defense. I would like the NAS and the DVR to be on an external LAN between the Astaro and the E3000...and all other clients being on an internal LAN behind the E3000. I have the necessary switches/cables to make this work.
My question is...How do I configure the E3000? Can I have both the internal and external LANs on the same subnet? Do I have to use the NAT on the E3000? I'd rather not...since that will render the Astaro's reporting functions rather worthless.
I would like the Astaro to remain the only DHCP server. I would like all internal LAN clients to be able to reach out to the external LAN/WAN...but the external LAN should not be able to reach into the Internal.
I have a Cisco 5505, 2 sites that are internal, 1 external IP (dhcp from cable modem). While on my laptop, ipad, iphone, I cannot access the server via it's external IP address. I MUST use the internal IP in order to access this site. I have heard of hairpinning, internal dns server(don't really want this).
I am aware that we can allow external admins to telnet over a custom port to the internal router. Even i was allowed to connect to a remote router via the remote firewall. The way i was accessing the router is by telnet to the remote ASA address on port 8023.I am not sure how exactly we can configure this on a ASA.
I have an old ASA 5505, and I'm having some trouble with Nat Hairpinning. I've done this with other firewalls before and I am having no luck now. I have an internal address that I wish to forward from an external address- so if someone goes to 123.456.789.012:3456 then it will forward to 192.168.1.244:92 (All numbers are arbitrary here- only for illustration). I have and Access Rule and NAT and PAT set up so that I can get in if I originate from outside the LAN. What I am trying to do is to have this work from inside the LAN as well- so that if I am at my desk, and I connect a device and type in 123.456.789.012:3456, it will deliver the content at 192.168.1.244:92. The problem I am having is that it just isn't working, and I cannot figure out why- When I started here, there was an address configured to work this way, and it still works- I just cannot find what is different between what I am doing and what the person who configured it did.
We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?
I am using a 6500 with FWSM. I need to separate an internal server/HQ network from 3 or 4 different external connections. The external networks do not necessarily need to be isolated from each other.I have the option of using a 3 layer model: L2 Access layer to SVIs on the Distribution layer and then L3 to the 6500.L2 Access, connecting directly to the 6500s, with the SVIs on the FWSM.Is it better to have the FWSM outside the MSFC or Inside? Am i correct in thinking that "inside" vs "outside" is determined by whether the SVI's are configured on the FWSM or the MSFC? is there any performance impact from having the FWSM doing the routing instead of the MSFC.If the vlans are all configured on the FWSM, what is the 6500 doing, other than providing switch ports?
We have a working config with 1 external IP, we need to a second webserver (https) and it should be routed via a second public IP address. I already tried some suggestions from the community but haven't been able to find the solutions.
xxx.xxx.xxx.194 is going to the internal IP of 192.168.60.1 for OWA (https) xxx.xxx.xxx.195 should go to a new webserver on 192.168.60.3
both server should be connected using SSL This is the current configuration :
ASA Version 8.3(1) !hostname fwdomain-name domain.localnames!interface Vlan1nameif insidesecurity-level 100ip address 192.168.60.250 255.255.255.0 !interface Vlan2nameif outsidesecurity-level 0ip address xxx.xxx.xxx.xxx 255.255.255.0 !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveclock timezone CEST 1clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00dns server-group DefaultDNSdomain-name domain.localobject network obj_any subnet 0.0.0.0 0.0.0.0object network NETWORK_OBJ_192.168.70.0_26 subnet 192.168.70.0 255.255.255.192
I have an existing pair of PIX 515E that has two interfaces. One connected to the public internet via my ISP and one internal. I recently ran out of IP's and had the ISP route an additional block to public IP of my firewall. This isn't working for some reason and I'm trying to figure out why.
The "ip address outside XXX" command defines the outside address and I don't see any way to add a secondary sub net.
I tried just adding a rule to the firewall for one of the IP's in the new subnet, but I can't seem to get traffic to pass though the device.
if possible with the RV042.Primary External IP address uses port forwards for some ports, all okay.I would like to have other external ip addresses assigned to machines on my lan.Basic host multiple web servers, on different IP addresses, using port 80. [code]
From what i am reading, it looks like the RV042 can do this, but I am not real clear what my rules should look like.
I would think my high priority rule for each external IP address would be to deny all traffic first for each machine on the lan.Then create one entry with source 202.x.x.2 port 80 -> 192.168.168.2 ?
How should I set my rules to do this, and what settings should I have on the Nic of the second machine?
I have an ASA 5505 with the security plus software and I'm trying to find out how to assign 2 public IPs to the outside interface and have each IP routed to a separate internal VLAN. For example, IP 1 = X.X.X.1 routed to 192.168.1.0 and IP 2 X.X.X.2 routed to 192.168.2.0. I was told this was possible and I've been trying to find configuration examples, but I can't seem to get anywhere and now I'm getting desperate because I'm scheduled to install it this weekend.
This question is in the context of servers sitting in a colocation environment behind an ASA5510 with security plus license.Our colo provider is going to be statically routing a /28 public subnet to our ASA5510 (say 1.1.1.0/28). We will also be getting a single IP (say 2.2.2.2/30) on a small router-to-router subnet (2.2.2.0/30) to which the 1.1.1.0/28 subnet will be statically routed to our ASA5510 from our colo provider.I will obviously set the outside interface of the ASA to be 2.2.2.2/30 so that the colo provider can route the 1.1.1.0/28 subnet to it. I will also set a default route to 2.2.2.1 which is the IP of our colo providers gateway (and the router that will be statically routing the 1.1.1.0/28 subnet to us).
We have various servers in the same rack as the ASA (connected via a 3750G switch). Some of these servers need to be exposed to the internet (web, email, etc servers) and some do not (database servers).I'm considering 2 different ways of designing the network but I have questions about both and not sure which way to go:
1) Scenario #1: Using NAT and private IP's for all servers.In this scenario where/how do I assign the internal network (say 10.1.1.0/24) and the public routed subnet (1.1.1.0/28)? I assume the internal 10.1.1.0/24 is an inside network assigned to the interface connected to the 3750G (to which all the servers connect). However, where do I assign the public routed subnet (1.1.1.0/28) since it is somewhat "nebulous" in that it has to reside somewhere on the ASA so that it can then NAT to the internal (10.1.1.0/24) IP's. Also, is it considered an outside or inside network - and on which interface? My confusion is that If its added to the outside interface then won't that conflict with the 2.2.2.2 IP to which the colo provider is routing our 1.1.1.0/28 subnet to? And if its on the inside interface connected to the 3750G then wont that conflict with the 10.1.1.0/24 private IP range of the servers?
2) Scenario #2: Using public IP's for all servers:This scenario seems more straightforward to me: I would want to assign IP's from the statically routed subnet (1.1.1.0/28) to my servers so that range would be configured as an inside network on the interface connected to the 3750G (to which all the servers connect). This would be configured on a specific VLAN (say vlan 50). I would then have another VLAN (say VLAN 100) on the 3750G that has a private IP range (say 10.1.1.0/24) so that non-public servers (database, etc) would reside on there. All public servers that need access to private servers would have a NIC on both VLANS (50 + 100). My question is is this the correct way of approaching this? I also like this because I dont have to worry about NAT and the ASA can act as a router/firewall and things are clear in terms of whats happening.
Ultimately I'm not sure which is the best way to go in terms of having all servers on a private IP range and just NAT to them (as per scenario 1), or implement scenario 2 where servers have two interfaces.The main thing thats bugging me from scenario 1 is I'm not sure where/how to assign the statically routed subnet (1.1.1.0/28) on the ASA? (inside? outside? which interface?).
Trying to use the "File Operations" option to import hosts into ACS. I go through the wizard and click "Finish", the pop up goes blank and just hangs there. No errors are generated.
I'm having an issue where internal hosts cannot access the internet but I am able to ping external hosts when I console into the router. The router is a 2800 series. [code]
ASA 5505 Firmware 8.3(4), ADSM 6.4(2).I have a public IP address of 168.87.3.4.I need to forward ports (5060, 5080, etc.) to one internal address. (192168.1.1).I need to foward different ports (10020-10080) to a different internal address (192.168.1.2) Everything I read tells me how to do this in a 1 to 1 static NAT.
DNS resolution works and I can surf the web without fail. But if I try to ping any external hosts (I can ping inside interface of ASA fine) from the LAN I get timeouts. I can ping anything from the ASA without fail.
