topic How recently have you in Network Security

Cisco ASA 5505 9.24 Multiple public IPs to multiple internal servers

bayarealocks — Tue, 12 Mar 2019 06:27:38 GMT

Hi!

I'm really hoping someone might be able to help me here. What I'm trying to do seems like it should be really simple, but I've not had much luck.

I recently switched from a Juniper SRX to a Cisco ASA and am having issues with trying to get things set up. Here's the basic setup:

I have multiple public IPs from my ISP under a /26 netmask (vlan is called astound).
I have multiple internal servers running on a 10.x.x.x netblock, each running varying services (vlan is called servers).
I also have a "trusted" network internally for my non-server hosts (workstations, etc.) and the vlan is called trusted.
Each of the above networks are in their own vlans, "switchport access vlan xxx" on the appropriate interfaces.
Both the "external and dmz" are security level 0, and the "trusted" is security level 100.
The "same-security-traffic permit inter-interface" setting is enabled.
The Cisco ASA 5505 has 512M of ram, 9.2(4) firmware, and a security plus license.

The main issue I am having is trying to make the multiple public IPs work. If I set up objects and nat for one webserver, and use the "interface" address then I can access the web server externally via it's public IP.

But if I leave that alone, then simply change the webserver NAT to a secondary IP, it no longer works. For example:

object network webserver
host 10.1.10.10
nat (servers,astound) static interface service tcp www www

Works and allows the "interface" address, the public IP, to route to the webserver properly. The interface address is 75.12.10.229.

But this doesn't work:

object network webserver
host 10.1.10.10
nat (servers,astound) static 75.12.10.230 service tcp www www

(the IP here is a secondary public IP I have)

I also tried to set up the secondary IP as an object (object network astound-230, host 75.12.10.230) and reference it that way but it doesn't help. I also have the ACLs in place as far as I know. Any ideas what's going on?

Here's relevant parts of my config for the setup that does work - interface public IP serves http from the webserver:

: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
interface Ethernet0/0
 switchport access vlan 10
!
interface Ethernet0/1
 switchport access vlan 100
!
interface Ethernet0/2
 switchport access vlan 200
!
interface Vlan1
 nameif mgmt
 security-level 0
 no ip address
!
interface Vlan10
 nameif astound
 security-level 0
 ip address 75.12.10.229 255.255.255.192
!
interface Vlan100
 nameif trusted
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan200
 nameif servers
 security-level 0
 ip address 10.1.10.1 255.255.255.0
!
same-security-traffic permit inter-interface
!
object network webserver
 host 10.1.10.10
 nat (servers,astound) static interface service tcp www www
!
access-list outside-in extended permit tcp any object webserver eq www
access-list servers-out extended permit tcp any any
access-list servers-access-out extended permit udp any any
access-list astound-ping extended permit icmp any4 any4 echo
access-group servers-out out interface servers
access-group outside-in in interface astound
!
ip verify reverse-path interface astound
dynamic-access-policy-record DfltAccessPolicy
!
route astound 0.0.0.0 0.0.0.0 75.12.10.193 1
!
..snip

How recently have you

Jon Marshall — Wed, 19 Aug 2015 16:45:34 GMT

How recently have you switched over ?

For any IPs that are not assigned to an interface but are part of the same IP subnet as the interface IP your ISP will use arp to resolve the IP and your firewall will respond with the outside interface mac address.

If you have recently switched over then your ISP may well still have the old entries in their arp cache on their router.

The outside interface IP itself is usually updated because you usually have internal clients connecting to the internet using that IP which refreshes the ISP arp cache.

If that is not the issue ie. it has been a while since you moved across can you post the output of -

"packet-tracer input outside tcp 8.8.8.8 12345 75.x.x.230 www"

Note also that this is a public forum so if those are you real public IPs can you do as I have done above.

Jon

Hi Jon,Thanks for your reply.

bayarealocks — Wed, 19 Aug 2015 23:57:34 GMT

Hi Jon,

Thanks for your reply. One thing to note is that in order for the interface address to work at all I needed to restart my cable modem. Once I did that the public IP of the external interface worked, and routed http traffic to my web server. This tells me it might be related to the multiple public IPs not working, although I beg the question -- if the Cisco ASA only allows one real IP on the external interface, how to the other IPs respond via arp to the modem if they're only NATted to the servers? I am assuming pings won't reply to IPs that are just static NATted to the internal server subnet.

Also, I have modified the "public" ips in my posting as I understand the nature of this forum. Hope I didn't step on someone else's toes by making up new IPs, I know those are someone's real IPs 🙂

I'll try the packet tracer this evening to see what I get.

Thanks again,

Dennis

Hey Dennis,

gchana2011 — Mon, 21 Mar 2016 12:54:11 GMT

Hey Dennis,

Did you ever resolve this issue? I have exactly the same problem and its racking my brain!!

Thanks

No, unfortunately I did not.

bayarealocks — Mon, 21 Mar 2016 15:03:00 GMT

No, unfortunately I did not. I spoke with some network guys at work and they agreed that this is an issue with the ASAs which I was really surprised to hear.

In the process of trying to fix my issue I tried a Watchguard (which I've worked with before) but there's this whole license thing that's expensive.

Finally, I was able to get my Juniper SRX going and absolutely love it! Once I stepped into the JunOS world I made it over the learning hump and think it's a great product.

I wish the ASA supported multiple IPs on it's outside interface. I was expecting to be able to add an ip address and multiple "ip address x.x.x.x secondary" like you can on a Cisco switch's interface port. I use a Cisco 4948 and that's a standard setting there.

Best of luck and I hope you can find yourself a good solution!

Damn! Looks like I may have

gchana2011 — Tue, 22 Mar 2016 09:02:37 GMT

Damn! Looks like I may have to explore other alternatives.

Thanks for responding Dennis, much appreciated 🙂

I have several ASAs with

Peter Koltl — Thu, 24 Mar 2016 22:07:02 GMT

I have several ASAs with similar configuration so such a setup should work. Please check

show connection detail long

show xlate det

while trying to connect. What logs are generated during the attempt?

Hey Peter,

gchana2011 — Tue, 29 Mar 2016 10:07:02 GMT

Hey Peter,

Thanks for the response.

Below is my sanitised config. What I am trying to do is portforward for a spare IP that I have (represented as 100.XXX.XXX.3), instead of the interface IP, represented as 100.XXX.XXX.2. As I had this problem quite a while back I had to resort to using a second ASA for the port forwards associated with the secondary IP, therefore I do not have any outputs I can provide at the moment, sorry. ASA is relatively new to me so any help you can provide would be greatly appreciated.

hostname MYASA
domain-name MYDOMAIN.COM
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
description **INTERNET FACING LINK**
nameif outside
security-level 0
ip address 100.XXX.XXX.2 255.255.255.248
!
interface GigabitEthernet0/1
description **INTERNAL CORP NETWORK**
nameif Corp
security-level 100
ip address 10.10.2.17 255.255.255.0
!
interface GigabitEthernet0/2
description **ENGINEERS NETWORK**
nameif Engineers
security-level 100
ip address 10.9.1.1 255.255.0.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name MYDOMAIN.COM
object network CORP
subnet 10.10.2.0 255.255.255.0
object network MAIL_SVR
host 10.10.2.61
object network PPTP_SVR
host 10.10.2.60
object network SECUREWEB_SVR
host 10.10.2.61
object network WEB_SVR
host 10.10.2.61
object network FTP_SVR
host 10.10.2.64
object network Engineers
subnet 10.9.0.0 255.255.0.0
object network Telnet
host 10.10.2.11
object network MAIL2_SVR
host 10.10.2.63
object network WEB3_SVR
host 10.10.2.62
object network MAIL_SVR2
host 10.10.2.63
object network WEB3SEC_SVR
host 10.10.2.62
object network MAILSEC_SVR
host 10.10.2.63
object network RDP
host 10.10.2.69
access-list OUTSIDE_IN extended permit tcp any object SECUREWEB_SVR eq https
access-list OUTSIDE_IN extended permit tcp any object MAIL_SVR eq smtp
access-list OUTSIDE_IN extended permit tcp any object PPTP_SVR eq pptp
access-list OUTSIDE_IN extended permit gre any object PPTP_SVR
access-list OUTSIDE_IN extended permit tcp any object WEB_SVR eq www
access-list OUTSIDE_IN extended permit tcp any object FTP_SVR eq ftp
access-list OUTSIDE_IN extended permit tcp any object Telnet eq telnet
access-list OUTSIDE_IN extended permit tcp any object MAIL2_SVR eq smtp
access-list OUTSIDE_IN extended permit tcp any object WEB3_SVR eq www
access-list OUTSIDE_IN extended permit tcp any object MAIL_SVR2 eq imap4
access-list OUTSIDE_IN extended permit tcp any object WEB3SEC_SVR eq https
access-list OUTSIDE_IN extended permit tcp any object MAILSEC_SVR eq 993
access-list OUTSIDE_IN extended permit tcp any object RDP eq 3389
pager lines 24
mtu outside 1500
mtu Corp 1500
mtu Engineers 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network CORP
nat (Corp,outside) dynamic interface
object network MAIL_SVR
nat (Corp,outside) static interface service tcp smtp smtp
object network PPTP_SVR
nat (Corp,outside) static interface service tcp pptp pptp
object network SECUREWEB_SVR
nat (Corp,outside) static interface service tcp https https
object network WEB_SVR
nat (Corp,outside) static interface service tcp www www
object network FTP_SVR
nat (Corp,outside) static interface service tcp ftp ftp
object network Engineers
nat (Engineers,outside) dynamic interface
object network Telnet
nat (Corp,outside) static 100.XXX.XXX.3 service tcp telnet telnet
object network MAIL2_SVR
nat (Corp,outside) static 100.XXX.XXX.3 service tcp smtp smtp
object network WEB3_SVR
nat (Corp,outside) static 100.XXX.XXX.3 service tcp www www
object network MAIL_SVR2
nat (Corp,outside) static 100.XXX.XXX.3 service tcp imap4 imap4
object network WEB3SEC_SVR
nat (Corp,outside) static 100.XXX.XXX.3 service tcp https https
object network MAILSEC_SVR
nat (Corp,outside) static 100.XXX.XXX.3 service tcp 993 993
object network RDP
nat (Corp,outside) static 100.XXX.XXX.3 service tcp 3389 3389
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 100.XXX.XXX.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 10.10.2.0 255.255.255.0 Corp
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp

I can't spot any errors in

Peter Koltl — Tue, 29 Mar 2016 20:38:48 GMT

I can't spot any errors in the config so the show outputs are needed.

Hello Peter,

gchana2011 — Wed, 30 Mar 2016 08:53:42 GMT

Hello Peter,

As this is no longer a production configuration I'll try and lab this today for you.

Thanks for your time.

Hello Peter,

gchana2011 — Wed, 30 Mar 2016 09:59:06 GMT

Hello Peter,

I labbed this out and this is what I managed to capture.

I used a laptop running PRTG for my web server (10.10.2.61) and a switch configured for telnet access (10.10.2.11) to simulate someone trying to access the 2 different public IP's from the outside.

Here is what I got from the "show connection detail long" when trying to access 100.100.100.3 (the spare IP):

TCP outside:200.200.200.2/57934 (200.200.200.2/57934) Corp:10.10.2.11/23 (100.100.100.3/23), flags SaAB, idle 5s, uptime 14s, timeout 30s, bytes 0

This is what I got when I tried to access the web server (on interface IP 100.100.100.2), which went straight through to the management page:

TCP outside:200.200.200.2/57995 (200.200.200.2/57995) Corp:10.10.2.61/80 (100.100.100.2/80), flags UB, idle 3s, uptime 3s, timeout 1h0m, bytes 0
TCP outside:200.200.200.2/57994 (200.200.200.2/57994) Corp:10.10.2.61/80 (100.100.100.2/80), flags UB, idle 3s, uptime 3s, timeout 1h0m, bytes 0

"Show xlate detail" didn't work for my lab ASA which is on 8.4 so I did a "debug nat 255" instead (not that this is an equivalent command):

nat: untranslation - outside:100.100.100.3/23 to Corp:10.10.2.11/23
nat: untranslation - outside:100.100.100.3/23 to Corp:10.10.2.11/23
nat: untranslation - outside:100.100.100.3/23 to Corp:10.10.2.11/23
nat: policy unlock 0xae29f900, old count is 18
nat: policy lock 0xae29f900, old count is 1

In regards to logs, this is what is displayed in the logging buffer when I try and connect:

%ASA-7-609001: Built local-host Corp:10.10.2.11
%ASA-6-302013: Built inbound TCP connection 170 for outside:200.200.200.2/58473 (200.200.200.2/58473) to Corp:10.10.2.11/23 (100.100.100.3/23)

Also here is what the "show access-list" and "show nat" displayed after the connection:

access-list OUTSIDE_IN line 7 extended permit tcp any object Telnet eq telnet (hitcnt=0) 0xf4e5c00f
access-list OUTSIDE_IN line 7 extended permit tcp any host 10.10.2.11 eq telnet (hitcnt=8) 0xf4e5c00f

1 (Corp) to (outside) source static Telnet 100.100.100.3 service tcp telnet telnet
translate_hits = 0, untranslate_hits = 8

Let me know if you need anything else while I have the lab running.

Thanks again.

I'm avoiding these multiple

Peter Koltl — Thu, 31 Mar 2016 20:56:03 GMT

I'm avoiding these multiple reply threads... (-:

TCP outside:200.200.200.2/57934 (200.200.200.2/57934) Corp:10.10.2.11/23 (100.100.100.3/23), flags SaAB, idle 5s, uptime 14s, timeout 30s, bytes 0

Analysis: everything is all right except that the switch's SYN-ACK reply from port 23 does not reach the firewall. Probably its default gateway is incorrect or it has a telnet-blocking ACL.

In detail:

The line would not even be placed into the connection table if ASA dropped the request. SaA flags inform us about the incomplete TCP handshake. Original and translated IP and port numbers prove that NAT works correctly.

Morning Peter,

gchana2011 — Fri, 01 Apr 2016 09:44:18 GMT

Morning Peter,

Just checked the config on the switch and it looks good. I have given SVI VLAN1 the IP of 10.10.2.11 and configured it correctly for telnet (tested by adding another host behind the firewall and successfully telnetting to the switch). I have also specified 10.10.2.17 as the default gateway (IP of firewall).

There are no ACL's on the switch, the only ones I have are on the ASA, shown previously.

I am also able to ping the "internet host" of 200.200.200.2, specifying the source IP of the SVI from the switch, so there definitely is reachability.

Any ideas?