topic Help with IIS PAT for ASA5510 in Network Security

Help with IIS PAT for ASA5510

shostackr — Tue, 12 Mar 2019 02:15:28 GMT

Ok I am pretty new to CISCO configuration. We recently bought an ASA so that we can secure an IIS server behind it. The IIS Server will be doing http and https. I guess I want to do a static nat to nat the outside fixed IP of the website to an internal address. (I think in CISCO terms it's called a PAT) I am just looking for someone to tell me if I configured it correctly? I think I am very close. The thing I think is wrong is for somereason the global (exernal) and nat (internal) for some reason are labeled 101? Should that be changed to something different? Any help you would provide would be sorely appreciated from a newbie like me. I think I am close, but only a trained eye could tell me how close.

Thanks in advance!

ASA Version 8.2(5)
!
hostname ciscoasa

!
interface Ethernet0/0
nameif External
security-level 0
ip address (External WEBSITE FIXEDIP) 255.255.255.0
!
interface Ethernet0/1
nameif Internal
security-level 100
ip address (INTERNAL INTERFACE IP) 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list External_access_in extended permit tcp any host (EXTERNAL FIXED IP) eq www
access-list External_access_in extended permit tcp any host (EXTERNAL FIXED IP) eq https
pager lines 24
logging asdm informational
mtu management 1500
mtu External 1500
mtu Internal 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (External) 101 interface
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,External) tcp interface www (INTERNAL IIS SERVER IP) www netmask 255.255.255.255
static (Internal,External) tcp interface (INTERNAL IIS SERVER IP) https netmask 255.255.255.255
access-group External_access_in in interface External
route External 0.0.0.0 0.0.0.0 (EXTERNAL GATWAY IP OF ISP) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context

Re: Help with IIS PAT for ASA5510

Jouni Forss — Mon, 22 Jul 2013 18:03:02 GMT

Hi,

The "global" and "nat" configuration simply match the source addresses/subnets for the Dynamic NAT or PAT. The ID number used there doesnt really matter in your case.

The type of NAT you ha ve done for the server is called Static PAT

The configuration is otherwise fine but your missing the "https" after the "interface" parameter.

Are you saying that connections from the External network aren't working?

Naturally with HTTPS the problem might be that the ASA uses that port for ASDM GUI management connections. If you want to change the default port of ASDM Management connections you can use the command

http server enable

This should leave the port TCP/443 usable for other purposes on your "External" interface. Though I have to say that I am not sure is there any overlap at the moment. You have not enabled any ASDM management on the "External" interface.

You can also use the "packet-tracer" command to simulate a packet incoming from the External network towards your public IP address on certain port. This will usually tell you if the configurations on the ASA are OK and if the traffic/connections is allowed.

You could use for example

packet-tracer input External tcp 1.1.1.1 12345 80

packet-tracer input External tcp 1.1.1.1 12345 443

Hope this helps

- Jouni

Help with IIS PAT for ASA5510

shostackr — Mon, 22 Jul 2013 18:18:00 GMT

I haven't rolled it out as of yet, I am just trying to see if I got it configured correctly? I am hoping to roll it out and not have to fiddle with it.(as that I really don't have the expertise.)

where do I need the "https" after the "interface" ?

I really don't want any management enabled on my external interface. (only internal and management port mgt access.) Thus I didn't enable on the external port? Will this conflict with my planned configuration?

Thanks for your help!

Re: Help with IIS PAT for ASA5510

Jouni Forss — Mon, 22 Jul 2013 18:23:50 GMT

Hi,

I only meant that you have a typo in the other Static PAT configurations.

This is the above configuration

static (Internal,External) tcp interface www (INTERNAL IIS SERVER IP) www netmask 255.255.255.255

static (Internal,External) tcp interface (INTERNAL IIS SERVER IP) https netmask 255.255.255.255

The Static PAT for the port TCP/443 is lacking the "https" after the "interface" parameter. But as the ASA would not accept the command in its current form I am sure you would notice it eventually.

static (Internal,External) tcp interface https (INTERNAL IIS SERVER IP) https netmask 255.255.255.255

In general the configuration seems ok to me and should work.

Interfaces configured and enabled
Default route configured
Dynamic PAT and Static PAT configured for Internal users
Access-list configured and attached to the External interface

- Jouni