topic Need Help on one Firewall Question in Network Security

Need Help on one Firewall Question

jaskamboj — Tue, 12 Mar 2019 02:10:40 GMT

Hi All,

I am using cisco asa in my environment and which is connected to l2. One server and one router is also connected to L2. Now i want to access port 80 on my server from outside.

How its possible if the server gateway is routers ip and i don't want to add static route in router or server towards the firewall. Nat and access List is done on firewall. what else i can do on firewall to access port 80 of my server from outside. Dont want to change anything on router/server.

Below is the IP detail

1. Firewall inside 192.168.1.1 & Outside 1.1.1.1

2. Router IP - 192.168.1.2

3. Server IP - 192.168.1.3 & GW - 192.168.1.2

Need Help on one Firewall Question

Jouni Forss — Wed, 10 Jul 2013 18:20:15 GMT

Hi,

According to your explanation the packets would arrive on the ASA and reach the server but the server would forward them through the router which would then probably forward them through another Internet connection or what is the default gateway of the router?

If its something else than the ASA then the connections will fail.

- Jouni

Need Help on one Firewall Question

jaskamboj — Wed, 10 Jul 2013 18:38:18 GMT

Hi Jouni,

Thanks for Reply

Yes the default gateway is something else than the ASA and the connection getting failed. But is there any configuration which we can done on firewall to make it work. I hear from someone that we can done some mapping on firewall with that server and it should work even if the default gateway of server is different. and if the GW of router is not asa.

Need Help on one Firewall Question

Jouni Forss — Wed, 10 Jul 2013 18:40:33 GMT

Hi,

What is the software level of your firewall?

- Jouni

Need Help on one Firewall Question

jaskamboj — Wed, 10 Jul 2013 18:46:29 GMT

Hi,

Its Pix Firewall 7.2

Re: Need Help on one Firewall Question

Jouni Forss — Wed, 10 Jul 2013 18:55:14 GMT

Hi,

Well the only ways I could think that the connections could be gotten working would be

Policy Based Routing on the Router that would forward the web servers traffic through the firewall instead of the routers default gateway (even just the return traffic for web connections)
Configuring NAT on the ASA firewall so that all traffic from the Internet would be NATed to an internal IP address from the network 192.168.1.0/24. This would mean that the server would be sending the traffic to ASA instead of using its default gateway. And this is ofcourse because the server would be seeing all connections coming from its connected network and wouldnt have to use the default gateway.

You havent mentioned what type of NAT you are doing on the ASA for the server Static PAT or Static NAT. Static PAT would be forwarding a single (or several ports) only while Static NAT would be dedicating a single public IP address for the server.

I would imagine that you would have to configure 2 separate NAT statements

Dynamic Policy PAT for the External hosts

This should NAT all traffic coming from the Internet to the IP address of your ASAs "inside" interface WHEN the destination is the public IP address of your Web server.

access-list POLICY-NAT-WEBSERVER remark NAT inbound web traffic to an internal IP address

access-list POLICY-NAT-WEBSERVER permit tcp any host 1.1.1.1 eq 80

nat (outside) 100 access-list POLICY-NAT-WEBSERVER

global (inside) 100 interface

Static NAT or Static PAT for Web server

Either of these NAT configurations should forward the connections to your Web servers public IP address on port TCP/80 to the Web server.
Together with the above NAT configuration the return traffic from the Web server should flow back through the ASA.

static (inside,outside) 1.1.1.1 192.168.1.3 netmask 255.255.255.255

static (inside,outside) tcp 1.1.1.1 80 192.168.1.3 80 netmask 255.255.255.255

If you are using the public IP address on the ASA "outside" interface then replace the 1.1.1.1 with "interface". The IP address 1.1.1.1 stands for a public IP address that you might use.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Need Help on one Firewall Question

jaskamboj — Wed, 10 Jul 2013 19:16:52 GMT

Hi,

Have done the following configuration only.

static (inside,outside) tcp 1.1.1.1 80 192.168.1.3 80 netmask 255.255.255.255

access-list server permit tcp any host 192.168.1.3 eq 80

Now according to you need to add Dynamic policy as well for external hosts.

Will try and reply you.

Thanks

Need Help on one Firewall Question

Jouni Forss — Wed, 10 Jul 2013 19:20:08 GMT

Hi,

Yes, the Static PAT (Port Forward) that you have configured will forward the traffic to your Web server but the return traffic will still be forwarded to the router by the web server and the connections will fail.

However, if we configure the Dynamic Policy PAT which NATs any users on the Internet to your firewalls "inside" interface local IP address then the Web server will send the return traffic there since host communicating in the same subnet will always send the traffic directly to eachother.

- Jouni

Need Help on one Firewall Question

jaskamboj — Thu, 11 Jul 2013 13:32:09 GMT

Hi Jouni,

Have tried but no luck. Below is my configuration.

interface GigabitEthernet0

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.0

interface GigabitEthernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

object network WEBSERVER

host 192.168.1.3

access-list WEBSERVER extended permit tcp any host 192.168.1.3 eq www

access-list WEBSERVER extended permit tcp any host 1.1.1.1 eq www

object network WEBSERVER

nat (inside,outside) static interface service tcp www www

access-group WEBSERVER in interface outside

nat (outside) 100 access-list WEBSERVER

global (inside) 100 interface

Need Help on one Firewall Question

jaskamboj — Thu, 11 Jul 2013 13:52:53 GMT

Have tried this on ASA version 8.4

Need Help on one Firewall Question

Jouni Forss — Thu, 11 Jul 2013 16:20:51 GMT

Hi,

You said you had PIX 7.2?

The NAT configuration format I provided only works up to software level 8.2

At 8.3 and after the configuration format is totally different.

Which one are you using?

- Jouni

Need Help on one Firewall Question

jaskamboj — Thu, 11 Jul 2013 18:17:03 GMT

Hi,

Today i have tried on ASA with software version 8.4.

Need Help on one Firewall Question

Jouni Forss — Thu, 11 Jul 2013 18:40:13 GMT

Hi,

In the new format you might be able to do both of the NAT configurations with a single "nat" command

object network WEBSERVER

host 192.168.1.3

object service WWW

service tcp source eq www

nat (inside,outside) source static WEBSERVER interface destination static interface any service WWW WWW

This should both do Static PAT for your Webserver and translate any source address on the Internet to the "inside" interface IP address WHEN they access your Web server through TCP/80

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

Need Help on one Firewall Question

jaskamboj — Sat, 13 Jul 2013 06:33:55 GMT

Hi Jouni,

Thanks Alot for help. Its working fine now.

Can you please share me the commands for Version 7.2 also.

Need Help on one Firewall Question

Jouni Forss — Sat, 13 Jul 2013 14:19:03 GMT

Hi,

I provided that configuration in the earlier replies. The ones done with "static" , "nat" and "global" configurations.

I have not tested the setup myself but it would seem like the only way to do it that I can think of at the moment.

Please do remember to mark a reply as the correct answer if it has answered your question.

- Jouni

Need Help on one Firewall Question

jaskamboj — Sat, 13 Jul 2013 18:22:14 GMT

Hi Jouni,

Have tried with earlier configuration but no luck..

Need Help on one Firewall Question

Jouni Forss — Sat, 13 Jul 2013 19:08:16 GMT

If you have those old NAT format configurations on your PIX firewall then I would like to see the output of a "packet-tracer" command simulating a connection coming for your webserver

It would be something like this

packet-tracer input outside tcp 123.123.123.123 12345 80

This should tell us what NAT rules are matched on the firewall for such a connection. Just enter your public IP address used for the Web servers NAT command.

- Jouni

Need Help on one Firewall Question

jaskamboj — Mon, 15 Jul 2013 08:22:16 GMT

Hi,

Please find the bleow report.

packet-tracer input outside tcp 1.1.1.2 www 1.1.1.1 www

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255

match tcp inside host 192.168.1.3 eq 80 outside any

static translation to 1.1.1.1/80

translate_hits = 0, untranslate_hits = 10

Additional Information:

NAT divert to egress interface inside

Untranslate 1.1.1.1/80 to 192.168.1.3/80 using netmask 255.255.255.255

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group WEBSERVER in interface outside

access-list WEBSERVER extended permit tcp any host 1.1.1.1 eq www

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255

match tcp inside host 192.168.1.3 eq 80 outside any

static translation to 1.1.1.1/80

translate_hits = 0, untranslate_hits = 10

Additional Information:

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255

match tcp inside host 192.168.1.3 eq 80 outside any

static translation to 1.1.1.1/80

translate_hits = 0, untranslate_hits = 10

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 10, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Need Help on one Firewall Question

Jouni Forss — Mon, 15 Jul 2013 09:19:30 GMT

Hi,

Only situation where I managed to get this working was when I configured

static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255

global (inside) 100 interface

nat (outside) 100 0.0.0.0 0.0.0.0 outside

I tried to configure Dynamic Policy PAT on the "outside" -> "inside" but it didnt seem to work.

- Jouni