topic Re: How to do This nat server thing in Network Security

How to do This nat server thing

pskipton01 — Mon, 11 Mar 2019 18:55:46 GMT

I have two servers on one network http ftp and port 8080

192.168.2.100 http,ftp and 192.168.2.101 port 8080

I want to use one public address to access these servers 24.222.224.218 but cannot figure out how to allow this, it gives me

the server address config overlaps with an existing translation rule.

Any help would be appreciated, this is on an asa 5505 8.3

Re: How to do This nat server thing

mirober2 — Mon, 18 Oct 2010 13:22:35 GMT

Hi Perry,

You can do this with the following config:

object network obj-192.168.2.100-www
     host 192.168.2.100
     nat (inside,outside) static 24.222.224.218 service tcp 80 80
 object network obj-192.168.2.100-ftp
    
 host 192.168.2.100
     nat (inside,outside) static 24.222.224.218 service tcp 21 21
object network object-192.168.2.101
     host 192.168.2.101
     nat (inside,outside) static 24.222.224.218 service tcp 8080 8080

If you still get the overlap error with these commands, please post the output of 'show run object' and 'show run nat'.

Hope that helps.

-Mike

Re: How to do This nat server thing

pskipton01 — Sat, 23 Oct 2010 13:17:55 GMT

Now I cant get it to see a web server

from outside and also the web server cant see out. I have posted my config can someone assi

st?

This is only a test setup so I left most IP's in

Result of the command: "Show run"

: Saved
:
ASA Version 8.3(1)
!
hostname pskipton
domain-name AVC
enable password IKxxneNMTRgDw/Xd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.222.XXX.XXX 255.255.255.248
!
interface Vlan12
nameif test
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns server-group DefaultDNS
domain-name AVC
object network 192.168.1.0
subnet 0.0.0.0 0.0.0.0
object network A_24.222.XXX.220
host 24.222.XXX.220
object network PublicServer_NAT1
host 192.168.5.100
object network 192.168.5.0
subnet 192.168.5.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
protocol-object ip
access-list outside_access extended permit tcp any host 192.168.5.100 eq www
access-list outsidein standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu test 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
!
object network 192.168.1.0
nat (inside,outside) dynamic interface
object network PublicServer_NAT1
nat (test,outside) static A_24.222.XXX.XXX
object network 192.168.5.0
nat (test,outside) dynamic interface
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 24.222.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http server idle-timeout 60
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd dns 24.222.0.96 24.222.0.97
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!

threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
username pskipton password xJ9t9jwcg/1YgcqF encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:77952a320e0b3abea34c25a61c55e355
: end

Re: How to do This nat server thing

apothula — Sat, 23 Oct 2010 13:35:56 GMT

Hi Perry,

From the latest configuration you pasted here,I see that you have only created a Static NAT for the 192.168.5.100 machine.

But, we need to create Static PAT rules to get it work according to our requirement.

Please add NAT rules as Mirober suggested and everything should be fine.

Also, please remove the NAT configuration you added,

object network PublicServer_NAT1
nat (test,outside) static A_24.222.XXX.XXX

no object network PublicServer_NAT

Then add the NAT rules as suggested by Mirober.

Cheers,

Nash.

Re: How to do This nat server thing

pskipton01 — Sat, 23 Oct 2010 14:36:29 GMT

At this time I am just getting one working and it isnt cooperating but I think it should from what I have in the config?

I cant even get it to see the web server I have in there.

Re: How to do This nat server thing

pskipton01 — Sat, 23 Oct 2010 14:45:11 GMT

Now I have for the one server on 192.168.5.100,,

I have access to the one machine from outside the network However on this system inside I cant see it what do I need so the 192.168.1.0 network can go out and back into the 24.222.224.220? and then ill work on the second server on port 8080.

Re: How to do This nat server thing

apothula — Sat, 23 Oct 2010 14:56:03 GMT

You might want to add an ACL on the outside interface allowing ftp traffic through.

access-list outside_access_in permit tcp any any eq ftp.

This should get the FTP part to work.

As far as the translation on port 8080 is concerned, as I suggested earlier, we need to change the NAT configuration according to Mirober's suggestion.

Also, we need to add an ACL allowing traffic on TCP port 8080 similar to the line i suggested above.

Cheers,

Nash.

Re: How to do This nat server thing

apothula — Sat, 23 Oct 2010 15:03:33 GMT

Could you please explain your earlier post in better detail ?

Nash

Re: How to do This nat server thing

pskipton01 — Sat, 23 Oct 2010 15:16:02 GMT

show run nat
!
object network 192.168.1.0
nat (inside,outside) dynamic interface
object network 192.168.5.0
nat (test,outside) dynamic interface
object network obj-192.168.5.100-www
nat (test,outside) static 24.222.224.220 service tcp www www
object network obj-192.168.5.100-ftp
nat (test,outside) static interface service tcp ftp ftp
object network obj-192.168.5.101-8080
nat (test,outside) static interface service tcp 8080 8080

show run obj
object network 192.168.1.0
subnet 0.0.0.0 0.0.0.0
object network 192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.5.100-www
host 192.168.5.100
object network obj-192.168.5.100-ftp
host 192.168.5.100
object network obj-192.168.5.101-8080
host 192.168.5.101

show run access-list
access-list outside_access_in extended permit tcp any object 192.168.5.0 eq www
access-list outside_access_in extended permit tcp any object 192.168.5.0 eq ftp
access-list outside_access_in extended permit object tcp-8080 any object 192.168.5.0
access-list outsidein standard permit 192.168.1.0 255.255.255.0
access-list outsidein standard permit 192.168.5.0 255.255.255.0

Now how do I set this up so that its accessable from the 192.168.1.0 network which is the other network on the asa.

Re: How to do This nat server thing

apothula — Sat, 23 Oct 2010 15:16:53 GMT

Perry, I think I understand your point here.

You mean to say that you can access the server from the outside with no issues.

However, when you try to access the server from the Inside Network itself, you are facing problems.

Well, if that is the case, the problem is because of DNS resolution.

There are two scenarios here

1. We are using an external DNS server

Soln : In this case we can use DNS doctoring to resolve the issue.

2. We are using an Internal DNS server

Soln1 : We could either make the DNS server provide the local IP address of the server for DNS queries coming from the inside network.

Soln2 : Create a NAT translation to translation public to private on the inside interface.

Let me know if the information is useful.

Cheers,

Nash.

Re: How to do This nat server thing

pskipton01 — Sat, 23 Oct 2010 15:18:02 GMT

Please see post before yours asking for clarification.. Thanks for all the help by the way

Re: How to do This nat server thing

pskipton01 — Sat, 23 Oct 2010 15:25:02 GMT

I am using an external dns server...24.222.0.96 and 24.222.0.97

Re: How to do This nat server thing

pskipton01 — Sat, 23 Oct 2010 17:27:58 GMT

As a matter of fact I cannot even get from inside out and back to my

outside ip address 24.222.224.220

I can get everywhere else on the internet though.