topic Re: Configuring ASA Public servers in Network Security

Configuring ASA Public servers

alanmsv1234 — Mon, 11 Mar 2019 17:54:30 GMT

I have just bought an ASA 5510 and am trying to configure it, but it is not working the way I expect.

I have several internal servers which need to be accessed from the web. If I create a NAT entry for each, and a corresponding access rule, the servers cannot be accessed. If, however, I add the servers in the 'Public Servers' section, it automatically adds the appropriate NAT and Access rule, and it works. My first question is why is this so? Surly adding the NAT and Access rule should work?

Secondly, although it works by adding the servers via Public folders, it only does so by assigning a different public IP for each internal server. I want to assign different ports from one external IP to different internal servers to conserve IP's, but it will not let me do this: adding a server in Public server assigns an IP to that internal server, even though I specify, for example, only smtp as the service. If I try to add another Public server, say http, to another internal machine, it says the external address overlaps with another in use. This can be done by configuring NAT and Access Rule directly, but this doesn't work. I can only access my servers by doing it via Public Servers. is this by design, or am I doing something wrong??

Re: Configuring ASA Public servers

Federico Coto Fajardo — Thu, 03 Jun 2010 16:26:37 GMT

Alan,

To see if you're doing something wrong, please post the output of the following lines from the ASA:

sh run static

sh run access-group

sh run access-list

You can change your sensitive information before posting.

Federico.

Re: Configuring ASA Public servers

alanmsv1234 — Thu, 03 Jun 2010 16:50:23 GMT

MSV-ASA# sh run static
static (Inside,Outside) tcp xxx.29 pptp Fileserver pptp netmask 255.255.255.255
static (DMZ,Outside) tcp xxx.27 imap4 pop.m.org imap4 netmask 255.255.255.255
static (DMZ,Outside) tcp xxx.27 pop3 pop.m.org pop3 netmask 255.255.255.255
static (DMZ,Outside) tcp xxx.27 smtp CentOs smtp netmask 255.255.255.255
static (Inside,Outside) xxx.28 Commserver netmask 255.255.255.255

MSV-ASA# sh run access-group
access-group Outside_access_in in interface Outside

MSV-ASA# sh run access-list
access-list Outside_access_in extended permit tcp any host CentOs eq smtp
access-list Outside_access_in extended permit tcp any host xxx.29 eq pptp
access-list Outside_access_in extended permit tcp object-group Webroot host xxx.28 eq smtp
access-list Outside_access_in extended permit tcp any host xxx.28 object-group DM_INLINE_TCP_0
access-list Outside_access_in extended permit tcp any host Fileserver eq pptp
access-list Outside_access_in extended permit tcp any host pop.m.org object-group DM_INLINE_TCP_1

Re: Configuring ASA Public servers

Federico Coto Fajardo — Thu, 03 Jun 2010 16:58:10 GMT

Thank you,

You can share the same public IP address with multiple internal addresses if doing static PAT and that's what you're doing:

static (in,out) tcp public_IP port internal_IP port

You can have the above line multiple times for the same public_IP and for different internal IPs as long as using different ports.

You say the configuration that you posted here works? Or which line(s) gives you problems?

Federico.

Re: Configuring ASA Public servers

alanmsv1234 — Thu, 03 Jun 2010 17:04:32 GMT

That config does not work, but I think I've spotted the flaw:

it works if the destination of the access rule is the external IP of the internal server, but does not work if the destination is specified as the internal server (in this case centos). This seems somewhat counter-intuitive to me, and different from the ISR routers, where you do specify the internal name/ip.

I have done all config via the ASDM, not CLI. I am assuming the Public servers config option is a 'user friendly' way of doing the nat and access list in one go?

Re: Configuring ASA Public servers

Federico Coto Fajardo — Thu, 03 Jun 2010 17:12:20 GMT

Yes, you're right.

On the ACLs, the outside (public) IP address needs to be defined.

If you define the private IP on the ACL (for incoming traffic) it will not work because the only IP visible to the Internet is the outside IP.

Actually just as a side note, this is a new improvement on version 8.3

Using 8.3 you can define the private real address on the incoming ACL, so that if you need to change the public IP, you don't need to modify the ACL each time.

Federico.

Re: Configuring ASA Public servers

alanmsv1234 — Fri, 04 Jun 2010 08:03:34 GMT

So, if I upgrade from 8.2 to 8.3, I could use the internal names/ip's in my ACLs? As you say, this would be much more flexible, as I do indeed plan to change external IP scheme eventually.

Re: Configuring ASA Public servers

Federico Coto Fajardo — Fri, 04 Jun 2010 15:44:57 GMT

Yes, but before attempting the upgrade to 8.3 you need to consider that the NAT configuration changed completely, the entire configuration is more object-group oriented than before, etc. You need extra memory also.

Please review this information prior going to 8.3

Migration guide to 8.3

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Release notes

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html

Federico.