topic Re: ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet in Network Security

ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet

software_onbekend — Fri, 21 Feb 2020 15:41:00 GMT

Hello everyone,

I hope I can get some help with my configuration of my ASA.

The current situation:

5 Public IP addresses.

2 Servers that needs to connect to the internet.

Server1 is already connect to the internet at the 2nd Public IP.

Server2 needs to be connected the internet with multiple ports (5001 to 5001 & 2222 to 2222) at the 1st Public IP address, so it can be accessed from the WAN site.

But at this moment I can't even get it working with just 1 port.

I tried several NAT rules but nothing seams to work.

Can someone guide me into the right direction?

Have a nice day.

S.O.

ASA Version 9.4(4)16
!
hostname ASA-5515
domain-name xxxxxxx.local
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
ip local pool VPN-Clients 172.17.2.1-172.17.2.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
description WAN Interface
nameif outside
security-level 0
ip address 1st Public IP 255.255.255.248
!
interface GigabitEthernet0/1
description LAN Interface
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.3
description DMZ
vlan 3
nameif inside_vlan3
security-level 100
ip address 172.16.0.254 255.255.255.0
!
interface GigabitEthernet0/1.250
description Management
vlan 250
nameif inside_vlan250
security-level 100
ip address 192.168.250.254 255.255.255.0
!
interface GigabitEthernet0/1.251
description Server
vlan 251
nameif inside_vlan251
security-level 100
ip address 192.168.251.254 255.255.255.0
!
interface GigabitEthernet0/1.252
description Printer
vlan 252
nameif inside_vlan252
security-level 100
ip address 192.168.252.254 255.255.255.0
!
interface GigabitEthernet0/1.253
description Test
vlan 253
nameif inside_vlan253
security-level 100
ip address 192.168.253.254 255.255.255.0
!
interface GigabitEthernet0/1.254
description Guest
vlan 254
nameif inside_vlan254
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface GigabitEthernet0/1.255
description Production
vlan 255
nameif inside_vlan255
security-level 100
ip address 192.168.255.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa944-16-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
domain-name xxxxxx.local
object network inside_vlan255
subnet 192.168.255.0 255.255.255.0
object network inside_vlan254
subnet 192.168.254.0 255.255.255.0
object network inside_vlan253
subnet 192.168.253.0 255.255.255.0
object network inside_vlan252
subnet 192.168.252.0 255.255.255.0
object network inside_vlan251
subnet 192.168.251.0 255.255.255.0
object network inside_vlan250
subnet 192.168.250.0 255.255.255.0
object network Server1_TCP_8080-80
host 172.16.0.1
object network Server1-external-ip
host 2nd Public IP
object network inside_vlan3
subnet 172.16.0.0 255.255.255.0
object network Server1_TCP_eq_5001
host 172.16.0.1
object network Server1
host 172.16.0.1
object service 445
service tcp destination eq 445
object service 8080-80
service tcp source eq www destination eq 8080
object network Server2
host 192.168.253.2
object network Server1-external-ip
host 1st Public IP
object network Server2_TCP_eq_5001
host 192.168.253.2
object network Server2_TCP_eq_2222
host 192.168.253.2
object service 2222
service tcp source eq 2222 destination eq 2222
object service 5001
service tcp source eq 5001 destination eq 5001
object-group network RFC_1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group user VPN-Client
description Use of Cisco VPN Client
user LOCAL\user1
access-list outside_in extended permit tcp any object Server1_TCP_8080-80 eq 8080
access-list outside_in extended permit tcp any object Server1_TCP_eq_5001 eq 5001
access-list outside_in extended permit tcp object Server2-external-ip object Server2_TCP_eq_5001 eq 5001
access-list VPN-Clients_splitTunnelAcl standard permit 192.168.255.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging facility 16
mtu outside 1500
mtu inside_vlan3 1500
mtu inside_vlan250 1500
mtu inside_vlan251 1500
mtu inside_vlan252 1500
mtu inside_vlan253 1500
mtu inside_vlan254 1500
mtu inside_vlan255 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside_vlan255
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside_vlan255
nat (inside_vlan255,outside) dynamic interface
object network inside_vlan254
nat (inside_vlan254,outside) dynamic interface
object network inside_vlan253
nat (inside_vlan253,outside) dynamic interface
object network Server1_TCP_8080-80
nat (inside_vlan3,outside) static Server1-external-ip service tcp 8080 www
object network inside_vlan3
nat (inside_vlan3,outside) dynamic 2nd Public IP
object network Server1_TCP_eq_5001
nat (inside_vlan3,outside) static Server1-external-ip service tcp 5001 5001
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 ISP Gateway 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http server idle-timeout 60
http 192.168.255.0 255.255.255.0 inside_vlan255
http 192.168.253.0 255.255.255.0 inside_vlan253
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.253.0 255.255.255.0 inside_vlan253
ssh 192.168.255.0 255.255.255.0 inside_vlan255
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
vpn-addr-assign local reuse-delay 1
dhcpd address 172.16.0.100-172.16.0.102 inside_vlan3
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan3
dhcpd option 3 ip 172.16.0.254 interface inside_vlan3
dhcpd enable inside_vlan3
!
dhcpd address 192.168.253.100-192.168.253.150 inside_vlan253
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan253
dhcpd option 3 ip 192.168.253.254 interface inside_vlan253
dhcpd enable inside_vlan253
!
dhcpd address 192.168.254.100-192.168.254.150 inside_vlan254
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan254
dhcpd option 3 ip 192.168.254.254 interface inside_vlan254
!
dhcpd address 192.168.255.100-192.168.255.150 inside_vlan255
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan255
dhcpd option 3 ip 192.168.255.254 interface inside_vlan255
dhcpd enable inside_vlan255
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "DHE-RSA-AES256-SHA:AES256-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ssl-client
group-policy VPN-Clients internal
group-policy VPN-Clients attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-Clients_splitTunnelAcl
default-domain value hoekstra.local
dynamic-access-policy-record DfltAccessPolicy
username user1 password xxxxx encrypted
username user1 attributes
service-type remote-access
username xxxxxxxxxxxx password xxxxxxx encrypted privilege 15
tunnel-group VPN-Clients type remote-access
tunnel-group VPN-Clients general-attributes
address-pool VPN-Clients
default-group-policy VPN-Clients
tunnel-group VPN-Clients ipsec-attributes
ikev1 pre-shared-key *****
!
class-map dcerpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 16
subscribe-to-alert-group configuration periodic monthly 16
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6632ef964518bf7caeca3ef85c8fe152
: end
ASA-5515#

Re: ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet

Marius Gunnerud — Sun, 29 Apr 2018 09:29:08 GMT

Try running a packet tracer to see which NAT rules it is hitting

packet-tracer input outside tcp 8.8.8.8 12345 **server public IP** 5001

Re: ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet

software_onbekend — Sun, 29 Apr 2018 10:43:40 GMT

Hello Marius,

Thank for your time 🙂

Hereby the results

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop "1st Public IP" using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet

Marius Gunnerud — Sun, 29 Apr 2018 11:33:13 GMT

Could you also run the command for port 8080?

packet-tracer input outside tcp 8.8.8.8 12345 **server public IP** 8080

Re: ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet

software_onbekend — Sun, 29 Apr 2018 11:46:45 GMT

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop **1st Public IP** using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet

Marius Gunnerud — Sun, 29 Apr 2018 11:56:56 GMT

Is the configuration above the full configuration of the ASA or did you leave out something?

Please try moving the NAT statements to manual NAT section.

Re: ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet

software_onbekend — Sun, 29 Apr 2018 14:40:12 GMT

Hi Marius,

It is the full configuration. I did only an cleanup for security,

What do you mean with "Please try moving the NAT statements to manual NAT section."?

I did a clean up of the config.

So we can start from scratch.

Can you guide me stap by step?

Thanks in advance.

S.O.

Goal:

Access the inside "Server2" (IP 192.168.253.2:5001) from the "1st Public IP" (also the IP address for the outside interface) on port 5001

Hereby the current configuration.

ASA-5515# show run
: Saved

:
: Serial Number: xxxxxxx
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(4)16
!
hostname ASA-5515
domain-name xxxxxxx.local
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
names
ip local pool VPN-Clients 172.17.2.1-172.17.2.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
description WAN Interface
nameif outside
security-level 0
ip address **1st Public IP** 255.255.255.248
!
interface GigabitEthernet0/1
description LAN Interface
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.3
description DMZ
vlan 3
nameif inside_vlan3
security-level 100
ip address 172.16.0.254 255.255.255.0
!
interface GigabitEthernet0/1.250
description Management
vlan 250
nameif inside_vlan250
security-level 100
ip address 192.168.250.254 255.255.255.0
!
interface GigabitEthernet0/1.251
description Server
vlan 251
nameif inside_vlan251
security-level 100
ip address 192.168.251.254 255.255.255.0
!
interface GigabitEthernet0/1.252
description Printer
vlan 252
nameif inside_vlan252
security-level 100
ip address 192.168.252.254 255.255.255.0
!
interface GigabitEthernet0/1.253
description Test
vlan 253
nameif inside_vlan253
security-level 100
ip address 192.168.253.254 255.255.255.0
!
interface GigabitEthernet0/1.254
description Guest
vlan 254
nameif inside_vlan254
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface GigabitEthernet0/1.255
description Production
vlan 255
nameif inside_vlan255
security-level 100
ip address 192.168.255.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa944-16-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
domain-name hoekstra.local
object network inside_vlan255
subnet 192.168.255.0 255.255.255.0
object network inside_vlan254
subnet 192.168.254.0 255.255.255.0
object network inside_vlan253
subnet 192.168.253.0 255.255.255.0
object network inside_vlan252
subnet 192.168.252.0 255.255.255.0
object network inside_vlan251
subnet 192.168.251.0 255.255.255.0
object network inside_vlan250
subnet 192.168.250.0 255.255.255.0
object network DS509_TCP_8080-80
host 172.16.0.1
object network DS509-external-ip
host **2nd Public IP**
object network inside_vlan3
subnet 172.16.0.0 255.255.255.0
object network DS509_TCP_eq_5001
host 172.16.0.1
object network DS509
host 172.16.0.1
object service 5001
service tcp source eq 5001 destination eq 5001
object-group network RFC_1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group user VPN-Client
description Use of Cisco VPN Clinet
user LOCAL\user1
access-list outside_in extended permit tcp any object DS509_TCP_8080-80 eq 8080
access-list outside_in extended permit tcp any object DS509_TCP_eq_5001 eq 5001
access-list VPN-Clients_splitTunnelAcl standard permit 192.168.255.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging facility 16
mtu outside 1500
mtu inside_vlan3 1500
mtu inside_vlan250 1500
mtu inside_vlan251 1500
mtu inside_vlan252 1500
mtu inside_vlan253 1500
mtu inside_vlan254 1500
mtu inside_vlan255 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any inside_vlan255
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside_vlan255
nat (inside_vlan255,outside) dynamic interface
object network inside_vlan254
nat (inside_vlan254,outside) dynamic interface
object network inside_vlan253
nat (inside_vlan253,outside) dynamic interface
object network DS509_TCP_8080-80
nat (inside_vlan3,outside) static DS509-external-ip service tcp 8080 www
object network inside_vlan3
nat (inside_vlan3,outside) dynamic **2nd Public IP**
object network DS509_TCP_eq_5001
nat (inside_vlan3,outside) static DS509-external-ip service tcp 5001 5001
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 **ISP Gateway** 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http server idle-timeout 60
http 192.168.255.0 255.255.255.0 inside_vlan255
http 192.168.253.0 255.255.255.0 inside_vlan253
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-A ES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-A ES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.253.0 255.255.255.0 inside_vlan253
ssh 192.168.255.0 255.255.255.0 inside_vlan255
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
vpn-addr-assign local reuse-delay 1
dhcpd address 172.16.0.100-172.16.0.102 inside_vlan3
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan3
dhcpd option 3 ip 172.16.0.254 interface inside_vlan3
dhcpd enable inside_vlan3
!
dhcpd address 192.168.253.100-192.168.253.150 inside_vlan253
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan253
dhcpd option 3 ip 192.168.253.254 interface inside_vlan253
dhcpd enable inside_vlan253
!
dhcpd address 192.168.254.100-192.168.254.150 inside_vlan254
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan254
dhcpd option 3 ip 192.168.254.254 interface inside_vlan254
!
dhcpd address 192.168.255.100-192.168.255.150 inside_vlan255
dhcpd dns 8.8.8.8 8.8.4.4 interface inside_vlan255
dhcpd option 3 ip 192.168.255.254 interface inside_vlan255
dhcpd enable inside_vlan255
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "DHE-RSA-AES256-SHA:AES256-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ssl-client
group-policy VPN-Clients internal
group-policy VPN-Clients attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-Clients_splitTunnelAcl
default-domain value hoekstra.local
dynamic-access-policy-record DfltAccessPolicy
username user1 password xxxxxxx encrypted
username user1 attributes
service-type remote-access
username xxxxxxx password xxxxxxx encrypted privilege 15
tunnel-group VPN-Clients type remote-access
tunnel-group VPN-Clients general-attributes
address-pool VPN-Clients
default-group-policy VPN-Clients
tunnel-group VPN-Clients ipsec-attributes
ikev1 pre-shared-key *****
!
class-map dcerpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 16
subscribe-to-alert-group configuration periodic monthly 16
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1bbb66e29a8ee4a88fa0cab3345bb827
: end
ASA-5515#

Re: ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet

Marius Gunnerud — Sun, 29 Apr 2018 15:37:04 GMT

I set this up in my home lab and got it working with the following config:

object network DS509
host 172.16.0.1
object network PUBLIC-IP
host 62.1.1.1
object service TCP_5001
service tcp source eq 5001
access-list outside-in extended permit tcp any host 172.16.0.1 eq 5001

nat (Inside,Outside) source static DS509 PUBLIC-IP service TCP_5001 TCP_5001
access-group outside-in in interface Outside

ASA# show conn
1 in use, 1 most used
TCP Outside 192.1.20.2:62709 Inside 172.16.0.1:5001, idle 0:00:05, bytes 4036, flags UIOB

Re: ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet

software_onbekend — Sun, 29 Apr 2018 16:15:53 GMT

HI Marius,

The config you show me is a config from the DMZ zone.

That was already working 🙂

I was looking for a solution to get the port 5001 & 2222 to the inside IP 192.168.253.2 working.

That has to link to the 1st Public IP address. (is also the outside interface)

So I did the following:

object network Server2

host 192.168.253.2

object network Server2_external_ip

host **1st Public IP**

object service TCP_5001

service tcp source eq 5001

access-list outside_in extended permit tcp any host 192.168.253.2 eq 5001

At this point everything looks fine.

nat (inside-vlan253,outside) source static Server2 **1st Public IP** service TCP_5001 TCP_5001

ERROR: Address **1st Public IP** overlaps with outside interface address.

ERROR: NAT Policy is not downloaded.

So here it goes wrong.

S.O.

Re: ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet

Marius Gunnerud — Sun, 29 Apr 2018 16:50:55 GMT

This is a typical error you would get if you are using an object that is configured with the ASA interface IP you are trying to NAT to. Use the interface keyword instead of the object.

Re: ASA Access-List & NAT Ruls Multiple Public IP addresses to expose a server to the internet

software_onbekend — Sun, 29 Apr 2018 17:34:16 GMT

Hi Marius,

nat (inside_vlan253,outside) source static Server2 interface service TCP_5001 TCP_5001

and

object service TCP_5001
service tcp source eq 5001

Did the trick 🙂

I was working with the service object:

object service 5001
service tcp source eq 5001 destination eq 5001

That was'n working. I don't know why. Most likely not enough knowledge from my side.

Now I will try myself, to get a second port to open. (2222)

Thanks for the help so far 🙂

S.O.