Firewall Static NAT Issue

FloridaGAL
Level 1

I have a server inside my network that I want users to be able to access from the outside.  To this end, I have setup a static nat between my internal address for this server (10.7.64.27) and one of the public ip addresses I have available (public2).  Public1 is the outside address assigned to the interface.

The problem I am having is in my routing and ACLs.  I created and extended ACL that was something like this:

per ip host 10.7.64.255 host public 2

and a route that is something like this:

ip route 10.7.64.27 0.0.0.0 0.0.0.0 public 2


But I am having no joy.  The system deployed on this server is 100% ready to go but I can't get the hole poked in our ASA to make access happen.  Can you fine folks assist me?


10 Replies

Jon Marshall
Hall of Fame

I don't understand your acl or route entries and I don't think you need a route.

As for the acl it should allow a source of any (internet IPs) to the private IP of the server and you can specify the port in the acl.

That acl obviously needs to be applied to the outside interface in an inbound direction and you may well have an acl already so just add it to that.

Edit - I am assuming you are using a version of software 8.3 or later.

Jon

Our ASA uses 8.25.

The default route in the box points to public1, that is why I feel I need a route to ensure that appliance box I have will send traffic to public2, which is the ip the users would go to to use this appliance.

As to the ACL I can modify accordingly and see what happens.  I'll report back.

Okay with 8.2 you need to use the public IP not the real IP of the server.

I am still not understanding the routing part.

What box do you mean when you say it points to the IP on the outside interface of your ASA ?

Is the public IP you are using for the server part of the same range ?

Just not sure where you are adding a route and what it is meant to achieve ?

Jon

In our ASA, the default route points all traffic to public 1.  However, for the appliance inside the network users will be accessing it via public 2.  I have created a static nat between the appliance private address and public 2.

You are saying that for the ACL statement I need to have a

per ip host public 2 any

applied to inbound traffic on the outside interface?

I *think* I need to add a route because otherwise the default route of the ASA will point the traffic from the appliance out to the wrong public IP.

The acl statement should read -

"access-list <name> permit ip any host <public IP>"

although it is more secure if instead of "permit ip" you specified the port number(s).

Do you know them ?

That acl is then applied to the outside interface inbound although like I say you may well already have one ?

As for the routing you originally said public 1 was assigned to the outside interface of your ASA so the default route on the ASA will not use that as the next hop, it would be an IP address upstream on the ISP router.

If public 2 is from the same IP subnet as the IP assigned to the outside interface of your ASA you should not need a route because if a client on the internet sends traffic to public 2 the ISP will arp for that IP and your ASA will respond with the outside interface mac address.

Then when the ASA receives the packet it translates the public IP to the real server IP and forwards it to the server.

Does that make sense or am I not understanding your setup ?

Jon
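An added illustration of the point made in this thread (not Jon's or Cisco's configuration): on ASA 8.2 the outside ACL is matched against the mapped public IP, on 8.3 and later it is matched against the real server IP, and restricting the ACL to the service port is tighter than "permit ip". The public address 203.0.113.27 is a constructed placeholder for "public 2"; the ACL name, object name and the small ACL parser are assumptions for the example.

```python
# Constructed values: 10.7.64.27 is the server from the thread, the public IP is a placeholder.
REAL_IP = "10.7.64.27"
PUBLIC_IP = "203.0.113.27"  # stands in for "public 2" (TEST-NET-3 documentation range)

# ASA 8.2 style: static NAT plus an outside ACL that names the *mapped* (public) address.
ASA_82_CONFIG = """
static (inside,outside) 203.0.113.27 10.7.64.27 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.27 eq 443
access-group outside_in in interface outside
"""

# ASA 8.3+ style: object NAT plus an outside ACL that names the *real* (private) address.
ASA_83_CONFIG = """
object network srv-appliance
 host 10.7.64.27
 nat (inside,outside) static 203.0.113.27
access-list outside_in extended permit tcp any host 10.7.64.27 eq 443
access-group outside_in in interface outside
"""


def parse_acl(config):
    """Extract (protocol, destination host, port-or-None) from 'permit ... any host X [eq P]' lines."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 8 and t[0] == "access-list" and t[3] == "permit" and t[5] == "any":
            dst = t[t.index("host", 5) + 1]
            port = int(t[t.index("eq") + 1]) if "eq" in t else None
            rules.append((t[4], dst, port))
    return rules


def inbound_permitted(config, version, dst_port, proto="tcp"):
    """Simulate an internet client reaching PUBLIC_IP:dst_port through the outside ACL.

    Before 8.3 the ACL is evaluated against the public (mapped) address; from 8.3 on the
    ASA un-NATs first, so the ACL must name the real address. 'version' is a (major, minor) tuple.
    """
    address_seen_by_acl = PUBLIC_IP if version < (8, 3) else REAL_IP
    for rule_proto, dst, port in parse_acl(config):
        if dst != address_seen_by_acl or rule_proto not in ("ip", proto):
            continue
        if port is None or port == dst_port:
            return True
    return False
```

Running the 8.2-style ACL on an 8.3+ box (or vice versa) yields a deny, which is the mismatch Jon's "with 8.2 you need to use the public IP" remark is about.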

Sounds like you have it. Public 1 and Public 2 are on the same subnet.  So... should be as simple as putting the correct ACL in place in the right location.  I'll give that a try and see what happens.

No problem.

I would recommend using the actual port numbers in your acl rather than just allowing all IP to the server.

Jon

I'll clean it up once I confirm that I have everything working.

Well,  my appliance can now ping out, which is positive.  When I go to Public 2 on port 443, I get a tomcat webserver page.  I'm wondering if there is a configuration problem on the appliance side now.  I'll have to check with my coworker who set this up.

I feel though the networking issue is solved.  Thank you much Jon for your help!

Happy to have helped.

If the server setup seems okay and it still doesn't work properly just post back and we can look at it further.

Jon
