cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


620
Views
0
Helpful
6
Replies
Highlighted
Beginner

Mapping servers behind an ASA5505

Good day,

I have the following configuration: An ASA5505 with Security bundle license sits at the perimeter with a single public IP address assigned to VLAN2 (outside) out of a /29 block. I have two servers with static IP addresses of 10.70.21.6 and 10.70.21.7 connected to the inside ports with default gateway of 10.70.21.1 (which is the IP address for the VLAN1 inside). I have already configured a default static route and NATing (PAT) so we have internet connection for the PCs.

Now I need to configure the ASA to allow remote desktop connection to the servers (with static IP addresses above). Can I use a spare public IP address for each server and if so, whats the syntax? or is there another method? I have used this before but I had a Cisco 2811 router on the perimeter so the syntax was at then:

ip nat inside source static 10.30.1.248 81.85.199.44

best regards,

Everyone's tags (4)
6 REPLIES 6
Beginner

Mapping servers behind an ASA5505

By the way, the ASA has 8.2(5) software.

Advisor

Mapping servers behind an ASA5505

static (inside,outside) [outside ip] [inside ip] netmask 255.255.255.255

Example-

static (inside,outside) 69.222.73.41 10.70.21.6 netmask 255.255.255.255

static (inside,outside) 69.222.73.42 10.70.21.7 netmask 255.255.255.255

You'll also have to add the ports you want to allow in your ACL. Let me know if you have any questions.

Beginner

Mapping servers behind an ASA5505

Many Thanks Collin,

Here's the new scenario, the good  guys at work added 5 more servers. I do not have enough public IP addresses. SO I plan to use the single public IP address assigned to VLAN2 (outside) and map using different ports say port 10006 for server with IP address 10.70.21.6 and port 10010 for server with IP address 10.70.21.10.

I will use Remote Desktop Connection with x.x.x.x:1000y where x.x.x.x is the VLAN2 IP address and y is the last IP digit (6, etc).

I used the following syntax:

static (inside,outside) tcp interface 10006 10.70.21.6 3389 netmask 255.255.255.255

3389 is the tcp port for rdp.

I still can't access the server. what is the ACL you are talking about? access lists are not exactly my strong point.

regards,

Advisor

Re: Mapping servers behind an ASA5505

You should have an ACL applied to the outside interface-

show run | i access-group will show you the name of the ACL and the interface it is attached to.

From there add an ACE to the ACL aaplied to the outside interface.  Something like the following-

access-list outside_access permit tcp any [outside ip] eq 10006

tcp is the protocol to allow, the any is the source IP, the next IP is the destination which is your public IP and then 10006 is the port.

Update: Your new NAT's are correct BTW      

Beginner

Mapping servers behind an ASA5505

Ok so far nothing has worked for me. This is my configuration, so if someone could help pinpoint where did I go wrong:

: Saved

:

ASA Version 8.2(5)

!

hostname

domain-name .com

enable password /V encrypted

passwd /V encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.70.21.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 176.28.79.210 255.255.255.248

!

banner login $ Welcome to  ASA1 for  $

ftp mode passive

dns server-group DefaultDNS

domain-name .com

access-list Server6 extended permit tcp any host 176.28.79.211 eq 10006

access-list Server6 extended permit tcp any host 176.28.79.211 eq 10007

access-list Server6 extended permit tcp any host 176.28.79.211 eq 10003

access-list Server6 extended permit tcp any host 176.28.79.211 eq 10004

access-list Server6 extended permit tcp any host 176.28.79.211 eq 10005

access-list Server6 extended permit tcp any host 176.28.79.211 eq 10010

access-list Server6 extended deny ip any any

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.70.21.0 255.255.255.0

static (inside,outside) tcp interface 10006 10.70.21.6 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 10007 10.70.21.7 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 10003 10.70.21.3 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 10004 10.70.21.4 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 10005 10.70.21.5 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 10010 10.70.21.10 3389 netmask 255.255.255.255

access-group Server6 in interface outside

route outside 0.0.0.0 0.0.0.0 176.28.79.209 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 outside

telnet timeout 5

ssh 0.0.0.0 255.255.255.255 outside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username Cisco password .Cjopxf encrypted privilege 15

!

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:

: end

Everything works fine except for the remote RDP, I have PAT, local telnet, and remote ssh all working perfectly.

best regards,

Advisor

Re: Mapping servers behind an ASA5505

static (inside,outside) tcp interface 10006 10.70.21.6 3389 netmask 255.255.255.255

The NAT translates the outside interface (.210) to the inside server, however your ACL is only allowing to host .211.

Either change your NAT's to match your ACL-

static (inside,outside) tcp 176.28.79.211 10006 10.70.21.6 3389 netmask 255.255.255.255

static (inside,outside) tcp 176.28.79.211 10007 10.70.21.7 3389 netmask 255.255.255.255

static (inside,outside) tcp 176.28.79.211 10003 10.70.21.3 3389 netmask 255.255.255.255

static (inside,outside) tcp 176.28.79.211 10004 10.70.21.4 3389 netmask 255.255.255.255

static (inside,outside) tcp 176.28.79.211 10005 10.70.21.5 3389 netmask 255.255.255.255

static (inside,outside) tcp 176.28.79.211 10010 10.70.21.10 3389 netmask 255.255.255.255

or change your ACL to match your NAT's-

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10006

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10007

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10003

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10004

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10005

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10010

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here