Mapping servers behind an ASA5505

Talal Abbas
Level 1

Good day,

I have the following configuration: An ASA5505 with Security bundle license sits at the perimeter with a single public IP address assigned to VLAN2 (outside) out of a /29 block. I have two servers with static IP addresses of 10.70.21.6 and 10.70.21.7 connected to the inside ports with default gateway of 10.70.21.1 (which is the IP address for the VLAN1 inside). I have already configured a default static route and NATing (PAT) so we have internet connection for the PCs.

Now I need to configure the ASA to allow remote desktop connection to the servers (with static IP addresses above). Can I use a spare public IP address for each server and if so, what's the syntax? Or is there another method? I have used this before but I had a Cisco 2811 router on the perimeter, so the syntax then was:

ip nat inside source static 10.30.1.248 81.85.199.44

best regards,

6 Replies

Talal Abbas
Level 1

By the way, the ASA has 8.2(5) software.

static (inside,outside) [outside ip] [inside ip] netmask 255.255.255.255

Example-

static (inside,outside) 69.222.73.41 10.70.21.6 netmask 255.255.255.255

static (inside,outside) 69.222.73.42 10.70.21.7 netmask 255.255.255.255

You'll also have to add the ports you want to allow in your ACL. Let me know if you have any questions.

Many thanks Collin,

Here's the new scenario: the good guys at work added 5 more servers. I do not have enough public IP addresses. So I plan to use the single public IP address assigned to VLAN2 (outside) and map using different ports, say port 10006 for the server with IP address 10.70.21.6 and port 10010 for the server with IP address 10.70.21.10.

I will use Remote Desktop Connection with x.x.x.x:1000y where x.x.x.x is the VLAN2 IP address and y is the last IP digit (6, etc).

I used the following syntax:

static (inside,outside) tcp interface 10006 10.70.21.6 3389 netmask 255.255.255.255

3389 is the TCP port for RDP.

I still can't access the server. What is the ACL you are talking about? Access lists are not exactly my strong point.

regards,

You should have an ACL applied to the outside interface-

show run | i access-group will show you the name of the ACL and the interface it is attached to.

From there add an ACE to the ACL applied to the outside interface. Something like the following-

access-list outside_access permit tcp any [outside ip] eq 10006

tcp is the protocol to allow, the any is the source IP, the next IP is the destination which is your public IP and then 10006 is the port.

Update: Your new NATs are correct, BTW.

Talal Abbas
Level 1

OK, so far nothing has worked for me. This is my configuration, so if someone could help pinpoint where I went wrong:

: Saved
:
ASA Version 8.2(5)
!
hostname
domain-name .com
enable password /V encrypted
passwd /V encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.70.21.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 176.28.79.210 255.255.255.248
!
banner login $ Welcome to  ASA1 for  $
ftp mode passive
dns server-group DefaultDNS
 domain-name .com
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10006
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10007
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10003
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10004
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10005
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10010
access-list Server6 extended deny ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.70.21.0 255.255.255.0
static (inside,outside) tcp interface 10006 10.70.21.6 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10007 10.70.21.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10003 10.70.21.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10004 10.70.21.4 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10005 10.70.21.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10010 10.70.21.10 3389 netmask 255.255.255.255
access-group Server6 in interface outside
route outside 0.0.0.0 0.0.0.0 176.28.79.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username Cisco password .Cjopxf encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end

Everything works fine except for remote RDP; I have PAT, local telnet, and remote SSH all working perfectly.

best regards,

static (inside,outside) tcp interface 10006 10.70.21.6 3389 netmask 255.255.255.255

The NAT translates the outside interface (.210) to the inside server; however, your ACL only allows traffic to host .211.

Either change your NATs to match your ACL-

static (inside,outside) tcp 176.28.79.211 10006 10.70.21.6 3389 netmask 255.255.255.255

static (inside,outside) tcp 176.28.79.211 10007 10.70.21.7 3389 netmask 255.255.255.255

static (inside,outside) tcp 176.28.79.211 10003 10.70.21.3 3389 netmask 255.255.255.255

static (inside,outside) tcp 176.28.79.211 10004 10.70.21.4 3389 netmask 255.255.255.255

static (inside,outside) tcp 176.28.79.211 10005 10.70.21.5 3389 netmask 255.255.255.255

static (inside,outside) tcp 176.28.79.211 10010 10.70.21.10 3389 netmask 255.255.255.255

or change your ACL to match your NATs-

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10006

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10007

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10003

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10004

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10005

access-list Server6 extended permit tcp any host 176.28.79.210 eq 10010
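A consistency check for exactly the mismatch identified in this reply, added here as an example and not part of the thread or of any Cisco tooling: it parses ASA 8.2 `static` PAT and `access-list` lines from a constructed excerpt modelled on the posted config, resolves the `interface` keyword to the outside interface IP, and lists every port forward whose public address/port has no permit in the ACL bound inbound on that interface. It assumes plain 8.2 syntax as used in the thread (`permit tcp any host X eq PORT`, no object groups).

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the ASA 8.2(5) config posted above: the first
# ACE permits .211 while the static PAT uses "interface" (.210); the second pair matches.
SAMPLE_CONFIG = """
interface Vlan2
 nameif outside
 ip address 176.28.79.210 255.255.255.248
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10006
access-list Server6 extended permit tcp any host 176.28.79.210 eq 10007
static (inside,outside) tcp interface 10006 10.70.21.6 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10007 10.70.21.7 3389 netmask 255.255.255.255
access-group Server6 in interface outside
"""

# Assumed subset of 8.2 syntax: plain host/port ACEs and tcp static PAT, no object groups.
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) tcp (\S+) (\d+) (\S+) (\d+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def interface_ips(config: str) -> Dict[str, str]:
    """Map each nameif to the IP address configured in its interface stanza."""
    ips, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None                      # new stanza, forget the previous nameif
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            ips[name] = line.split()[2]
    return ips


def unreachable_forwards(config: str) -> List[Tuple[str, int, str]]:
    """(public_ip, port, inside_ip) for each static PAT with no permit ACE on its outside ACL."""
    ips = interface_ips(config)
    aces, bound, forwards = set(), {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            aces.add((m.group(1), m.group(2), int(m.group(3))))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)   # interface -> ACL name applied inbound
        elif m := STATIC_RE.match(line):
            _, outside, public, port, inside_ip, _ = m.groups()
            if public == "interface":        # keyword means the outside interface's own IP
                public = ips.get(outside, public)
            forwards.append((outside, public, int(port), inside_ip))
    return [(pub, port, ins) for outside, pub, port, ins in forwards
            if (bound.get(outside), pub, port) not in aces]
```

Run against the thread's full config, every one of the six forwards would be reported, since all six ACEs name .211 while the statics translate .210.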
