11-13-2012 07:56 AM - edited 03-11-2019 05:22 PM
Good day,
I have the following configuration: An ASA5505 with Security bundle license sits at the perimeter with a single public IP address assigned to VLAN2 (outside) out of a /29 block. I have two servers with static IP addresses of 10.70.21.6 and 10.70.21.7 connected to the inside ports with default gateway of 10.70.21.1 (which is the IP address for the VLAN1 inside). I have already configured a default static route and NATing (PAT) so we have internet connection for the PCs.
Now I need to configure the ASA to allow remote desktop connection to the servers (with the static IP addresses above). Can I use a spare public IP address for each server and, if so, what's the syntax? Or is there another method? I have used this before, but I had a Cisco 2811 router on the perimeter, so the syntax then was:
ip nat inside source static 10.30.1.248 81.85.199.44
best regards,
11-13-2012 08:04 AM
By the way, the ASA has 8.2(5) software.
11-13-2012 08:47 AM
static (inside,outside) [outside ip] [inside ip] netmask 255.255.255.255
Example-
static (inside,outside) 69.222.73.41 10.70.21.6 netmask 255.255.255.255
static (inside,outside) 69.222.73.42 10.70.21.7 netmask 255.255.255.255
You'll also have to add the ports you want to allow in your ACL. Let me know if you have any questions.
11-13-2012 08:58 AM
Many Thanks Collin,
Here's the new scenario: the good guys at work added 5 more servers. I do not have enough public IP addresses. So I plan to use the single public IP address assigned to VLAN2 (outside) and map using different ports, say port 10006 for the server with IP address 10.70.21.6 and port 10010 for the server with IP address 10.70.21.10.
I will use Remote Desktop Connection with x.x.x.x:1000y where x.x.x.x is the VLAN2 IP address and y is the last IP digit (6, etc).
I used the following syntax:
static (inside,outside) tcp interface 10006 10.70.21.6 3389 netmask 255.255.255.255
3389 is the TCP port for RDP.
I still can't access the server. What is the ACL you are talking about? Access lists are not exactly my strong point.
regards,
11-13-2012 10:16 AM
You should have an ACL applied to the outside interface-
show run | i access-group will show you the name of the ACL and the interface it is attached to.
From there add an ACE to the ACL applied to the outside interface. Something like the following-
access-list outside_access permit tcp any [outside ip] eq 10006
tcp is the protocol to allow, any is the source IP, the next IP is the destination (which is your public IP), and 10006 is the port.
Update: Your new NATs are correct BTW
11-14-2012 12:25 AM
Ok so far nothing has worked for me. This is my configuration, so if someone could help pinpoint where did I go wrong:
: Saved
:
ASA Version 8.2(5)
!
hostname
domain-name .com
enable password /V encrypted
passwd /V encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.70.21.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 176.28.79.210 255.255.255.248
!
banner login $ Welcome to ASA1 for $
ftp mode passive
dns server-group DefaultDNS
domain-name .com
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10006
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10007
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10003
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10004
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10005
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10010
access-list Server6 extended deny ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.70.21.0 255.255.255.0
static (inside,outside) tcp interface 10006 10.70.21.6 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10007 10.70.21.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10003 10.70.21.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10004 10.70.21.4 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10005 10.70.21.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10010 10.70.21.10 3389 netmask 255.255.255.255
access-group Server6 in interface outside
route outside 0.0.0.0 0.0.0.0 176.28.79.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username Cisco password .Cjopxf encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
Everything works fine except for the remote RDP; I have PAT, local telnet, and remote ssh all working perfectly.
best regards,
11-14-2012 07:49 AM
static (inside,outside) tcp interface 10006 10.70.21.6 3389 netmask 255.255.255.255
The NAT translates the outside interface (.210) to the inside server; however, your ACL only allows traffic to host .211.
Either change your NATs to match your ACL-
static (inside,outside) tcp 176.28.79.211 10006 10.70.21.6 3389 netmask 255.255.255.255
static (inside,outside) tcp 176.28.79.211 10007 10.70.21.7 3389 netmask 255.255.255.255
static (inside,outside) tcp 176.28.79.211 10003 10.70.21.3 3389 netmask 255.255.255.255
static (inside,outside) tcp 176.28.79.211 10004 10.70.21.4 3389 netmask 255.255.255.255
static (inside,outside) tcp 176.28.79.211 10005 10.70.21.5 3389 netmask 255.255.255.255
static (inside,outside) tcp 176.28.79.211 10010 10.70.21.10 3389 netmask 255.255.255.255
or change your ACL to match your NATs-
access-list Server6 extended permit tcp any host 176.28.79.210 eq 10006
access-list Server6 extended permit tcp any host 176.28.79.210 eq 10007
access-list Server6 extended permit tcp any host 176.28.79.210 eq 10003
access-list Server6 extended permit tcp any host 176.28.79.210 eq 10004
access-list Server6 extended permit tcp any host 176.28.79.210 eq 10005
access-list Server6 extended permit tcp any host 176.28.79.210 eq 10010
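Collin's diagnosis above (the static PAT maps the outside interface address .210, while the ACL permits .211) and his earlier point that every static entry also needs a matching ACE can be checked mechanically before pasting a config in. The following Python script is an added example, not from this thread or from Cisco: it parses the 8.2-style `interface`/`nameif`/`ip address`, `static`, `access-list` and `access-group` lines of a saved config, resolves the `interface` keyword to the mapped interface's address, and reports every static PAT whose mapped address and port has no permit ACE on the ACL applied inbound on that interface (or no ACL at all, which the ASA treats as deny for inbound traffic from a lower security level). The embedded sample config is constructed from the lines posted above, trimmed to two servers; the function names are mine.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the relevant lines of the ASA 8.2 config posted in the
# thread (outside interface .210, ACL written against .211), trimmed to two hosts.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.70.21.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 176.28.79.210 255.255.255.248
!
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10006
access-list Server6 extended permit tcp any host 176.28.79.211 eq 10007
access-list Server6 extended deny ip any any
static (inside,outside) tcp interface 10006 10.70.21.6 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10007 10.70.21.7 3389 netmask 255.255.255.255
access-group Server6 in interface outside
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s*ip address\s+(\d+\.\d+\.\d+\.\d+)\s+")
# static (real_if,mapped_if) proto mapped_ip|interface mapped_port real_ip real_port ...
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+)"
)
ACE_RE = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) any host (\d+\.\d+\.\d+\.\d+) eq (\d+)"
)
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

PatEntry = Tuple[str, str, str, int, str, int]  # mapped_if, proto, mapped_ip, mapped_port, real_ip, real_port


def interface_addresses(config: str) -> Dict[str, str]:
    """Map each nameif (e.g. 'outside') to the IP address of its interface stanza."""
    addrs: Dict[str, str] = {}
    nameif = None
    for line in config.splitlines():
        if IFACE_RE.match(line):
            nameif = None                      # new stanza, forget previous nameif
        elif (m := NAMEIF_RE.match(line)):
            nameif = m.group(1)
        elif (m := IPADDR_RE.match(line)) and nameif:
            addrs[nameif] = m.group(1)
    return addrs


def static_pats(config: str, addrs: Dict[str, str]) -> List[PatEntry]:
    """Parse port-forwarding static entries; 'interface' resolves to the mapped side's address."""
    entries: List[PatEntry] = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        _real_if, mapped_if, proto, mapped, mport, real, rport = m.groups()
        if mapped == "interface":
            mapped = addrs[mapped_if]
        entries.append((mapped_if, proto, mapped, int(mport), real, int(rport)))
    return entries


def permitted(config: str) -> Dict[str, Set[Tuple[str, str, int]]]:
    """ACL name -> set of (proto, dst_ip, dst_port) permitted from any source."""
    acls: Dict[str, Set[Tuple[str, str, int]]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m:
            name, proto, dst, port = m.groups()
            acls.setdefault(name, set()).add((proto, dst, int(port)))
    return acls


def inbound_acl(config: str) -> Dict[str, str]:
    """Interface nameif -> name of the ACL applied inbound on it."""
    groups: Dict[str, str] = {}
    for line in config.splitlines():
        m = ACCESS_GROUP_RE.match(line)
        if m:
            groups[m.group(2)] = m.group(1)
    return groups


def find_unreachable_pats(config: str) -> List[str]:
    """One message per static PAT that the inbound ACL on its mapped interface does not permit."""
    addrs = interface_addresses(config)
    acls = permitted(config)
    groups = inbound_acl(config)
    problems: List[str] = []
    for mapped_if, proto, mapped, mport, real, rport in static_pats(config, addrs):
        acl = groups.get(mapped_if)
        if acl is None:
            problems.append(f"{proto} {mapped}:{mport} -> {real}:{rport}: no ACL applied inbound on {mapped_if}")
        elif (proto, mapped, mport) not in acls.get(acl, set()):
            problems.append(f"{proto} {mapped}:{mport} -> {real}:{rport}: ACL {acl} has no permit for it")
    return problems


if __name__ == "__main__":
    for msg in find_unreachable_pats(SAMPLE_CONFIG):
        print(msg)
```

Run against the sample it reports both forwards as blocked because the ACEs name .211 while the translations sit on .210; applying either of Collin's fixes (rewriting the ACEs to .210, or the statics to .211) makes the report empty. Only the `permit ... any host X eq N` ACE shape is recognised, so a permit written with a network or object-group source would be reported as missing and should be checked by hand.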