11-29-2013 10:41 PM - edited 03-11-2019 08:11 PM
Hello Guys,
It's been a while since I played around with a Cisco CLI and I can't remember the proper syntax to add another public IP to my Cisco ASA5505. I was given a block of public IPs, 108.32.83.96 - 102. I'm using .97 for the outside interface and would like to use .98 for a web server behind the firewall.
So I've been trying the following, but it has not worked:
1) Created object "WebServer"
2) Added Host 192.168.1.9
3) Added Nat (inside,Outside) static 108.32.83.98 service tcp 80 80
4) access-list OutsideWebServer permit tcp any host 192.168.1.9 eq www
5) access-group OutsideWebserver in interface outside
The above will only work when I change the address 108.32.83.98 to "interface", which then uses the outside interface. Any help will be appreciated.
Thanks
Jay
11-29-2013 11:26 PM
Hi Jay,
Could you try:
object network WebServer
host 192.168.1.9
object network WebServer-Public
host 108.32.83.98
nat (inside,Outside) static WebServer service tcp 80 80
Sent from Cisco Technical Support iPhone App
11-30-2013 06:20 AM
Ok, check the ARP table on the ASA to confirm that nobody is using that address and check the interface netmask on the outside to confirm that the ASA will ARP for that address.
show run interface would be great.
Value our effort and rate the assistance!
11-30-2013 03:47 PM
I've tried the above suggestion, however still no luck. Below is my running config. Please take a look and let me know if I missed something.
ciscoasa# sh ru
: Saved
:
ASA Version 8.4(4)1
!
hostname ciscoasa
domain-name CommandServer.local
enable password xdmK2yQnEOr75wr1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 108.83.32.97 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif guest
security-level 50
ip address 192.168.10.1 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 69.94.156.1
name-server 69.94.157.1
domain-name CommandServer.local
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object service TheDude
service tcp source eq 8080 destination eq 8080
object service Spotify
service tcp source eq 4070 destination eq 4070
description Musci Serivce
object service Http
service tcp source eq www destination eq www
object service Https
service tcp source eq https destination eq https
object network WebServer
host 192.168.1.9
object network WebServer-Public
host 108.83.32.98
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split_ssl standard permit 192.168.1.0 255.255.255.0
access-list WebServer extended permit tcp any host 192.168.1.9 eq www
pager lines 24
logging enable
logging asdm informational
logging from-address jay.kelly@8wire.net
logging recipient-address jay.kelly@8wire.net level alerts
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool SSL_Pool2 192.168.100.1-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (guest,outside) dynamic interface
object network WebServer-Public
nat (inside,outside) static WebServer service tcp www www
access-group WebServer in interface outside
route outside 0.0.0.0 0.0.0.0 108.83.32.102 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
snmp-server host inside 192.168.1.102 community *****
snmp-server location Closet
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd dns 69.94.156.1 69.94.157.1
dhcpd auto_config outside
!
dhcpd address 192.168.1.31-192.168.1.99 inside
dhcpd dns 192.168.1.100 4.2.2.2 interface inside
dhcpd domain CommandServer.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.10-192.168.10.60 guest
dhcpd dns 4.2.2.2 interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 50.22.155.163 source outside prefer
tftp-server inside 192.168.1.102 Cisco
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 3
anyconnect enable
tunnel-group-list enable
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
vpn-tunnel-protocol ssl-client
group-policy SSL_NEWGRP internal
group-policy SSL_NEWGRP attributes
wins-server none
dns-server value 69.94.156.1 69.94.157.1
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_ssl
default-domain value CommandServer.local
username ******* password GL/xoXmNE9qoDE4g encrypted privilege 0
username ******* attributes
vpn-group-policy SSL_NEWGRP
username ****** password JG.e5Lb3X211dItD encrypted privilege 15
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool SSL_Pool2
default-group-policy SSL_Policy
tunnel-group SSL_OUTSIDE type remote-access
tunnel-group SSL_OUTSIDE general-attributes
address-pool SSL_Pool2
default-group-policy SSL_NEWGRP
tunnel-group SSL_OUTSIDE webvpn-attributes
group-alias VPNUSERS enable
group-url https://108.83.32.97/VPNUSERS enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous prompt 2
call-home
contact-email-addr
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:f7ae056e448504665a843604cf30e538
: end
11-30-2013 11:25 PM
Hello Jay,
This configuration works when you use the IP address on the outside interface, because as soon as you do that the ASA will generate a Gratuitous ARP message that will update the ARP table of the other devices.
My recommendation would be the following:
object network WebServer
host 192.168.1.9
object network WebServer-Public
host 108.32.83.98
object service HTTP
service tcp source eq 80
exit
nat (inside,outside) 1 source static WebServer WebServer-Public service HTTP HTTP
Afterwards, try to connect; if it does not work, then I would assume there is a problem with the L2 network cache of the device upstream.
I would go to the modem or whatever device and clear the ARP table or write a static ARP entry for the IP address of 108.32.83.98 pointing to the ASA outside intf MAC address.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-01-2013 07:58 PM
This is the configuration that you have:
object network WebServer
host 192.168.1.9
object network WebServer-Public
host 108.32.83.98
object network WebServer-Public
nat (inside,outside) static WebServer service tcp www www
Your NAT is incorrect:
object network WebServer
nat (inside,outside) static WebServer-Public service tcp www www
That is the correct configuration.
Value our effort and rate the assistance!
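As an added illustration that is not part of the thread, here is a small Python checker that parses ASA 8.3+ object-NAT blocks and flags the inversion the accepted answer corrects: the nat line placed under the public-address object and pointing at the real inside object, instead of the other way round. The sample config is constructed from the thread's object names and addresses, and the parser assumes, as Jay's show run output above demonstrates, that the ASA prints an object block a second time to carry its nat line.

```python
import ipaddress
import re

# Constructed sample with the thread's addresses: nat under the PUBLIC object.
BROKEN_CONFIG = """\
object network WebServer
 host 192.168.1.9
object network WebServer-Public
 host 108.83.32.98
object network WebServer-Public
 nat (inside,outside) static WebServer service tcp www www
"""
# Corrected form from the accepted answer: nat under the REAL (inside) object.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "object network WebServer-Public\n nat (inside,outside) static WebServer ",
    "object network WebServer\n nat (inside,outside) static WebServer-Public ",
)

OBJ_RE = re.compile(r"^object network (\S+)")
HOST_RE = re.compile(r"^\s*host (\S+)")
NAT_RE = re.compile(r"^\s*nat \((\S+),(\S+)\) static (\S+)")


def parse_objects(config):
    """name -> {'host': ip, 'nat': (real_if, mapped_if, mapped_obj)}; repeated blocks merged."""
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = objects.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        if m := HOST_RE.match(line):
            current["host"] = ipaddress.ip_address(m.group(1))
        elif m := NAT_RE.match(line):
            current["nat"] = m.groups()
    return objects


def find_inverted_static_nats(config):
    """(object holding nat, mapped object) pairs where a public host object maps to a private one."""
    objects = parse_objects(config)
    findings = []
    for name, obj in objects.items():
        if "nat" not in obj or "host" not in obj:
            continue
        mapped = objects.get(obj["nat"][2], {})
        if "host" in mapped and not obj["host"].is_private and mapped["host"].is_private:
            findings.append((name, obj["nat"][2]))
    return findings
```

Static NATs whose mapped side is the keyword `interface` rather than an object, like Jay's working fallback, have no host entry to compare and are skipped.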
12-02-2013 10:24 AM
That was it, it's working great now.
Thanks for your help!
Jay
12-02-2013 03:37 PM
Glad to hear that we were able to make it happen,
Please now mark the question as answered
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com