Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4741
Views
5
Helpful
4
Replies

ASA 5505 -Can I use outside dynamic IP for webserver DMZ?

Go to solution
Robert Anderson
Level 1
Level 1

‎07-10-2013 12:17 AM - edited ‎03-11-2019 07:10 PM

SETUP

ASA 5505

ASA Version 9.1(2)

ASDM Version 7.1(3)

I have basic license, using only three vlans (outside, inside, DMZ).

QUESTION:

I want to find a way (if possible) to use the single DYNAMIC IP (dhcp'd from ISP) on the "outside" interface, as a means to setup a web-server on the DMZ? I just want to allow my WHS-2011 (server) to talk to microsoft's free DDNS service where my domain name is hosted (ports 80,443,4125).

So far, every setup option I have tried does not make it past the implicit deny acl's (on the outside interface) to the web-server (DMZ).

I understand that the VLAN1 (inside) had to be disabled. I understand that objects now replace some of the older NAT'd components.

CONFIG:

object network webserver-external-ip

host <X.X.X.X>

! I had set this to match my ISP DHCP address

object network webserver

host 172.16.0.2

nat (DMZ,outside) static webserver-external-ip service tcp www www

nat (DMZ,outside) static webserver-external-ip service tcp 443 443

nat (DMZ,outside) static webserver-external-ip service tcp 4125 4125

access-list outside_acl extended permit tcp any object webserver eq www

access-list outside_acl_https extended permit tcp any object webserver eq 443

access-list outside_acl_rww extended permit tcp any object webserver eq 4125

access-group outside_acl in interface outside

access-group outside_acl_https in interface outside

access-group outside_acl_rww in interface outside

! added the dns statements below because the cisco doc (below) says it's required or dmz traffic can't get out despite default rule allowing it to do so.

! (ctrl-F) ... "all traffic would be blocked from the dmz to hosts on the internet"


! http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bf150c.shtml

object network dns-server

host 8.8.8.8

exit

access-list dmz_acl extended permit udp any object dns-server eq domain

access-list dmz_acl extended permit ip any any

access-group dmz_acl in interface DMZ

SUMMARY:

I just want to allow my WHS-2011 (server) to talk to microsoft's free DDNS service where my domain name is hosted (ports 80,443,4125).

I want to find a way (if possible) to use the single DYNAMIC IP (dhcp'd from ISP) on the "outside" interface, as a means to setup a web-server on the DMZ?

Other:

As an interim alternative, I have been able to setup & connect to the ASA using clientless vpn (web-ssl), and from there getting over to my WHS2011 server...-but the problem is, I have no way of knowing, or updating my DDNS once that IP changes since the ASA keeps blocking the return traffic to theh outside interface. My only assumption is that becasue I am using a single dynamic IP (outside interface) that it has nothing to re-direct the traffic to....???

Thank You for any help you can provide!!

k/r

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎07-10-2013 12:49 AM

Hi,

I cant really help with the DDNS portion but I would imagine you already have that sorted out.

The ASA configurations however seem a bit off to me.

Here is what you should configure

STATIC PAT TO HOST SERVICES

There are some changes that need to be done to both ACL and NAT configurations. First of the NAT configurations for each port require their own "object network" to be configured.

Also since you are using a DHCP address from the ISP to act as the NAT address then you can use the keyword/parameter "interface" in the actual "nat" command. This basically tells the ASA that it should use whatever IP address is currently on the "outside" interface of the ASA. So you wont have to configure any separate "object network" for the public IP address every time it changes.

Also, with regards to the ACL configurations. You should only configure one ACL per interface in the "in" direction. So all the rules you need to configure for traffic inbound from the Internet need to be in the same ACL that you then attach to the "outside" interface with the command "access-group"

object network WEBSERVER-TCP80

host 172.16.0.2

nat (DMZ,outside) static interface service tcp www www

object network WEBSERVER-TCP443

host 172.16.0.2

nat (DMZ,outside) static interface service tcp 443 443

object network WEBSERVER-TCP4125

host 172.16.0.2

nat (DMZ,outside) static interface service tcp 4125 4125

access-list outside_acl extended permit tcp any object WEBSERVER-TCP80 eq www

access-list outside_acl extended permit tcp any object WEBSERVER-TCP443 eq https

access-list outside_acl extended permit tcp any object WEBSERVER-TCP4125 eq 4125

access-group outside_acl in interface outside

DYNAMIC PAT FOR LANs and DMZs

The above NAT configurations only handles the NAT for situations where the remote hosts on the Internet contact your DMZ server.

If you want to configure Dynamic PAT for all your LAN and DMZ users which basically enable them to use the "outside" interface public IP address for Internet traffic, then you could configure this single "nat" configuration

nat (any,outside) after-auto source dynamic any interface

This would enable Dynamic PAT for all users behind the ASA

I am not sure if you will run into problems since you are using a single public IP address and trying to forward TCP/443. This port is both used for SSL VPN and ASDM management of the ASA.

If you want to change the default port of the ASDM management you can use this command

http server enable

If you want to change the default port of SSL VPN you can use these commands

webvpn

port

Naturally before doing either of the above changes, make sure that you are not relying to them for management purposes if something was to go wrong. If you have SSH management access to the ASA then it should naturally be ok.

I am not sure if all of the above are enough to get your setup working but it should be the basics. Naturally if there is still problems after the above suggestions it might be helpfull to see the current ASA configurations. For example NAT might not work if the ordering of NAT rules is wrong even though the actual configurations are otherwise valid.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

View solution in original post

4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎07-10-2013 12:49 AM

Hi,

I cant really help with the DDNS portion but I would imagine you already have that sorted out.

The ASA configurations however seem a bit off to me.

Here is what you should configure

STATIC PAT TO HOST SERVICES

There are some changes that need to be done to both ACL and NAT configurations. First of the NAT configurations for each port require their own "object network" to be configured.

Also since you are using a DHCP address from the ISP to act as the NAT address then you can use the keyword/parameter "interface" in the actual "nat" command. This basically tells the ASA that it should use whatever IP address is currently on the "outside" interface of the ASA. So you wont have to configure any separate "object network" for the public IP address every time it changes.

Also, with regards to the ACL configurations. You should only configure one ACL per interface in the "in" direction. So all the rules you need to configure for traffic inbound from the Internet need to be in the same ACL that you then attach to the "outside" interface with the command "access-group"

object network WEBSERVER-TCP80

host 172.16.0.2

nat (DMZ,outside) static interface service tcp www www

object network WEBSERVER-TCP443

host 172.16.0.2

nat (DMZ,outside) static interface service tcp 443 443

object network WEBSERVER-TCP4125

host 172.16.0.2

nat (DMZ,outside) static interface service tcp 4125 4125

access-list outside_acl extended permit tcp any object WEBSERVER-TCP80 eq www

access-list outside_acl extended permit tcp any object WEBSERVER-TCP443 eq https

access-list outside_acl extended permit tcp any object WEBSERVER-TCP4125 eq 4125

access-group outside_acl in interface outside

DYNAMIC PAT FOR LANs and DMZs

The above NAT configurations only handles the NAT for situations where the remote hosts on the Internet contact your DMZ server.

If you want to configure Dynamic PAT for all your LAN and DMZ users which basically enable them to use the "outside" interface public IP address for Internet traffic, then you could configure this single "nat" configuration

nat (any,outside) after-auto source dynamic any interface

This would enable Dynamic PAT for all users behind the ASA

I am not sure if you will run into problems since you are using a single public IP address and trying to forward TCP/443. This port is both used for SSL VPN and ASDM management of the ASA.

If you want to change the default port of the ASDM management you can use this command

http server enable

If you want to change the default port of SSL VPN you can use these commands

webvpn

port

Naturally before doing either of the above changes, make sure that you are not relying to them for management purposes if something was to go wrong. If you have SSH management access to the ASA then it should naturally be ok.

I am not sure if all of the above are enough to get your setup working but it should be the basics. Naturally if there is still problems after the above suggestions it might be helpfull to see the current ASA configurations. For example NAT might not work if the ordering of NAT rules is wrong even though the actual configurations are otherwise valid.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Go to solution
Robert Anderson
Level 1
Level 1
In response to Jouni Forss

‎07-10-2013 01:52 AM

Jouni,

  Wow! That was FAST and TOTALLY CORRECT!!  - OUTSTANDING!!!

I did also change my ASDM port just to be sure of that issue you noted.

I can't say "Thank You!" enough!

Jason

(aka) Robert, axetone, et al.

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Robert Anderson

‎07-10-2013 02:07 AM

Hi,

Glad to hear it worked

- Jouni

0 Helpful

Go to solution
alafever1
Level 1
Level 1
In response to Jouni Forss

‎11-12-2014 02:40 PM

Great advice Jouni!  

I am trying to accomplish a similar setup with a static IP.   I've got a web server in the DMZ.  I've gone through all of the commands described (leaving out https for now because of the AnyConnect interface) and see them all properly reflected.  


When I go onto the web server and use canyouseeme.org to check port 80 that no traffic is being allowed to the server on the port.  I'm unable to access the IIS website from the internet.  The IIS server is able to freely browse the internet. Any ideas what I might be doing wrong? 

I'm very new to this...so pardon the mess in the log.

Preview file
4 KB
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card