ASA 5505 Single IP to SBS

brunellej
Level 1

Community,

Running into an issue with configuring an ASA 5505 running ASA v8.3. I have a single IP address assigned to the outside interface and would like to leverage it for our SBS that's connected to the inside. Every attempt seems to result in the inbound session being blocked by the ACL.

The outside IP is 208.1.1.1 and the SBS service is running on the inside with 192.168.1.10. I would like to NAT inbound services for HTTPS and SMTP to the 192.168.1.10 SBS server on the same ports.

What am I doing wrong?

/jb


10 Replies

Hi,

I think this configuration will do it for the translation:

object network obj-192.168.1.10
host 192.168.1.10
nat (inside,outside) static 208.1.1.1 service tcp www www

object network obj-192.168.1.10
host 192.168.1.10
nat (inside,outside) static 208.1.1.1 service tcp 25 25

Now, the ACL applied in the inbound direction to the outside interface should refer to the real IP, so for example:

access-list outside permit tcp any host 192.168.1.10 eq 80

access-list outside permit tcp any host 192.168.1.10 eq 25

Hope it helps.
Federico.

Thanks, but I have tried that and it keeps telling me it overlaps the outside interface.

> object network obj-192.168.1.10

> host 192.168.1.10

> nat (inside,outside) static 208.1.1.1 service tcp smtp smtp

ERROR: Address 208.1.1.1 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

It's got to be possible to leverage the single outside IP.

/jb

Fixed the overlap issue by leveraging the interface command. But I am still being blocked by the policy, which makes no sense.

/jb

So, you got the NAT working, can you paste the ACL in question?

Federico.

Here's my configuration, hopefully you can advise as to where I am making my mistake:

ASA Version 8.3(2)
!
hostname fw1
domain-name mydomain.com
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
names
!
interface Vlan1
description Internal Network
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address 208.1.1.1 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 50
no ip address
!
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 75
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mydomain.com
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.1.10
host 192.168.1.10
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside extended permit tcp any host 192.168.1.10 eq https
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.1.10
access-list outside extended permit tcp any host 192.168.1.10 eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) static interface
object network obj-192.168.1.10
nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 208.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.100-192.168.2.254 Wireless-Guest
dhcpd enable Wireless-Guest
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
webvpn
username meuser password xxxxxxxxxx encrypted privilege 15
!
!
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f30cf93419b6a7df26eebd8f45c3a9bd
: end

These lines:

access-list outside extended permit tcp any host 192.168.1.10 eq https
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.1.10
access-list outside extended permit tcp any host 192.168.1.10 eq smtp

Should read:

access-list outside_access_in extended permit tcp any host 192.168.1.10 eq https
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.1.10
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq smtp

Kindly rate helpful posts :-)

Federico.

I am getting closer, but still having an issue. When I attempt to make an inbound HTTPS session, I see this in the SYSLOG messages:

4 | Jan 30 2011 | 19:45:29 | 75.194.178.56 | 57513 | 0.0.0.0 | 443 | Deny tcp src outside:75.194.178.56/57513 dst inside:0.0.0.0/443 by access-group "outside_access_in" [0x0, 0x0]

Thoughts?

/jb

What about SMTP?

On the latest config I see only this:

object network obj-192.168.1.10
nat (inside,outside) static interface service tcp smtp smtp

But not this:

object network obj-192.168.1.10
nat (inside,outside) static interface service tcp https https

Federico.

You are correct, and I hadn't caught that one. But when I attempt to add the other protocols, it replaces the last one. So I must be doing something wrong.

/jb

Hi,

I think the reason that the last NAT object replaces the previous one is because you cannot have more than one object with the same name.

You should be fine defining the configuration like this:

object network obj-192.168.1.10
host 192.168.1.10
object network obj-192.168.1.10-2
host 192.168.1.10

object network obj-192.168.1.10
nat (inside,outside) static interface service tcp 25 25

object network obj-192.168.1.10-2
nat (inside,outside) static interface service tcp 443 443

Federico.
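As an added example (not from the thread, not Cisco code), a small Python lint that reads an ASA 8.3 running-config and flags the three pitfalls this thread walks through: a static NAT to the outside interface's own address (the "overlaps with outside interface address" error), an access-list entry written against the mapped `interface` address rather than the real host, and an access-list that is never bound with `access-group`. Both config samples are constructed condensations of the posted configuration and the accepted answer, using the thread's addresses.

```python
import re

# Constructed sample condensed from the thread's posted ASA 8.3 config
# (208.1.1.1 = outside interface, 192.168.1.10 = SBS host, as in the thread).
BROKEN_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 208.1.1.1 255.255.255.0
object network obj-192.168.1.10
 host 192.168.1.10
 nat (inside,outside) static 208.1.1.1 service tcp smtp smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside extended permit tcp any host 192.168.1.10 eq smtp
access-group outside_access_in in interface outside
"""
# The same set-up written the way the accepted answer recommends (constructed).
FIXED_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 208.1.1.1 255.255.255.0
object network obj-192.168.1.10
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 25 25
object network obj-192.168.1.10-2
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 443 443
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq https
access-group outside_access_in in interface outside
"""
def lint_asa83(config: str) -> list[str]:
    # Addresses owned by interfaces: a static NAT to one of these is rejected by the ASA.
    iface_ips = set(re.findall(r"^\s*ip address (\S+)", config, re.M))
    findings, acl_names, applied, obj = [], set(), set(), None
    for raw in config.splitlines():
        line, parts = raw.strip(), raw.split()
        if line.startswith("object network "):
            obj = parts[2]                               # entering an object stanza
        elif line.startswith("nat ") and obj:
            m = re.match(r"nat \(\w+,\w+\) static (\S+)", line)
            if m and m.group(1) in iface_ips:            # the 'overlaps' error from the thread
                findings.append(f"{obj}: static NAT to {m.group(1)} overlaps an interface; use 'static interface'")
        elif line.startswith("access-list "):
            acl_names.add(parts[1])
            if "interface" in parts:                     # mapped address, pre-8.3 style ACL
                findings.append(f"ACL {parts[1]}: matches mapped 'interface' address; 8.3 ACLs match the real host")
        elif line.startswith("access-group "):
            applied.add(parts[1])                        # ACLs actually bound to an interface
    for name in sorted(acl_names - applied):
        findings.append(f"ACL {name}: defined but never bound with access-group")
    return findings
```

Running `lint_asa83(BROKEN_CONFIG)` reports all three problems, while the accepted answer's form returns no findings.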
