08-23-2012 12:23 AM - edited 02-21-2020 04:42 AM
I have the need to replace my Sonicwall firewall and I got an ASA 5505. However, I need to have a transparent firewall, no NATting, and the web server will have a public IP address with the relevant ports kept open.
The simple illustration is Internet ---------------->Transparent Firewall--------------------------------Web Server(With public IP Address)
1. There should be no natting
2. The web server must have a public IP and be accessible from the internet.
3. Ports can be blocked or re-opened.
Please let me know if it's possible to have this arrangement.
If yes, can I get a command line sequence that enables this to work?
My version is
Cisco Adaptive Security Appliance Software Version 8.4(4)5
Device Manager Version 6.4(9)
Thanks in advance
Message was edited by: Don Chuks
08-23-2012 08:01 AM
This is a minimal configuration for your need (it is running on an ASA 5520).
!
firewall transparent
!
interface GigabitEthernet0
description --- Connected to the Internet ---
nameif outside
bridge-group 1
security-level 0
!
!
interface GigabitEthernet3
description --- Connected to LAN ---
nameif inside
bridge-group 1
security-level 100
!
!
interface BVI1
description --- For Management only ---
ip address 10.1.10.1 255.255.255.0
!
!
object network WWW-SERVER-OBJ
description --- The WEB server ----
host 123.123.123.123
!
!
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
description --- Services published on WEB server ----
port-object eq www
port-object eq https
!
!
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
!
!
access-group OUTSIDE-IN-ACL in interface outside
!
Samuel Petrescu
08-24-2012 04:02 AM
Everything is allowed because of the last line "access-list OUTSIDE-IN-ACL line 2 extended permit ip any any".
You have to take it out.
This is how it should look:
!
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
description --- Services TCP published on WEB server ----
port-object eq 80
port-object eq 443
port-object eq 1812
port-object eq 1813
port-object eq 1845
port-object eq 1846
port-object eq 3799
port-object eq 10100
port-object eq 10200
port-object eq 10300
port-object eq 20235
!
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
description --- Services UDP published on WEB server ----
port-object eq 1812
port-object eq 1813
port-object eq 1845
port-object eq 1846
port-object eq 3799
port-object eq 10100
port-object eq 10200
port-object eq 10300
port-object eq 20235
!
!
!
!
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
!
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
!
!
!
You can customize access based on this template.
Samuel Petrescu
08-31-2012 04:17 AM
To allow the public IP xxx.yyy.zzz.xyz to connect to the inside server on port TCP 3306:
access-list OUTSIDE-IN-ACL extended permit tcp host xxx.yyy.zzz.xyz object WWW-SERVER-OBJ eq 3306
By default all ports are closed; only the ports explicitly allowed will be opened.
If you want to write an explicit rule to close port 25 from anywhere to anywhere (target port TCP 25):
access-list OUTSIDE-IN-ACL line 1 deny tcp any any eq 25
Samuel Petrescu
08-23-2012 01:22 AM
Yes, that can be done with the ASA. The procedure is specified in the config guide. First go through the config of the transparent firewall:
http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/mode_fw.html
Then configure your access-control:
http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/access_rules.html
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-23-2012 07:26 AM
The URLs are not working for me. It says they are either broken or that I do not have access.
Can I get the text on here?
08-23-2012 10:34 AM
When I apply this config, the system remains inaccessible from outside. The system does not get to the internet as well.
Below is my sho run:
ciscoasa(config)# sho run
: Saved
:
ASA Version 8.4(4)5
!
firewall transparent
hostname ciscoasa
enable password msi14F/SlH4ZLjHH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
!
interface Vlan2
nameif outside
bridge-group 1
security-level 0
!
interface BVI1
description --- For Management only ---
ip address x.x.x.x 255.255.255.252
!
ftp mode passive
object network WWW-SERVER-OBJ
host y.y.y.y
description --- The WEB server ----
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
description --- Services published on WEB server ----
port-object eq www
port-object eq https
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group OUTSIDE-IN-ACL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fdda72841b7b2d386dccbed6b996d2af
: end
08-23-2012 10:41 AM
You forgot this:
!
interface Vlan1
nameif inside
security-level 100
bridge-group 1
!
08-23-2012 10:52 AM
Thanks
When I do that, there is a big change, but I still cannot access http/https.
Also when I ping the station, no luck.
I also tried RDP but no luck.
Thanks indeed for all the help
08-23-2012 11:09 AM
Also, you don't have any interface in vlan 1.
If interface Ethernet0/2 is meant to be the inside interface (where the server is connected), it should belong to vlan 1 (not vlan 2).
Run:
interface e0/2
switchport access vlan 1
Connect the internet cable to Ethernet0/0.
Also, by default ICMP will not pass through; you have to allow it.
Also, in this configuration only http and https are allowed; if you want to RDP in, you have to allow it.
Thank you
Samuel Petrescu
08-23-2012 11:17 AM
Thanks.
I made the change. The system is plugged into Et0/1 and the internet cable is plugged into Et0/0.
When I show Et0/0 I get the following, and show vlan is as below:
ciscoasa(config)# show int et0/1
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 5475.d0fc.ad1b, MTU not set
IP address unassigned
44852 packets input, 4149552 bytes, 0 no buffer
Received 36135 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
6939 packets output, 1563776 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
ciscoasa(config)# show switch vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------
1 inside up Et0/1, Et0/2, Et0/3, Et0/4
Et0/5, Et0/6, Et0/7
2 outside up Et0/0
ciscoasa(config)#
08-23-2012 11:53 AM
Now looks good.
To allow icmp from outside (the easy way):
access-list OUTSIDE-IN-ACL extended permit icmp any any
fixup protocol icmp
Thank you
Sam
08-23-2012 12:32 PM
Thanks Samuel.
However, I am wondering if this solution is really possible.
I had spoken to many networking people around and they say it's only Sonicwall that supports that mode.
Strangely, it's been more than a week and the nearest to it is your solution above. We had tried a paid approach but most of the people simply did not get back because they say it's only possible with NAT.
Http/https traffic is still not passing, not sure why.
Is there a way to just allow everything without bypassing the firewall?
That way, we can get to know why it's not allowing http/https traffic.
Thanks indeed for all the help, its given us a ray of hope
08-23-2012 01:16 PM
From previous e-mails I understood the server has the public IP, and you wanted it to be this way.
The solution for this is a transparent firewall, but this will not do NAT, and you don’t need NAT in this situation.
To allow everything:
access-list OUTSIDE-IN-ACL extended permit ip any any
access-group OUTSIDE-IN-ACL in interface outside
I don’t know why you want the server to have the public IP (maybe there is a reason).
The professional solution is to use the firewall in routed mode, and the server to have a private IP.
Instead of server having the public IP, the firewall will have that public IP, and when a http request is made to that public IP, the firewall will forward traffic inside to the server.
In this situation NAT is needed, and will work.
Or maybe the server doesn't really have the public IP?
Thank you
Sam
08-23-2012 01:26 PM
Thanks Samuel
You are correct
We have an application that can only work with a public IP address
It does not support NAT
So ideally what we need is where this firewall can protect the webserver.
We open the ports that we need, including http and https.
If there is a way to make the server see the internet in this configuration, that will do it.
Even when we allow everything it still won't allow http traffic.
I strongly think your solution is very close to it.
Unfortunately, I can't seem to be able to open the URL posted in the first reply.
Thanks
08-23-2012 04:01 PM
The error is: "Management interface has to have IP from the same subclass as your public ip on the server"
This, even if you don't use it for management.
!
interface BVI1
description --- For Management only ---
ip address "public ip" subnetmask
!
I built a test environment to verify, and without this management IP from the correct subnet, the ARP protocol will fail.
ciscoasa(config)# debug arp
debug arp enabled at level 1
arp-in: Arp packet received from 173.x.x.x which is in different subnet than the connected interface 0.0.0.0/255.255.255.255
arp-in: Arp packet received from 173.x.x.x which is in different subnet than the connected interface 0.0.0.0/255.255.255.255
arp-in: Arp packet received from 173.x.x.x which is in different subnet than the connected interface 0.0.0.0/255.255.255.255
arp-in: Arp packet received from 173.x.x.x which is in different subnet than the connected interface 0.0.0.0/255.255.255.255
arp-in: Arp packet received from 173.x.x.x which is in different subnet than the connected interface 0.0.0.0/255.255.255.255
arp-in: Arp packet received from 173.x.x.x which is in different subnet than the connected interface 0.0.0.0/255.255.255.255
Samuel Petrescu
08-23-2012 10:07 PM
Thanks Samuel.
It works. Strangely, I did everything afresh but it allowed http and https, and RDP works. I am not sure why RDP works.
Sorry, I keep asking. I intend to open some UDP ports as well: UDP/TCP 1812, 1813, 1845, 1846, 3799, 10100, 10200, 10300, 20235.
Will let you know how that goes, though I am yet to figure out how to block UDP ports.
See the access list and see if you can see why RDP works:
ciscoasa(config)# show access-list OUTSIDE-IN-ACL
access-list OUTSIDE-IN-ACL; 3 elements; name hash: 0x585e19e6
access-list OUTSIDE-IN-ACL line 1 extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ (hitcnt=16) 0x28efdb7f
access-list OUTSIDE-IN-ACL line 1 extended permit tcp any host xxx.yy.zzz.mmm eq www (hitcnt=2) 0x6a290a4e
access-list OUTSIDE-IN-ACL line 1 extended permit tcp any host xxx.yy.zzz.mmm eq https (hitcnt=14) 0x41cdf538
access-list OUTSIDE-IN-ACL line 2 extended permit ip any any (hitcnt=186) 0x74278021
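Pulling the thread's pieces together (transparent mode and bridge group, both VLANs as bridge-group members, the BVI address inside the server's public subnet so ARP is not dropped, TCP and UDP service groups, an explicit deny ahead of the permits, and ICMP), here is a consolidated ASA 5505 configuration as an added example, not posted by anyone in the thread. The 203.0.113.0/29 subnet, server address and BVI address are constructed placeholders; the port 3389 entry and the tcp-udp group are assumptions illustrating the RDP and RADIUS ports discussed above.

```cisco
! Added example: consolidated ASA 5505 transparent-mode config drawn from this thread.
! Addresses are constructed placeholders: 203.0.113.0/29 is the public subnet,
! 203.0.113.2 the web server, 203.0.113.3 the BVI management address.
firewall transparent
interface Ethernet0/0
 description --- Connected to the Internet ---
 switchport access vlan 2
interface Ethernet0/1
 description --- Connected to the web server ---
 switchport access vlan 1
! Both VLAN interfaces must be members of the same bridge group
interface Vlan1
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan2
 nameif outside
 bridge-group 1
 security-level 0
!
! The BVI must carry an address in the same subnet as the server;
! without it the ASA drops ARP as "different subnet" (see the debug arp output above).
interface BVI1
 description --- Management; also required for ARP in the bridged subnet ---
 ip address 203.0.113.3 255.255.255.248
!
object network WWW-SERVER-OBJ
 host 203.0.113.2
!
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
 port-object eq www
 port-object eq https
 port-object eq 3389
! Ports published on both TCP and UDP (assumed subset of the thread's list)
object-group service WWW-SERVER-SERVICES-TCPUDP-OBJ tcp-udp
 port-object eq 1812
 port-object eq 1813
 port-object eq 3799
! Explicit deny first so it is evaluated before the permits; the implicit deny closes everything else.
! No "permit ip any any" here: that line would bypass the filtering entirely.
access-list OUTSIDE-IN-ACL extended deny tcp any any eq smtp
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit object-group WWW-SERVER-SERVICES-TCPUDP-OBJ any object WWW-SERVER-OBJ
access-list OUTSIDE-IN-ACL extended permit icmp any object WWW-SERVER-OBJ echo
access-group OUTSIDE-IN-ACL in interface outside
! ICMP inspection lets the echo replies back out without a separate inside-to-outside rule
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify with `show access-list OUTSIDE-IN-ACL` that the expanded entries and hit counts match what you intend, and that no "permit ip any any" line remains.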