08-23-2012 12:23 AM - edited 02-21-2020 04:42 AM
I need to replace my SonicWall firewall and I got an ASA 5505. However, I need to have a transparent firewall, no NATting, and the web server will have a public IP address with the relevant ports kept open.
The simple illustration is Internet ---------------->Transparent Firewall--------------------------------Web Server(With public IP Address)
1. There should be no NATting
2. The web server must have a public IP and be accessible from the internet.
3. Ports can be blocked or re-opened.
Please let me know if it's possible to have this arrangement.
If yes, can I get a command line sequence that enables this to work?
My version is
Cisco Adaptive Security Appliance Software Version 8.4(4)5
Device Manager Version 6.4(9)
Thanks in advance
Message was edited by: Don Chuks
08-24-2012 04:02 AM
Everything is allowed because of the last line "access-list OUTSIDE-IN-ACL line 2 extended permit ip any any".
You have to take it out.
This is how it should look:
!
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
description --- Services TCP published on WEB server ----
port-object eq 80
port-object eq 443
port-object eq 1812
port-object eq 1813
port-object eq 1845
port-object eq 1846
port-object eq 3799
port-object eq 10100
port-object eq 10200
port-object eq 10300
port-object eq 20235
!
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
description --- Services UDP published on WEB server ----
port-object eq 1812
port-object eq 1813
port-object eq 1845
port-object eq 1846
port-object eq 3799
port-object eq 10100
port-object eq 10200
port-object eq 10300
port-object eq 20235
!
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
!
You can customize access based on this template
Samuel Petrescu
08-24-2012 04:13 AM
This will allow only the specified TCP/UDP ports; everything else will be blocked because of the implicit rule at the end of the ACL, "deny ip any any".
08-25-2012 07:21 AM
Thanks a great deal Samuel.
It works great now. If only you knew how many people said the solution was not possible, you would be surprised.
Thanks once again
To allow icmp from outside (the easy way):
access-list OUTSIDE-IN-ACL extended permit icmp any any
fixup protocol icmp
Do you have the elaborate way of doing it? It helps the learning process I think.
08-25-2012 10:39 AM
By default ICMP traffic is not inspected by the ASA and will not be allowed to pass through.
"fixup protocol icmp" is the old way to tell the ASA to inspect ICMP, but it still works with newer versions of IOS.
"access-list OUTSIDE-IN-ACL extended permit icmp any any" will allow all types of ICMP from anywhere to anywhere, but from a security standpoint it is not recommended.
A better way to allow ICMP (ping) from outside is:
object-group icmp-type WWW-SERVER-SERVICES-ICMP-OBJ
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object source-quench
access-list OUTSIDE-IN-ACL extended permit icmp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-ICMP-OBJ
Samuel Petrescu
08-29-2012 08:14 AM
Thank you!
So is there really a way to say "allow host IP address on port 3306"?
i.e. have a port open only to a particular host and blocked for the rest?
08-29-2012 08:25 AM
Yes,
To allow the public IP "The public IP" connecting on inside server port TCP 3306 :
access-list OUTSIDE-IN-ACL extended permit tcp host "The public IP" object WWW-SERVER-OBJ eq 3306
Samuel Petrescu
08-30-2012 12:56 PM
Eventually went live with this today. The server is on the internet. We can RDP into it. But the applications are being blocked somewhere somehow. Can you fault the config we have below? The range commands for the ports, are they good?
xxxyyyASA(config)# sho run
: Saved
:
ASA Version 8.4(4)5
!
firewall transparent
hostname xxxyyASA
enable password msi14F/SlH4ZLjHH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description --- Connected to the Internet ---
switchport access vlan 2
!
interface Ethernet0/1
description --- Connected to LAN ---
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
bridge-group 1
security-level 100
!
interface Vlan2
nameif outside
bridge-group 1
security-level 0
!
interface BVI1
description --- For Management only ---
ip address xxx.yyy.zzz.143 255.255.255.224
!
ftp mode passive
object network WWW-SERVER-OBJ
host xxx.yyy.zzz.142
description --- The WEB server ----
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
description --- Services published on WEB server ----
port-object eq www
port-object eq https
port-object eq telnet
port-object range 221 225
port-object eq 3306
port-object eq 3389
port-object range 1719 1740
port-object range sip 5090
port-object eq 5098
port-object eq 6098
port-object eq 9293
port-object eq 1812
port-object eq 1813
port-object eq 1845
port-object eq 1846
port-object eq 3799
port-object eq 10100
port-object eq 10200
port-object eq 10300
port-object eq 20235
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
description --- Services UDP published on WEB server ----
port-object range 221 225
port-object range 1719 1740
port-object range sip 5090
port-object eq 9293
port-object eq 1812
port-object eq 1813
port-object eq 1845
port-object eq 1846
port-object eq 3799
port-object eq 10100
port-object eq 10200
port-object eq 10300
port-object eq 20235
port-object range 20000 60000
access-list OUTSIDE-IN-ACL extended permit icmp any any
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit tcp host xxx.yyy.zzz.142 object WWW-SERVER-OBJ eq 3306
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group OUTSIDE-IN-ACL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:0319f1333ea85df7cc42784731f505ae
: end
08-30-2012 01:16 PM
This line is missing:
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
08-30-2012 09:07 PM
Thanks Samuel, you are indeed a life saver.
Think I have one last one - If I want to open a port to a host xxx.yyy.zzz.xyz how can I do that?
Actually, if I wanted to close port 25 , what command will do it?
Ideally, be able to open ports for certain hosts while the ports are closed for others
08-31-2012 04:17 AM
To allow the public IP xxx.yyy.zzz.xyz connecting on inside server port TCP 3306 :
access-list OUTSIDE-IN-ACL extended permit tcp host xxx.yyy.zzz.xyz object WWW-SERVER-OBJ eq 3306
By default all ports are closed; only the ports explicitly allowed will be opened.
If you want to write an explicit rule to close port 25 from anywhere to anywhere (target port TCP 25):
access-list OUTSIDE-IN-ACL line 1 deny tcp any any eq 25
Samuel Petrescu
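The three rules of thumb in this thread (first match wins, the implicit "deny ip any any" at the end, and a trailing "permit ip any any" opening everything) are easy to check offline before touching the box. The following is an added example, not Cisco code or anything posted in the thread: a small Python evaluator for the subset of ASA syntax the thread uses (object network / host, object-group service tcp|udp with port-object eq|range, and extended ACEs with any / host / object endpoints, eq / range / object-group ports, and "line N" insertion). ICMP-type groups and NAT are not modeled. The sample config is constructed, with RFC 5737 addresses standing in for the redacted ones: 203.0.113.142 plays the web server and 198.51.100.7 the one remote host allowed to reach TCP 3306.

```python
from dataclasses import dataclass, field

# Port names the ASA accepts in place of numbers (subset used in the thread).
WELL_KNOWN = {"www": 80, "http": 80, "https": 443, "telnet": 23,
              "smtp": 25, "sip": 5060}


def port_num(tok):
    return int(tok) if tok.isdigit() else WELL_KNOWN[tok]


@dataclass
class Rule:
    action: str   # permit | deny
    proto: str    # ip | tcp | udp | icmp
    src: str      # "any" or a host address
    dst: str
    ports: set    # destination ports; None means any port
    text: str     # original ACE, reported on match


@dataclass
class Policy:
    objects: dict = field(default_factory=dict)  # object network -> host
    groups: dict = field(default_factory=dict)   # service group -> port set
    acls: dict = field(default_factory=dict)     # ACL name -> ordered rules

    def _endpoint(self, t, i):
        if t[i] == "any":
            return "any", i + 1
        if t[i] == "host":
            return t[i + 1], i + 2
        if t[i] == "object":
            return self.objects[t[i + 1]], i + 2
        raise ValueError("unsupported endpoint: " + t[i])

    def add_ace(self, t, text):
        name, t = t[0], t[1:]
        pos = None
        if t[0] == "line":          # "line N" inserts at a 1-based position
            pos, t = int(t[1]) - 1, t[2:]
        if t[0] == "extended":
            t = t[1:]
        action, proto = t[0], t[1]
        src, i = self._endpoint(t, 2)
        dst, i = self._endpoint(t, i)
        ports = None
        if i < len(t):
            if t[i] == "eq":
                ports = {port_num(t[i + 1])}
            elif t[i] == "range":
                ports = set(range(port_num(t[i + 1]), port_num(t[i + 2]) + 1))
            elif t[i] == "object-group":
                ports = set(self.groups[t[i + 1]])
        acl = self.acls.setdefault(name, [])
        acl.insert(len(acl) if pos is None else pos,
                   Rule(action, proto, src, dst, ports, text))

    def evaluate(self, name, proto, src, dst, dport=None):
        """First matching ACE decides; no match means the implicit deny."""
        for r in self.acls.get(name, []):
            if r.proto != "ip" and r.proto != proto:
                continue
            if r.src != "any" and r.src != src:
                continue
            if r.dst != "any" and r.dst != dst:
                continue
            if r.ports is not None and dport not in r.ports:
                continue
            return r.action, r.text
        return "deny", "implicit deny ip any any"


def parse_config(text):
    pol, current = Policy(), None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] in ("!", "description"):
            continue
        if t[0] == "object" and t[1] == "network":
            current = ("obj", t[2])
        elif t[0] == "object-group" and t[1] == "service":
            current = ("grp", t[2])
            pol.groups[t[2]] = set()
        elif t[0] == "host" and current and current[0] == "obj":
            pol.objects[current[1]] = t[1]
        elif t[0] == "port-object" and current and current[0] == "grp":
            lo, hi = (t[2], t[2]) if t[1] == "eq" else (t[2], t[3])
            pol.groups[current[1]].update(range(port_num(lo), port_num(hi) + 1))
        elif t[0] == "access-list":
            pol.add_ace(t[1:], raw.strip())
    return pol


# Constructed sample config (addresses are documentation-range stand-ins).
SAMPLE_CONFIG = """
object network WWW-SERVER-OBJ
 host 203.0.113.142
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
 port-object eq www
 port-object eq https
 port-object eq 3389
 port-object range 1719 1740
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
 port-object eq 1812
 port-object range 20000 60000
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
access-list OUTSIDE-IN-ACL extended permit tcp host 198.51.100.7 object WWW-SERVER-OBJ eq 3306
access-list OUTSIDE-IN-ACL line 1 deny tcp any any eq 25
"""

if __name__ == "__main__":
    pol = parse_config(SAMPLE_CONFIG)
    for pkt in [("tcp", "192.0.2.9", "203.0.113.142", 443),
                ("tcp", "192.0.2.9", "203.0.113.142", 3306),
                ("tcp", "198.51.100.7", "203.0.113.142", 3306),
                ("tcp", "192.0.2.9", "203.0.113.142", 25)]:
        print(pkt, "->", pol.evaluate("OUTSIDE-IN-ACL", *pkt))
```

Feeding the evaluator the same config plus a trailing "access-list OUTSIDE-IN-ACL extended permit ip any any" shows the problem from the first reply: TCP 3306 from an arbitrary host flips from the implicit deny to permit, while the "line 1" deny for port 25 still wins because it sits before the permit.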
08-15-2013 09:02 PM
I know this has been a while; hope you are still there. The above solution works; however, if there are two web servers with the same requirement, how does one add the second web server? The three IP addresses are on the same subnet, so
1st IP is management
2nd IP is for one webserver
3rd IP is for second Web server
The ASA 5505 has an unlimited license.
Thank You