ASA 5510 secondary IP on outside

ronwoods
Level 1

Not being too familiar with the ASA, I have everything configured I need and it is working. The problem now is, I am trying to get an additional external IP address working to point to a new server inside our network. In many other firewalls and even on a PIX I know how to do this, but something does not seem to be working. Here is the scenario:

Existing static IP that is working: xxx.xxx.65.195

New IP address to add: xxx.xxx.65.196

Here is the entire config showing the lines with WVSHAREPOINT which is the internal server we are trying to publish. This site works internally, so it has to be a config error. I simply get a time out when accessing from the outside. Any help would be greatly appreciated.

User Access Verification

Password:
Type help or '?' for a list of available commands.
ciscoasa> en
Password: ******
ciscoasa# config t
ciscoasa(config)# sho run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name xxxxxxx
enable password xxxxxxxx encrypted
passwd xxxxxxx encrypted
names
name xxx.xxx.1.3 WVSERVER
name xxx.xxx.1.200 RDP-TEST
name xxx.xxx.1.5 WVTERMSRV
name xxx.xxx.1.7 WVSHAREPOINT
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.65.195 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address xxx.xxx.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name womenventure
same-security-traffic permit inter-interface
object-group service RDP-WVSERVER tcp
port-object eq 3391
object-group service RDP-TERMSRVR tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq echo
port-object eq www
port-object eq https
access-list 101 extended permit tcp any host xxx.xxx.65.195 eq www
access-list 101 extended permit tcp any host xxx.xxx.65.195 eq 3389
access-list 101 extended permit tcp any host xxx.xxx.65.195 eq https
access-list 101 extended permit tcp any host xxx.xxx.65.195 eq smtp
access-list 101 extended permit tcp any host xxx.xxx.65.195 eq 3391
access-list 101 extended permit tcp any host xxx.xxx.65.195 eq pptp
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list acl_inside extended permit tcp host WVSERVER any eq smtp
access-list acl_inside extended deny tcp any any eq smtp
access-list acl_inside extended permit ip any any
access-list outside_access_in extended permit tcp any host WVSHAREPOINT eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 WVTERMSRV 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp WVSERVER smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3391 WVSERVER 3391 netmask 255.255.255.255
static (inside,outside) tcp interface pptp WVSERVER pptp netmask 255.255.255.255
static (inside,outside) tcp interface https WVSERVER https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.65.196 https WVSHAREPOINT https netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.65.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 10.1.1.0 255.255.255.0 management
http xxx.xxx.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp outside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
: end
ciscoasa(config)#

Please have a look over the config and let me know where I am going wrong. Thank you!

Ron

10 Replies

dtochilovsky
Level 1

Try changing the outside access list to reflect the public IP address and not the internal one:

access-list outside_access_in extended permit tcp any host x.x.65.196 eq https

And also try just simple NAT instead of doing a port translation:

static (inside,outside) xxx.xxx.65.196 WVSHAREPOINT netmask 255.255.255.255


Dmitry.
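The mismatch Dmitry points at (on ASA 8.2, before the 8.3 NAT rewrite, an ACL applied inbound on the outside interface must name the mapped public address that the `static` creates, not the inside host) can be checked mechanically. The script below is an added example, not from this thread or from Cisco: it parses `name`, `static` and `access-list` lines from a saved 8.2 config (a constructed sample modelled on Ron's, with RFC 1918 and documentation placeholder addresses) and reports outside-ACL entries whose destination is an inside host or a public address with no static translation.

```python
# Constructed sample modelled on the thread's ASA 8.2 config; placeholder addresses.
SAMPLE_CONFIG = """\
name 192.168.1.3 WVSERVER
name 192.168.1.7 WVSHAREPOINT
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.195 255.255.255.248
access-list outside_access_in extended permit tcp any host WVSHAREPOINT eq https
access-list outside_access_in extended permit tcp any host 203.0.113.195 eq smtp
static (inside,outside) tcp interface smtp WVSERVER smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.196 https WVSHAREPOINT https netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

def _dst(t, i):
    """t[i] starts the source spec (any | host X | net mask); return the destination."""
    i += 1 if t[i] == "any" else 2
    if t[i] == "any":
        return "any"
    return t[i + 1] if t[i] == "host" else t[i]

def check_outside_acl(config):
    """Return [(acl_line, reason)] for entries of the ACL applied inbound on 'outside'
    that cannot match on ASA 8.2: destination is an inside host or an untranslated IP."""
    names, statics, acl, outside_ip, cur_if = {}, [], None, None, None
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for t in (ln.split() for ln in lines):
        if t[0] == "name":                       # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[0] == "nameif": cur_if = t[1]
        elif t[:2] == ["ip", "address"] and cur_if == "outside":
            outside_ip = t[2]
        elif t[0] == "static":                   # static (in,out) [tcp|udp] <mapped> [port] <real> [port] ...
            mapped, real = (t[3], t[5]) if t[2] in ("tcp", "udp") else (t[2], t[3])
            statics.append((mapped, names.get(real, real)))
        elif t[0] == "access-group" and t[-1] == "outside": acl = t[1]
    mapped = {outside_ip if m == "interface" else m for m, _ in statics}
    reals = {r for _, r in statics}
    findings = []
    for ln in lines:
        t = ln.split()
        if t[:2] != ["access-list", acl] or "permit" not in t:
            continue
        dst = _dst(t, t.index("permit") + 2)     # +2 skips the protocol token
        dst = names.get(dst, dst)
        if dst in reals:
            findings.append((ln, "destination is the inside host; 8.2 ACLs must use the mapped public address"))
        elif dst != "any" and dst not in mapped:
            findings.append((ln, "no static translation maps this public address to an inside host"))
    return findings
```

The script only covers the ACL/static pairing; it does not look at `sysopt noproxyarp outside`, which Ashu raises later and which also stops the ASA from answering ARP for the .196 address on the shared /29. It also says nothing about the `telnet 0.0.0.0 0.0.0.0 outside` and `http 0.0.0.0 0.0.0.0 outside` lines in the posted config, which expose device management to the whole Internet and are worth restricting to known management addresses.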

I have tried both of these suggestions, with the same results. Timeout on the outside. I assume these were to be used together and the old one removed, which I did, correct?

Hi Ron,

Change the acl as below as mentioned by Dmitry earlier:

access-list outside_access_in line 1 permit tcp any host x.x.65.196 eq https

clear xlate local WVSHAREPOINT

Try accessing it after that and see if we get any hitcounts in the acl.

HTH

Ashu

Yes, try clearing the xlates as Ashu just mentions below; that will clear any old static translations and you should be able to use the new ones. As a rule of thumb you should clear the old ones any time you make a change to the NAT...

Okay, one question... I turned on logging; is this how I view hit counts on an ACL, or how is that done?

Thanks again for all your help!

Ron

Hit counts show up when you display an access list.

Run this command: show access-list outside_access_in

and see if the count of hits at the end of the access list is increasing;

it should be something like: (hitcnt=10).

Ahh yes, well the hit count on that ACL is showing 0.

That means the traffic is not even making it to the firewall. We need to check whether the traffic is being blocked before it reaches the firewall.

Ashu

Anything in the logs regarding that connection?

Make sure you enable logging so that logs are sent; run this: logging enable

Hi,

Also ensure that proxy ARP is enabled on the outside. Enter the following command to be sure:

no sysopt noproxyarp outside

Ashu
