05-16-2013 04:26 AM - edited 03-11-2019 06:44 PM
Could I get a validation that this config is correct in that it allows inbound access to the web server
and that I should be able to ping it from my inside interface.
I tried to use the example code from Cisco DocID: 115904 for DMZ WebServer, but I found the
object NAT parts did not work with my 8.6 IOS so I modified them as shown in my config.
Example from 115904 doc.
!!!!
object network WebServerPublic
host 24.25.26.80
object network WebServerPrivate
host 192.168.1.80
nat(dmz,outside) static WebServerPublic service tcp www www ---> this does not code
!!!!
With the below code I do not get a ping reply sourcing from a 10.1.0.X host to 192.168.1.80 web server.
And I cannot browse in from the outside to it either.
I do see the MAC for 192.168.1.80 in the ASA's arp cache for the dmz interface.
The web server is on a VMware ESX environment and I'm not sure it is set up correctly.
!
ASA Version 8.6(1)2
!
hostname A5515
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 24.25.26.254 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.0.252 255.255.240.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.1.254 255.255.255.0
!
object network N_OBJ_10.1.0.0_20
subnet 10.1.0.0 255.255.240.0
object network N_OBJ_10.24.0.0_18
subnet 10.24.0.0 255.255.192.0
object network DNSServer
host 10.24.0.86
object network WebServerPrivate
host 192.168.1.80
object network WebServerPublic
host 24.25.26.246
object network N_OBJ_DMZ_24
subnet 192.168.1.0 255.255.255.0
!
object-group network CampusNetworks
network-object 10.1.0.0 255.255.240.0
network-object 10.24.0.0 255.255.192.0
!
access-list outside_access_in extended permit tcp any object WebServerPrivate eq https
access-list outside_access_in extended permit tcp any object WebServerPrivate eq www
!
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks echo-reply
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks unreachable
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks time-exceeded
access-list dmz_access_in extended permit udp any object DNSServer eq domain
access-list dmz_access_in extended deny ip any object-group CampusNetworks
access-list dmz_access_in extended permit ip any any
!
nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
nat (dmz,outside) source static WebServerPrivate WebServerPublic
nat (inside,dmz) source static CampusNetworks CampusNetworks
!
nat (inside,outside) after-auto source dynamic CampusNetworks interface
!
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
!
route outside 0.0.0.0 0.0.0.0 24.25.26.241 1
route inside 10.24.0.0 255.255.192.0 10.1.0.254 1
!
Thanks
05-16-2013 04:37 AM
Hi,
You have some conflicting NAT configurations
For example you have this
nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
This overrides your Static PAT configuration that you are trying to achieve
Also one note regarding one of your NAT configurations
nat (inside,dmz) source static CampusNetworks CampusNetworks
You don't need NAT between local interfaces. No NAT is done by default. So the traffic between "dmz" and "inside" should go through untranslated without any need for NAT configurations.
If you want, you could change your current configurations to the following. Note that you would have to remove your existing NAT configurations.
object-group network DEFAULT-PAT-SOURCE
network-object 10.1.0.0 255.255.240.0
network-object 10.24.0.0 255.255.192.0
network-object 192.168.1.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The above configuration handles the Default PAT for all your networks. Both "dmz" and "inside".
object network WEB-SERVER
host 192.168.1.80
nat (dmz,outside) static interface service tcp 80 80
access-list outside_access_in permit tcp any object WEB-SERVER eq 80
access-list outside_access_in permit tcp any object WEB-SERVER eq 443
The above does the Static PAT (or Port Forward) for your DMZ server and allows the traffic on the ACL.
- Jouni
05-16-2013 05:03 AM
Jouni,
Thanks for your prompt reply.
I also need to static nat my webserver so don't I still need:
object network WebServerPublic
host 24.25.26.27
object network WebServerPrivate
host 192.168.1.80
nat (dmz,outside) static WebServerPrivate WebServerPublic
I don't want to nat my web server to the outside interface IP.
Thx,
Phil
05-16-2013 05:33 AM
Hi,
In the most basic form the Static NAT can be configured with
object network WEB-SERVER
host 192.168.1.80
nat (dmz,outside) static 24.25.26.27
To my understanding with the Default PAT configuration I mentioned and either Static PAT or Static NAT you should be able to connect to the server with public IP address from "outside" and with local IP address from "inside"
If you need to access server with public IP address from "inside" you need some additional NAT configurations.
Did you test the above configurations? Does connection work yet?
It seems to me at least that the "dynamic" rule listed first in your configurations would override any "dmz" related NAT configuration.
Hope this helps
Remember to mark replies as correct answer if they answered your question. Or ask more if needed
- Jouni
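As an added illustration (not Jouni's, Phil's or Cisco's code): a small Python model of the ASA 8.3+ NAT lookup order (section 1 manual NAT in configured order, then section 2 object NAT with static before dynamic and more-specific first, then section 3 after-auto manual NAT; first match wins, forward real-to-mapped direction only), fed with the NAT lines from the original post and from the suggested fix. The rule names, the "unchanged" marker for identity NAT and the reduction of the ASA to this ordering model are assumptions; the addresses come from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:
    """Simplified ASA 8.3+ NAT rule, forward (real -> mapped) direction only (assumed model)."""
    name: str
    src_if: str      # "any" matches every source interface
    dst_if: str
    real: tuple      # real source networks (CIDR strings)
    mapped: str      # mapped address: interface IP for PAT, public host for static
    kind: str        # "static" or "dynamic"
    section: int     # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT after-auto

def order_rules(rules):
    """Sections 1 and 3 keep configured order; section 2 sorts static first, then fewer real IPs."""
    def key(item):
        idx, r = item
        if r.section == 2:
            n = sum(ipaddress.ip_network(x).num_addresses for x in r.real)
            return (2, 0 if r.kind == "static" else 1, n, idx)
        return (r.section, 0, 0, idx)
    return [r for _, r in sorted(enumerate(rules), key=key)]

def translate(rules, src_if, dst_if, src_ip):
    """First-match lookup: returns (rule name, mapped address) or None."""
    ip = ipaddress.ip_address(src_ip)
    for r in order_rules(rules):
        if r.src_if not in (src_if, "any") or r.dst_if != dst_if:
            continue
        if any(ip in ipaddress.ip_network(x) for x in r.real):
            return r.name, r.mapped
    return None

# Constructed from the NAT lines in the original post (manual NAT, configured order).
ORIGINAL = [
    NatRule("dyn-dmz", "dmz", "outside", ("192.168.1.0/24",), "24.25.26.254", "dynamic", 1),
    NatRule("static-web", "dmz", "outside", ("192.168.1.80/32",), "24.25.26.246", "static", 1),
    NatRule("identity", "inside", "dmz", ("10.1.0.0/20", "10.24.0.0/18"), "unchanged", "static", 1),
    NatRule("dyn-inside", "inside", "outside", ("10.1.0.0/20", "10.24.0.0/18"), "24.25.26.254", "dynamic", 3),
]
# Constructed from the suggested fix: object NAT for the server, one after-auto PAT for the rest.
FIXED = [
    NatRule("pat-all", "any", "outside", ("10.1.0.0/20", "10.24.0.0/18", "192.168.1.0/24"), "24.25.26.254", "dynamic", 3),
    NatRule("web-server", "dmz", "outside", ("192.168.1.80/32",), "24.25.26.27", "static", 2),
]

if __name__ == "__main__":
    print(translate(ORIGINAL, "dmz", "outside", "192.168.1.80"))  # dynamic rule listed first shadows the static
    print(translate(FIXED, "dmz", "outside", "192.168.1.80"))     # object NAT static for the server wins
```

In the original ordering the server's own outbound traffic hits the dynamic dmz rule before the static one; moving the catch-all PAT to after-auto puts it behind the object NAT.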
05-16-2013 07:15 AM
Jouni,
!
I have made the changes you recommended:
object-group network DEFAULT-PAT-SOURCE
network-object 10.1.0.0 255.255.240.0
network-object 10.24.0.0 255.255.192.0
network-object 192.168.1.0 255.255.255.0
!
object network WebServerPublic
host 24.25.26.27
object network WebServerPrivate
host 192.168.1.80
nat (dmz,outside) static WebServerPublic
!
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
!
All of my packet tracing and debugging says this should work, but I still cannot ping the private IP, nor browse to the public from the outside. I will have to wait for the VMware vendor to look at their config before I make any more comments.
-Phil