10-27-2013 02:01 PM - edited 03-11-2019 07:56 PM
So I have an ASA 5510 8.4 with a WAN IP of 123.123.123.54 and inside network of 192.168.3.0
I have a server at 192.168.3.25 that 123.123.123.54 is NATted to. I need to do one of two things. Either I need to be able to get the ASA to allow ASDM/SSH on the outside interface on a second public IP, or I need to be able to exempt a port from the 1:1 nat on 123.123.123.54.
Running Config
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password REDACTED encrypted
passwd REDACTED encrypted
names
name 206.128.xx.xxx Cash1HQ description Cash1 Reno Admin Office
name 192.168.3.25 Trixbox_IN
name 208.70.xx.xxx Trixbox_OUT
!
interface Ethernet0/0
description Outside Interface
nameif outside
security-level 0
ip address 208.70.xx.xxx 255.255.255.240
!
interface Ethernet0/1
description LAN Interface
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Management
security-level 20
ip address 192.168.2.225 255.255.255.0
management-only
!
ftp mode passive
object-group service RTP udp
port-object range 10000 20000
object-group service SIPS udp
port-object eq sip
port-object eq 5061
port-object eq 5065
port-object eq 5070
port-object range 10000 20000
object-group service RTP2 udp
port-object range 10000 20000
object-group network Trixbox
description CM Retail Trixbox
network-object host Trixbox_IN
object-group network SSH_USERS
network-object host 208.81.xx.xxx
network-object host 99.187.xxx.xxx
network-object host 64.134.xxx.xx
network-object host 208.70.xx.xx
network-object host 172.56.xx.xxx
network-object host 166.147.xx.xxx
network-object 166.147.0.0 255.255.0.0
network-object host 99.69.xxx.xxx
access-list 101 extended deny ip host 208.70.186.52 any
access-list 101 extended permit tcp object-group SSH_USERS interface outside eq ssh
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host Trixbox_OUT eq 8000
access-list 101 extended permit tcp any host Trixbox_OUT eq 9000
access-list 101 extended permit tcp any host Trixbox_OUT eq www
access-list 101 extended permit tcp any host Trixbox_OUT eq https
access-list 101 extended permit tcp any host Trixbox_OUT eq 9001
access-list 101 extended permit tcp any host Trixbox_OUT eq 9002
access-list 101 extended permit tcp any host Trixbox_OUT eq 9003
access-list 101 extended permit tcp any host Trixbox_OUT eq 9004
access-list 101 extended permit tcp any host Trixbox_OUT eq 9005
access-list 101 extended permit tcp any host Trixbox_OUT eq 8005
access-list 101 extended permit tcp any host Trixbox_OUT eq 8004
access-list 101 extended permit tcp any host Trixbox_OUT eq 8003
access-list 101 extended permit tcp any host Trixbox_OUT eq 8002
access-list 101 extended permit tcp any host Trixbox_OUT eq 8001
access-list 101 extended permit tcp any host Trixbox_OUT eq 5222
access-list 101 extended permit tcp any host Trixbox_OUT eq 5269
access-list 101 extended permit tcp host 208.81.50.229 host Trixbox_OUT eq ssh
access-list 101 extended permit tcp host 99.187.148.169 host Trixbox_OUT eq ssh
access-list 101 extended permit udp host 192.153.5.141 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.120.115.53 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.234.196.79 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.234.123.43 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.234.142.41 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.234.158.37 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.234.136.38 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.26.227.50 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.26.227.51 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.26.227.52 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.26.227.53 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.26.227.54 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 98.172.95.174 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 70.167.223.2 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 174.79.52.218 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 174.79.52.219 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 65.101.36.254 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 68.14.238.114 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 98.172.79.121 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 98.172.64.7 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 68.110.169.178 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 68.110.171.130 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.71.162.230 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 98.174.224.213 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 64.130.243.94 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 66.214.111.38 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 68.231.110.25 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 63.229.66.145 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.176.187.42 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.176.187.43 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.176.187.44 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.176.187.45 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.176.187.46 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 208.81.50.229 host Trixbox_OUT object-group SIPS
access-list 101 extended permit tcp host 64.134.154.98 host Trixbox_IN eq ssh
access-list 101 extended permit tcp host 64.134.154.98 host Trixbox_OUT eq ssh
access-list 101 extended permit tcp host Cash1HQ host Trixbox_OUT eq ssh
access-list 101 extended permit tcp host 208.70.186.53 host Trixbox_OUT eq ssh
access-list 101 extended permit tcp host 172.56.7.131 host Trixbox_OUT eq telnet
access-list 101 extended permit tcp host 172.56.7.131 host Trixbox_OUT eq ssh
access-list 101 extended permit udp host Cash1HQ host Trixbox_OUT object-group SIPS
access-list 101 extended permit tcp 172.56.0.0 255.255.0.0 host Trixbox_OUT eq ssh
access-list 101 extended permit udp host 216.147.191.159 host Trixbox_OUT eq sip
access-list 101 extended permit udp any host Trixbox_OUT object-group RTP2
access-list 101 extended deny udp any host Trixbox_OUT eq 3478 log disable
access-list 101 extended permit udp host Cash1HQ host Trixbox_OUT eq ntp
access-list 101 extended permit tcp host 166.147.72.149 host Trixbox_OUT eq ssh
access-list 101 extended permit tcp 166.147.0.0 255.255.0.0 host Trixbox_OUT eq ssh
!
tcp-map nostate
!
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm informational
mtu outside20 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 2
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface Trixbox_IN netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 208.70.186.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http xx.xxx.xxx.169 255.255.255.255 outside
http xxx.xxx.xxx.253 255.255.255.255 outside
http Trixbox_IN 255.255.255.255 inside
http 192.168.2.0 255.255.255.0 outside20
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 172.56.0.0 255.255.0.0 outside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh 208.70.xx.xxx 255.255.255.255 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh Trixbox_IN 255.255.255.255 inside
ssh timeout 30
console timeout 0
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.3.2-192.168.3.50 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username REDACTED password REDACTED encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ipsec-pass-thru
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:098680e928f5895f540d0d6d858c3879
: end
10-27-2013 02:12 PM
Hi,
This configuration is not from an ASA with 8.4 software though the real software level actually shows in the output (8.0(4))
There is no way to exempt some certain port from a Static NAT configuration. I guess the reason for configuring Static NAT in such a way is because with Static PAT you would have to configure a huge number of Static PAT configurations for each port you need to forward.
Since you have used the "interface" IP address in the Static NAT configuration and considering the above thing, I don't see many options here.
The least appealing option would probably be to configure Static PAT for each port that you need to forward so that you don't cause problems for remote management connections.
I am not 100% sure if another option would even work because of the Static NAT configuration. That option was to configure an IPsec Client VPN and configure "management-access inside" and connect to the ASA through the VPN connection using the IP address of the "inside" interface. But as I said I am not sure if this is going to work since you have a Static NAT configuration that essentially forwards all the ports from the "outside" interface IP address to the internal server.
Naturally getting an extra public IP address from the ISP might be an option also.
Otherwise you should probably consider configuring Static PAT for the ports required even though it generates a huge amount of configuration. You could easily generate the configuration itself with some text editor. To be honest I have not tried to insert such a large Static PAT configuration on an ASA so I am not sure if it has any effect on performance. I would imagine it takes some extra memory at least.
- Jouni
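The reply suggests generating the per-port Static PAT lines with a text editor instead of typing them. The script below is an added example (not Jouni's, not Cisco's) that does that generation from the posted configuration: it expands the udp service object-groups, collects every permitted destination port on Trixbox_OUT from access-list 101 (skipping deny lines and the "interface outside" rule, which is to-the-box SSH rather than a port forward), and emits one `static (inside,outside) {tcp|udp} interface <port> Trixbox_IN <port> netmask 255.255.255.255` line per port, which is the 8.0 Static PAT syntax assumed here. It also reports the caveat that matters for this thread: tcp/22 and tcp/443 are themselves forwarded to the Trixbox, so even with Static PAT those two ports on the outside IP are still taken by the server and would collide with the ASA's own SSH and ASDM listeners; only a second public IP resolves that. The embedded config text is a constructed excerpt of the running config above, not the whole thing, so the 10000-20000 RTP range dominates the count.

```python
import re

# Constructed excerpt of the configuration posted in the thread (not the full running config).
CONFIG_EXCERPT = """\
object-group service SIPS udp
port-object eq sip
port-object eq 5061
port-object eq 5065
port-object eq 5070
port-object range 10000 20000
object-group service RTP2 udp
port-object range 10000 20000
access-list 101 extended permit tcp object-group SSH_USERS interface outside eq ssh
access-list 101 extended permit tcp any host Trixbox_OUT eq 8000
access-list 101 extended permit tcp any host Trixbox_OUT eq www
access-list 101 extended permit tcp any host Trixbox_OUT eq https
access-list 101 extended permit tcp any host Trixbox_OUT eq 5222
access-list 101 extended permit tcp host 208.81.50.229 host Trixbox_OUT eq ssh
access-list 101 extended permit udp host 192.153.5.141 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp any host Trixbox_OUT object-group RTP2
access-list 101 extended deny udp any host Trixbox_OUT eq 3478 log disable
access-list 101 extended permit udp host Cash1HQ host Trixbox_OUT eq ntp
"""

# ASA keyword-to-number mapping for the port names used in the excerpt.
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "https": 443, "ntp": 123, "sip": 5060}

# Services the ASA itself listens on at the outside IP ("ssh ... outside", "http server enable").
MGMT_PORTS = {("tcp", 22): "ssh", ("tcp", 443): "asdm (https)"}


def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_service_groups(lines):
    """Expand 'object-group service NAME PROTO' blocks into {name: (proto, set_of_ports)}."""
    groups, current = {}, None
    for raw in lines:
        line = raw.strip()
        header = re.match(r"object-group service (\S+) (tcp|udp)$", line)
        if header:
            current = header.group(1)
            groups[current] = (header.group(2), set())
        elif current and line.startswith("port-object"):
            parts = line.split()
            ports = groups[current][1]
            if parts[1] == "eq":
                ports.add(port_number(parts[2]))
            elif parts[1] == "range":
                ports.update(range(port_number(parts[2]), port_number(parts[3]) + 1))
        else:
            current = None  # any other line ends the object-group block
    return groups


# Greedy ".*" makes "host (\S+)" bind to the last "host X", i.e. the destination.
ACL_RE = re.compile(
    r"access-list \S+ extended permit (tcp|udp) .* host (\S+) "
    r"(eq (\S+)|range (\S+) (\S+)|object-group (\S+))"
)


def forwarded_ports(lines, public_name, groups):
    """(proto, port) pairs that access-list permits toward public_name.
    Deny lines and 'interface outside' (to-the-box) rules never match and are skipped."""
    ports = set()
    for raw in lines:
        m = ACL_RE.match(raw.strip())
        if not m or m.group(2) != public_name:
            continue
        proto = m.group(1)
        if m.group(4):
            ports.add((proto, port_number(m.group(4))))
        elif m.group(5):
            lo, hi = port_number(m.group(5)), port_number(m.group(6))
            ports.update((proto, p) for p in range(lo, hi + 1))
        else:
            gproto, gports = groups[m.group(7)]
            ports.update((gproto, p) for p in gports)
    return ports


def static_pat_lines(ports, real_name):
    """One 8.0-style Static PAT line per port, mapped to the outside interface IP."""
    return [
        f"static (inside,outside) {proto} interface {port} {real_name} {port} netmask 255.255.255.255"
        for proto, port in sorted(ports)
    ]


def management_conflicts(ports):
    """Forwarded ports that the ASA also uses for its own management on the same IP."""
    return {f"{proto}/{port}": MGMT_PORTS[(proto, port)]
            for proto, port in sorted(ports) if (proto, port) in MGMT_PORTS}


def generate(config_text=CONFIG_EXCERPT, public_name="Trixbox_OUT", real_name="Trixbox_IN"):
    lines = config_text.splitlines()
    ports = forwarded_ports(lines, public_name, parse_service_groups(lines))
    return static_pat_lines(ports, real_name), management_conflicts(ports)


if __name__ == "__main__":
    pat, conflicts = generate()
    print(f"{len(pat)} static PAT lines would replace the single 1:1 static")
    for key, svc in conflicts.items():
        print(f"conflict: {key} is forwarded to the server but is also the ASA's {svc} on the outside IP")
    print("\n".join(pat[:6]) + "\n...")
```

Run it with the full running config pasted into CONFIG_EXCERPT and the output is the paste-ready Static PAT block; the conflict list is the part to read first, because it tells you which management ports cannot be reclaimed on the shared IP no matter how the NAT is written.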