ASDM Access on outside interface with 1:1 NAT

starpoint09
Beginner

So I have an ASA 5510 8.4 with a WAN IP of 123.123.123.54  and inside network of 192.168.3.0

I have a server at 192.168.3.25 that 123.123.123.54 is NATted to. I need to do one of two things. Either I need to be able to get the ASA to allow ASDM/SSH on the outside interface on a second public IP, or I need to be able to exempt a port from the 1:1 NAT on 123.123.123.54.

Running Config

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password REDACTED encrypted
passwd REDACTED encrypted
names
name 206.128.xx.xxx Cash1HQ description Cash1 Reno Admin Office
name 192.168.3.25 Trixbox_IN
name 208.70.xx.xxx Trixbox_OUT
!
interface Ethernet0/0
 description Outside Interface
 nameif outside
 security-level 0
 ip address 208.70.xx.xxx 255.255.255.240
!
interface Ethernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif Management
 security-level 20
 ip address 192.168.2.225 255.255.255.0
 management-only
!
ftp mode passive
object-group service RTP udp
 port-object range 10000 20000
object-group service SIPS udp
 port-object eq sip
 port-object eq 5061
 port-object eq 5065
 port-object eq 5070
 port-object range 10000 20000
object-group service RTP2 udp
 port-object range 10000 20000
object-group network Trixbox
 description CM Retail Trixbox
 network-object host Trixbox_IN
object-group network SSH_USERS
 network-object host 208.81.xx.xxx
 network-object host 99.187.xxx.xxx
 network-object host 64.134.xxx.xx
 network-object host 208.70.xx.xx
 network-object host 172.56.xx.xxx
 network-object host 166.147.xx.xxx
 network-object 166.147.0.0 255.255.0.0
 network-object host 99.69.xxx.xxx
access-list 101 extended deny ip host 208.70.186.52 any
access-list 101 extended permit tcp object-group SSH_USERS interface outside eq ssh
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host Trixbox_OUT eq 8000
access-list 101 extended permit tcp any host Trixbox_OUT eq 9000
access-list 101 extended permit tcp any host Trixbox_OUT eq www
access-list 101 extended permit tcp any host Trixbox_OUT eq https
access-list 101 extended permit tcp any host Trixbox_OUT eq 9001
access-list 101 extended permit tcp any host Trixbox_OUT eq 9002
access-list 101 extended permit tcp any host Trixbox_OUT eq 9003
access-list 101 extended permit tcp any host Trixbox_OUT eq 9004
access-list 101 extended permit tcp any host Trixbox_OUT eq 9005
access-list 101 extended permit tcp any host Trixbox_OUT eq 8005
access-list 101 extended permit tcp any host Trixbox_OUT eq 8004
access-list 101 extended permit tcp any host Trixbox_OUT eq 8003
access-list 101 extended permit tcp any host Trixbox_OUT eq 8002
access-list 101 extended permit tcp any host Trixbox_OUT eq 8001
access-list 101 extended permit tcp any host Trixbox_OUT eq 5222
access-list 101 extended permit tcp any host Trixbox_OUT eq 5269
access-list 101 extended permit tcp host 208.81.50.229 host Trixbox_OUT eq ssh
access-list 101 extended permit tcp host 99.187.148.169 host Trixbox_OUT eq ssh
access-list 101 extended permit udp host 192.153.5.141 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.120.115.53 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.234.196.79 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.234.123.43 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.234.142.41 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.234.158.37 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.234.136.38 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.26.227.50 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.26.227.51 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.26.227.52 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.26.227.53 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.26.227.54 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 98.172.95.174 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 70.167.223.2 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 174.79.52.218 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 174.79.52.219 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 65.101.36.254 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 68.14.238.114 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 98.172.79.121 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 98.172.64.7 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 68.110.169.178 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 68.110.171.130 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 69.71.162.230 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 98.174.224.213 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 64.130.243.94 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 66.214.111.38 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 68.231.110.25 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 63.229.66.145 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.176.187.42 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.176.187.43 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.176.187.44 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.176.187.45 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 24.176.187.46 host Trixbox_OUT object-group SIPS
access-list 101 extended permit udp host 208.81.50.229 host Trixbox_OUT object-group SIPS
access-list 101 extended permit tcp host 64.134.154.98 host Trixbox_IN eq ssh
access-list 101 extended permit tcp host 64.134.154.98 host Trixbox_OUT eq ssh
access-list 101 extended permit tcp host Cash1HQ host Trixbox_OUT eq ssh
access-list 101 extended permit tcp host 208.70.186.53 host Trixbox_OUT eq ssh
access-list 101 extended permit tcp host 172.56.7.131 host Trixbox_OUT eq telnet
access-list 101 extended permit tcp host 172.56.7.131 host Trixbox_OUT eq ssh
access-list 101 extended permit udp host Cash1HQ host Trixbox_OUT object-group SIPS
access-list 101 extended permit tcp 172.56.0.0 255.255.0.0 host Trixbox_OUT eq ssh
access-list 101 extended permit udp host 216.147.191.159 host Trixbox_OUT eq sip
access-list 101 extended permit udp any host Trixbox_OUT object-group RTP2
access-list 101 extended deny udp any host Trixbox_OUT eq 3478 log disable
access-list 101 extended permit udp host Cash1HQ host Trixbox_OUT eq ntp
access-list 101 extended permit tcp host 166.147.72.149 host Trixbox_OUT eq ssh
access-list 101 extended permit tcp 166.147.0.0 255.255.0.0 host Trixbox_OUT eq ssh
!
tcp-map nostate
!
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm informational
mtu outside20 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 2
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface Trixbox_IN netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 208.70.186.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http xx.xxx.xxx.169 255.255.255.255 outside
http xxx.xxx.xxx.253 255.255.255.255 outside
http Trixbox_IN 255.255.255.255 inside
http 192.168.2.0 255.255.255.0 outside20
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 172.56.0.0 255.255.0.0 outside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh 208.70.xx.xxx 255.255.255.255 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh Trixbox_IN 255.255.255.255 inside
ssh timeout 30
console timeout 0
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.3.2-192.168.3.50 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username REDACTED password REDACTED encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ipsec-pass-thru
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:098680e928f5895f540d0d6d858c3879
: end

1 Reply

Jouni Forss
Mentor

Hi,

This configuration is not from an ASA with 8.4 software, though the real software level actually shows in the output (8.0(4)).

There is no way to exempt some certain port from a Static NAT configuration. I guess the reason for configuring Static NAT in such a way is because with Static PAT you would have to configure a huge number of Static PAT configurations for each port you need to forward.

Since you have used the "interface" IP address in the Static NAT configuration, and considering the above thing, I don't see many options here.

The least appealing option would probably be to configure Static PAT for each port that you need to forward so that you don't cause problems for remote management connections.

I am not 100% sure if another option would even work because of the Static NAT configuration. That option was to configure an IPsec Client VPN and configure "management-access inside" and connect to the ASA through the VPN connection using the IP address of the "inside" interface. But as I said, I am not sure if this is going to work since you have a Static NAT configuration that essentially forwards all the ports from the "outside" interface IP address to the internal server.

Naturally, getting an extra public IP address from the ISP might be an option also.

Otherwise you should probably consider configuring Static PAT for the ports required even though it generates a huge amount of configuration. You could easily generate the configuration itself with some text editor. To be honest, I have not tried to insert such a large Static PAT configuration on an ASA, so I am not sure if it has any effect on performance. I would imagine it takes some extra memory at least.

- Jouni
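The reply suggests replacing the interface-wide static NAT with one Static PAT line per forwarded port and generating those lines mechanically. The following is an added example (not code from the thread or from Cisco) that does that generation in 8.0-style syntax for the ports permitted to Trixbox_OUT in the posted ACL, shows why the RTP range makes the list huge, and flags the ports that would still collide with the ASA's own SSH (22) and ASDM (443) listeners on the outside interface; the management port set, the port-keyword table and the port list are assumptions built from the page, not read from a device.

```python
"""Expand a forwarded-port list into ASA 8.0 'static' PAT lines (added example)."""

# Assumption: default ASA management listeners on the outside interface.
MANAGEMENT_PORTS = {("tcp", 22), ("tcp", 443)}

# ASA keyword names that appear in the ACL on the page.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "sip": 5060, "ntp": 123}


def resolve(port):
    """Accept an int or an ASA port keyword such as 'www'."""
    return port if isinstance(port, int) else PORT_NAMES[port]


def expand(spec):
    """Turn ('tcp', 8000) and ('udp', (10000, 20000)) into (proto, port) pairs."""
    out = set()
    for proto, port in spec:
        if isinstance(port, tuple):            # inclusive range, as in port-object range
            lo, hi = port
            out.update((proto, p) for p in range(lo, hi + 1))
        else:
            out.add((proto, resolve(port)))
    return sorted(out)


def static_pat_lines(spec, real_ip, real_ifc="inside", mapped_ifc="outside"):
    """One 'static' command per port; unlisted ports stay with the ASA itself."""
    return [
        f"static ({real_ifc},{mapped_ifc}) {proto} interface {port} {real_ip} {port} "
        "netmask 255.255.255.255"
        for proto, port in expand(spec)
    ]


def management_conflicts(spec):
    """Ports that would still shadow SSH/ASDM on the outside interface."""
    return sorted(p for p in expand(spec) if p in MANAGEMENT_PORTS)


# Constructed from the Trixbox_OUT rules in the posted ACL (not the full ACL).
TRIXBOX_PORTS = [
    ("tcp", "www"), ("tcp", "https"), ("tcp", "ssh"), ("tcp", 5222), ("tcp", 5269),
    ("tcp", (8000, 8005)), ("tcp", (9000, 9005)),
    ("udp", "sip"), ("udp", 5061), ("udp", 5065), ("udp", 5070),
    ("udp", (10000, 20000)),   # RTP range alone is 10001 lines
]

if __name__ == "__main__":
    lines = static_pat_lines(TRIXBOX_PORTS, "192.168.3.25")
    print(f"{len(lines)} static PAT lines needed; first: {lines[0]}")
    print("still conflict with management:", management_conflicts(TRIXBOX_PORTS))
```

The conflict list is the practical caveat: forwarding 443 and 22 to the server by Static PAT leaves ASDM and SSH on the outside address just as unreachable as the 1:1 NAT did, so those two ports need a different mapped port or a different public IP.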
