03-14-2011 11:50 PM - edited 03-11-2019 01:06 PM
Hi
I need to fulfil the configuration below, which is working fine on my current D-Link Netdefend firewall.
We have a range of IPs assigned by our ISP: 194.250.47.128/29
194.250.47.129 is the firewall IP and .134 the ISP gateway.
We have 4 interfaces
- The local user interface: lan =192.168.170.1/24
- The servers interface : dmz =192.168.171.1/24
- The database interface : oracle=192.168.169.1/24
- The internet interface : wan=194.250.47.129/24
So I duplicate the configuration on the ASA 5505:
- Inside
- dmz
- oracle
- outside
On the dmz we have servers running http and ftp at the same time.
So to fulfil the config on the D-Link, they publish on the wan interface all our public IPs using the ARP proxy feature;
then we can make SAT from the wan to the lan interface of the DFL.
So we permit the following:
if a request from the internet reaches 194.250.47.129 for ftp then redirect it to 192.168.171.3 for ftp
194.250.47.130 for ftp 192.168.170.102 for port 6128
194.250.47.131 for ftp 192.168.171.10 for ftp
194.250.47.132 for ftp 192.168.171.10 for ftp
194.250.47.129 for www then redirect it to 192.168.171.10 for www
194.250.47.130 for www 192.168.171.10 for www
194.250.47.131 for www 192.168.171.10 for www
194.250.47.132 for www 192.168.171.10 for www
Same type for the Oracle database running sqlnet v2:
if a request from the internet reaches 194.250.47.132 for 1521 then redirect to 192.168.169.4
if a request from the lan reaches 194.250.47.129 then redirect the packet to 192.168.171.10
This is what we have working on the D-Link, except the Oracle database.
So I try to duplicate the same configuration on an ASA 5505, software 8.3.
I cannot have ftp from .131 and .132 static PAT to 192.168.171.10. When trying it, the ASA replaces the previous entry with the new entry.
Same for www from .131 and .132 to 192.168.171.10. Same behaviour as with ftp.
Can someone help me sort out the issue with ftp and www and guide me through the sqlnet configuration?
03-15-2011 05:52 AM
Hi Ange,
Unfortunately, you can currently only configure 1 NAT rule per object (we have an enhancement request CSCte96293 filed to change this in the future). Therefore, if you configure a 2nd NAT rule in the same object it will overwrite the 1st one.
Try this configuration instead:
object network obj-192.168.171.3
host 192.168.171.3
nat (dmz,outside) static 194.250.47.129 service tcp ftp ftp
object network obj-192.168.170.102
host 192.168.170.102
nat (inside,outside) static 194.250.47.130 service tcp 6128 ftp
object network obj-192.168.171.10-ftp1
host 192.168.171.10
nat (dmz,outside) static 194.250.47.131 service tcp ftp ftp
object network obj-192.168.171.10-ftp2
host 192.168.171.10
nat (dmz,outside) static 194.250.47.132 service tcp ftp ftp
object network obj-192.168.171.10-www1
host 192.168.171.10
nat (dmz,outside) static 194.250.47.129 service tcp www www
object network obj-192.168.171.10-www2
host 192.168.171.10
nat (dmz,outside) static 194.250.47.130 service tcp www www
object network obj-192.168.171.10-www3
host 192.168.171.10
nat (dmz,outside) static 194.250.47.131 service tcp www www
object network obj-192.168.171.10-www4
host 192.168.171.10
nat (dmz,outside) static 194.250.47.132 service tcp www www
!
access-list outside_access_in permit tcp any host 192.168.171.3 eq ftp
access-list outside_access_in permit tcp any host 192.168.170.102 eq 6128
access-list outside_access_in permit tcp any host 192.168.171.10 eq ftp
access-list outside_access_in permit tcp any host 192.168.171.10 eq www
access-group outside_access_in in interface outside
Hope that helps.
-Mike
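The two behaviours behind Mike's answer, modelled in Python as an added example (this is not code from the thread or from Cisco): a network object carries a single nat statement, so a second statement entered under the same object replaces the first, and the fix is one object per rule with a distinct object name. The rule table is the one from the question; the helper names (StaticPat, apply_one_object_per_host, find_overlaps, render_config) are my own. As a generalisation, find_overlaps also flags the case raised later in the thread, where two real hosts are mapped to the same public IP and port, which the ASA rejects as overlapping rather than silently overwriting.

```python
"""Model of ASA 8.3 object NAT (added example, not from the original post).

Two constraints the thread runs into:
  1. a network object holds one 'nat' statement; a second one configured
     under the same object replaces the first;
  2. two rules that translate to the same mapped (interface, IP, proto, port)
     overlap and the ASA refuses the second.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticPat:
    real_ip: str
    real_if: str
    mapped_ip: str
    mapped_if: str
    proto: str
    real_port: str
    mapped_port: str

    def nat_line(self) -> str:
        # Static PAT in 8.3 syntax: real port on the left, mapped port on the right.
        return (f" nat ({self.real_if},{self.mapped_if}) static {self.mapped_ip}"
                f" service {self.proto} {self.real_port} {self.mapped_port}")


# Mappings from the original question, one per public IP and service.
RULES = [
    StaticPat("192.168.171.3",   "dmz",    "194.250.47.129", "outside", "tcp", "ftp",  "ftp"),
    StaticPat("192.168.170.102", "inside", "194.250.47.130", "outside", "tcp", "6128", "ftp"),
    StaticPat("192.168.171.10",  "dmz",    "194.250.47.131", "outside", "tcp", "ftp",  "ftp"),
    StaticPat("192.168.171.10",  "dmz",    "194.250.47.132", "outside", "tcp", "ftp",  "ftp"),
    StaticPat("192.168.171.10",  "dmz",    "194.250.47.129", "outside", "tcp", "www",  "www"),
    StaticPat("192.168.171.10",  "dmz",    "194.250.47.130", "outside", "tcp", "www",  "www"),
    StaticPat("192.168.171.10",  "dmz",    "194.250.47.131", "outside", "tcp", "www",  "www"),
    StaticPat("192.168.171.10",  "dmz",    "194.250.47.132", "outside", "tcp", "www",  "www"),
    StaticPat("192.168.169.4",   "oracle", "194.250.47.130", "outside", "tcp", "1521", "1521"),
]


def apply_one_object_per_host(rules):
    """The original attempt: one object per real host with every nat statement
    entered under it. Only the last statement per host survives."""
    table = {}
    for r in rules:
        table[r.real_ip] = r          # a later statement overwrites the earlier one
    return table


def find_overlaps(rules):
    """Rules whose mapped side collides: same outside interface, public IP,
    protocol and port. The ASA refuses the second of such a pair."""
    by_mapped = defaultdict(list)
    for r in rules:
        by_mapped[(r.mapped_if, r.mapped_ip, r.proto, r.mapped_port)].append(r)
    return {k: v for k, v in by_mapped.items() if len(v) > 1}


def render_config(rules):
    """One network object per rule, each with a unique name, plus the inbound
    ACL. On 8.3 the ACL matches the real (untranslated) address and port."""
    overlaps = find_overlaps(rules)
    if overlaps:
        raise ValueError(f"overlapping static PAT rules: {sorted(overlaps)}")
    lines, acl, seen = [], [], defaultdict(int)
    for r in rules:
        seen[(r.real_ip, r.mapped_port)] += 1
        name = f"obj-{r.real_ip}-{r.mapped_port}{seen[(r.real_ip, r.mapped_port)]}"
        lines += [f"object network {name}", f" host {r.real_ip}", r.nat_line()]
        acl.append(f"access-list outside_access_in permit {r.proto} any host {r.real_ip} eq {r.real_port}")
    acl = list(dict.fromkeys(acl))   # same real host/port reached via several public IPs needs one ACE
    return lines + ["!"] + acl + ["access-group outside_access_in in interface outside"]


if __name__ == "__main__":
    kept = apply_one_object_per_host(RULES)
    print(f"{len(kept)} of {len(RULES)} rules survive one-object-per-host")
    print("\n".join(render_config(RULES)))
    # The overlap reported later in the thread: 194.250.47.131/www to two real hosts.
    clash = RULES + [StaticPat("192.168.170.32", "inside", "194.250.47.131", "outside", "tcp", "www", "www")]
    print(find_overlaps(clash))
```

Running it prints the same object/nat/access-list layout as the answer above and shows that the host-keyed attempt keeps only four of the nine rules. The ACL is written against real addresses because, from 8.3 onward, access-lists are evaluated after untranslation; a rule written against the public IP would never match.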
03-15-2011 11:10 PM
Hi Mike,
It seems to work. Will test it.
By the way, can you help me regarding sqlnet inspection?
Is it enabled by default? Do I need to enable it?
How do I write the ACL to permit traffic coming in on 194.250.47.130 to be redirected to the Oracle database on 192.168.169.4?
Many thanks.
03-16-2011 05:53 AM
Hi Ange,
Yes, SQLnet inspection is enabled by default. You can enable it globally like this:
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect sqlnet
!
service-policy global_policy global
To setup NAT for the Oracle server, you can use the examples I posted previously as a template. Just change the IPs and interfaces where needed:
object network obj-192.168.169.4
host 192.168.169.4
nat (oracle,outside) static 194.250.47.130 service tcp 1521 1521
!
access-list outside_access_in permit tcp any host 192.168.169.4 eq 1521
Hope that helps.
-Mike
03-17-2011 12:20 PM
Hi Mike,
Many thanks.
Will deploy the Cisco with the databases and check how that works.
Will continue the thread if I encounter any other issues.
Many thanks again.
Ange
03-23-2011 05:09 AM
I have implemented the configuration as we discussed and needed some fine-tuning regarding sqlnet.
I had to modify the access rule not to point to the sqlnet service but to do a static NAT and an access rule for ports above 1024, and it is working fine.
My last question is regarding this issue:
a request sent from the inside to the outside.
I want the ASA to capture the packet and redirect the request to the dmz or oracle interface.
Is this doable?
03-25-2011 02:53 AM
I have encountered another issue.
If I try to NAT 194.250.47.131 to both 192.168.170.32 and 192.168.171.10 for the www service, the firewall complains about an overlapping issue.
In my understanding that should not prevent the Cisco from processing the packets correctly to the private IPs?
03-28-2011 09:01 AM
Hello,
I sorted out the issue.
The configuration is running as expected.
I now need to add dual WAN for inbound connections on the second ISP interface.
Many thanks.