02-24-2011 09:36 AM - edited 03-11-2019 12:56 PM
Hi, I'm a newbie in Cisco ASA configuration.
We are running a D-Link NetDefend firewall and, because we plan to install an Oracle database, we intend to migrate to a Cisco ASA 5505 appliance.
Our configuration is very simple, but the Oracle database is not compatible with the D-Link firewall for dynamic port opening.
Here is what we have and what we need to do.
The ISP allocates 8 public IPs:
195.251.47.128/29
.129 is the outside IP and .134 is the ISP gateway.
We have 3 internal networks:
inside (for local users): 192.168.170.0/24 (we also have 1 web server on that network)
DMZ (for FTP and web servers; some servers are both): 192.168.171.0/24
oracle (for the Oracle network; we have 3 databases running SQL*Net v2): 192.168.169.0/24
What we need to achieve is really simple:
configure the ASA to allow Oracle traffic through it from the outside interface:
from 130 to 192.168.169.4
from 131 to 192.168.169.5
from 132 to 192.168.169.7
I found the following configuration for Oracle. Will this work?
access-list 100 extended permit tcp host 192.168.169.5 host 195.250.47.131 eq sqlnet
access-list 100 extended permit tcp host 192.168.169.7 host 195.250.47.132 eq sqlnet
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect sqlnet
service-policy global_policy global
The other issue we have is static NAT.
192.168.171.10 is both an FTP and a web server.
192.168.171.32 is an HTTP server.
192.168.171.3 is an FTP server.
From .129 to 192.168.171.10 using HTTP it's OK.
From .130 to 192.168.171.10 using HTTP it's not OK; I receive a message from the ASA that I already have a duplicate NAT with the previous one.
Same for FTP.
The other issue we are trying to fix is the following:
If a request is sent from the inside to 195.250.47.129 or .130 on port 21, we want the ASA to redirect the traffic to the DMZ interface for the FTP server on 192.160.171.10.
If a request is sent from the inside to 195.250.47.130 on port 1521, we want the ASA to redirect the traffic to the specified Oracle server (i.e. 192.168.169.4).
With our current firewall we can achieve everything except the Oracle traffic, which our firewall does not handle.
Can anyone point me to the correct configuration documentation to try to fix all these issues?
Once again, many thanks.
02-24-2011 12:00 PM
Hi,
To allow inbound traffic you require static NAT and an ACL, for example:
static (dmz,out) 195.250.47.130 REAL_IP
static (dmz,out) 195.250.47.131 REAL_IP
static (dmz,out) 195.250.47.132 REAL_IP
access-list 100 extended permit tcp any host 195.250.47.130 eq sqlnet
access-list 100 extended permit tcp any host 195.250.47.131 eq sqlnet
access-list 100 extended permit tcp any host 195.250.47.132 eq sqlnet
access-group 100 in interface outside
The above configuration will permit inbound traffic on the above ports to the public IPs.
If you want to share the IPs you can change the static NAT to static PAT:
static (dmz,out) tcp 195.250.47.13x sqlnet REAL_IP sqlnet
The REAL_IP is the actual IP address of the server on the DMZ interface.
Hope it helps.
Federico.
02-25-2011 04:43 AM
OK. I get the point and I should fix the sqlnet issue.
What do you think about the static NAT issue I'm facing?
02-25-2011 06:58 AM
For the static NAT, as I mentioned, you have two options:
Regular one-to-one static NAT:
static (dmz,out) 195.250.47.130 REAL_IP
static (dmz,out) 195.250.47.131 REAL_IP
static (dmz,out) 195.250.47.132 REAL_IP
Or, port redirection (static PAT):
static (dmz,out) tcp x.x.x.x 80 y.y.y.y 8080
static (dmz,out) tcp x.x.x.x 25 y.y.y.y 2525
The above example redirects TCP traffic received on public IP x.x.x.x on port 80 to private IP y.y.y.y port 8080, and SMTP traffic received on the same IP to the same internal IP on port 2525.
Hope it helps.
Federico.
02-25-2011 08:34 AM
So what you are saying is that I can't get the following working:
static (dmz,out) tcp 195.250.47.129 80 192.168.171.10 80
static (dmz,out) tcp 195.250.47.130 80 192.168.171.10 80
Do I really get it all right?
02-25-2011 09:09 AM
Ange,
I think the answer is that you cannot.
static (dmz,out) tcp 195.250.47.129 80 192.168.171.10 80
static (dmz,out) tcp 195.250.47.130 80 192.168.171.10 80
The problem with the above is that the ASA will indeed receive TCP port 80 traffic on both public IPs and redirect that traffic to 192.168.171.10 on port 80.
The problem is, the ASA will not know which public IP to translate the (outbound) traffic to, because you have two rules.
Now, if I'm not wrong, this is fixed in OS 8.3,
meaning that if you upgrade to 8.3 you can have this behavior taken care of on the ASA (because of the NAT improvements added in this release).
Federico.
02-25-2011 11:07 AM
That is great news. I will look at the release notes for IOS 8.3.
One more thing I need to know. Is the ASA capable of rerouting traffic?
I mean, is it capable of the following: if a TCP request is sent from an inside user or IP to the public IP of the Oracle server, is the ASA capable of rerouting the traffic to the private IP of the Oracle server?
What I want to achieve is:
192.168.170.3 port x to 195.250.47.132 port 1521, then redirect to 192.168.169.4, for example.
A sort of proxy, since communication between inside and oracle is permitted by default.
Many thanks again.
With all these requirements for my configuration, which Cisco device would you advise me to fulfill the whole scenario?
02-25-2011 11:53 AM
Ange,
Let's see if we can make it work.
For example:
static (in,out) tcp 195.250.47.132 1521 192.168.169.4 1521
The above redirects the inbound TCP traffic (received from the outside) to 195.250.47.132 on port 1521 to the internal IP 192.168.169.4 on the same port.
But that's not exactly what you want; please explain.
Federico.
02-25-2011 03:52 PM
Basically, here is how we test our websites:
create the architecture of the site and publish it on the server, then make a test from a PC on the same subnet as the server, then a test from a PC on the inside but calling the private IP of the server on the DMZ, and finally call it from its public IP from the inside.
What we would like, for the final test, is for the ASA to capture all packets from the inside to the outside IP 195.250.47.130 and redirect them to the private IP of the server on the DMZ.
Do not let the packet reach the outside, but redirect it to the server on the DMZ...
Is it a little bit more precise?
03-15-2011 01:32 AM
I have upgraded my ASA to software 8.3. The NAT feature is different and the configuration is object oriented (which is quite good).
But I still have the NAT issue.
The fact that my other device publishes the public IP using the proxy ARP feature should ease the routing.
I do not have the error message saying that the static NAT rule already exists, but my previous entry is replaced with the new static NAT entry.
So I cannot complete the configuration.
Hmmm, tricky...
03-24-2011 12:42 PM
Configuration is fulfilled by upgrading to 8.3.
Case can be closed.
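As an added illustration of the 8.3 object-based NAT that resolved the thread (the shared public IP from Federico's 02-25-2011 09:09 AM post and the inside-to-public-IP redirect asked for in the 03:52 PM post), here is an ASA 8.3+ configuration written for this thread, not taken from any post. Interface names (outside, inside, dmz, oracle) and all object names are assumptions; the addresses are those quoted in the thread.

```cisco
! Added example, not the thread's own config. Interface names and object
! names are assumptions; addresses are the ones quoted in the thread.
!
! (1) Two public IPs mapped to the same DMZ host, port by port. Under 8.2
!     the second static on .130 was rejected as a duplicate; in 8.3 each
!     mapping is its own object, all pointing at the same real host.
object network DMZ-SRV10
 host 192.168.171.10
 nat (dmz,outside) static 195.250.47.129
object network DMZ-SRV10-HTTP-130
 host 192.168.171.10
 nat (dmz,outside) static 195.250.47.130 service tcp www www
object network DMZ-SRV10-FTP-130
 host 192.168.171.10
 nat (dmz,outside) static 195.250.47.130 service tcp ftp ftp
!
! (2) Static PAT for the Oracle listener on the same shared public IP.
object network ORACLE-DB1-SQLNET
 host 192.168.169.4
 nat (oracle,outside) static 195.250.47.130 service tcp sqlnet sqlnet
!
! (3) Inbound ACL. In 8.3 the ACL matches the REAL (untranslated) address,
!     not the public IP as in the 8.2 examples earlier in the thread.
access-list OUTSIDE-IN extended permit tcp any host 192.168.171.10 eq www
access-list OUTSIDE-IN extended permit tcp any host 192.168.171.10 eq ftp
access-list OUTSIDE-IN extended permit tcp any host 192.168.169.4 eq sqlnet
access-group OUTSIDE-IN in interface outside
!
! (4) Inside users calling the public IP: twice NAT rewrites the destination
!     to the private server, so the packet is switched to dmz/oracle and
!     never leaves through the outside interface.
object network INSIDE-NET
 subnet 192.168.170.0 255.255.255.0
object network PUB-130
 host 195.250.47.130
object service TCP-DST-1521
 service tcp destination eq 1521
object service TCP-DST-21
 service tcp destination eq 21
nat (inside,oracle) source static INSIDE-NET INSIDE-NET destination static PUB-130 ORACLE-DB1-SQLNET service TCP-DST-1521 TCP-DST-1521
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static PUB-130 DMZ-SRV10 service TCP-DST-21 TCP-DST-21
!
! (5) Keep sqlnet and ftp inspection so the dynamic data ports are opened.
policy-map global_policy
 class inspection_default
  inspect sqlnet
  inspect ftp
```

After applying, `show nat detail` and `packet-tracer input inside tcp 192.168.170.3 12345 195.250.47.130 1521` will show whether the twice NAT rule in section (4) is hit before the object NAT rules.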