Problem with configuring Cisco ASA

Harry2012
Level 1

Hi All,

I've been doing a lot of research into whether or not you can assign multiple public IP addresses to the external interface of a Cisco ASA 5515-X appliance running v8.6. Can anyone confirm whether they have been able to achieve this?

We are facing a challenge whereby we have 3 applications that require public access on TCP 443. These include:

- Outlook Web Access (OWA)

- Microsoft ADFS

- Custom Web App

We have a single internet connection with a /29 address space (e.g. 10.0.0.0/29), which connects directly into the ASA. We are in the process of migrating to Office365 so OWA is not going to be a problem but we cannot change the ADFS default port (TCP 443) due to a dependency on external services and we would like our users to be able to access the Custom Web App on TCP 443 through a simple URL (e.g. https://www.<custom-app>.com) as well.

In order to support this configuration, is it possible for us to assign an additional public IP from our /29 address space to the single external interface on the ASA? For example:

ADFS = adfs.domain.com point to 10.0.0.1 on TCP443

Custom App = https://www.<custom-app>.com point to 10.0.0.2 on TCP443

Alternatively, what would be your suggested approach?

Cheers

Jouni Forss
VIP Alumni

Hi,

Just want to clarify one thing from the start. I assume that we are NOT talking about getting an additional public subnet on your ASA's external interface (in addition to the current /29 subnet)?

I assume that you are simply talking about using another public IP address from the /29 subnet for the purpose of providing access to an internal server? Or did I understand something wrong?

If you simply want to utilize multiple IP addresses from the /29 subnet on your ASA towards the external network then you only need to configure the NAT configuration using the appropriate public IP address. The IP address itself will not be configured/mentioned in any interface configuration. (Your interface already holds the /29 subnet.)

Now the question of determining the correct type of NAT configuration comes down to whether you want to utilize a single public IP address completely for an internal IP address (you will naturally have to use different public IP addresses since you are using an overlapping port, but the NAT type can be different) or whether you only want to bind the port TCP/443 from each of the public IP addresses to the corresponding local IP address of the server (which would leave you some room in future to configure additional port forwards using these public IP addresses to internal hosts if you ran out of public IP addresses).

So either configure Static NAT (1:1 translation for the IP) or Static PAT (port forward).

A Static NAT configuration in the new NAT format is configured like this, for example:

object network SERVER-1
 host <local ip>
 nat (sourceint,destint) static <public nat ip>

A Static PAT configuration in the new NAT format is configured like this:

object network SERVER-1-STATIC-PAT
 host <local ip>
 nat (sourceint,destint) static <public nat ip> service <tcp/udp> <real port> <mapped port>

There is a different way to configure both of the above types of NAT configuration, but I personally prefer to use the above format.

In the above configurations the "sourceint" should be replaced with the interface "nameif" behind which the internal host is located and the "destint" should be replaced with the interface "nameif" of the interface towards which the NAT is performed. In simple setups the names are the default ones, "inside" and "outside". Naturally the "object" names can be anything you want.

If you are wondering why the public IP addresses which are not configured on any interface work when used in the NAT configurations, the answer is that when traffic towards these public IP addresses comes to your ISP and the packet reaches the gateway interface of the ISP that holds this /29 subnet, the ISP gateway will send an ARP request to determine the MAC address of the public IP address. The ASA will see this ARP request and answer it with its external interface's MAC address (Proxy ARP), and because of this the ISP will know where to forward the traffic destined to this IP address.

Hope this helps :)

- Jouni
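The two NAT formats above, applied to the scenario in the question, as an added worked example that is not part of Jouni's reply or of Cisco's documentation. The public addresses 10.0.0.1 (ADFS) and 10.0.0.2 (custom app) come from the original post; the interface names inside/outside and the internal server addresses 192.168.1.20 and 192.168.1.10 are assumed. Static PAT is used for both services so the remaining ports on each public address stay free for later port forwards; the commented-out stanza shows the Static NAT (1:1) alternative for comparison. On 8.3+ code the interface ACL is evaluated against the real (untranslated) address, which is why it references the network objects and not the public addresses.

```cisco
! Added example, not configuration from this thread. Assumed values:
!   inside / outside = nameif of the server-side and Internet-facing interfaces
!   192.168.1.20     = internal ADFS server (assumed)
!   192.168.1.10     = internal custom web app server (assumed)
!   10.0.0.1 / .2    = public addresses from the /29 (from the original post)
!
! Static PAT: only TCP/443 on each public address is forwarded.
! Nothing on the outside interface changes; the ASA answers ARP for
! 10.0.0.1 and 10.0.0.2 by proxy ARP because they are within its /29.
object network ADFS-SERVER-443
 host 192.168.1.20
 nat (inside,outside) static 10.0.0.1 service tcp https https

object network CUSTOMAPP-SERVER-443
 host 192.168.1.10
 nat (inside,outside) static 10.0.0.2 service tcp https https

! Alternative for one of them: Static NAT (1:1). Every port on 10.0.0.2
! then maps to the host, so 10.0.0.2 cannot be reused for other services.
! object network CUSTOMAPP-SERVER
!  host 192.168.1.10
!  nat (inside,outside) static 10.0.0.2

! Inbound ACL on the outside interface. On 8.3+ the ACL is checked after
! un-NAT, so it must permit the REAL address, not 10.0.0.x. Limit it to
! the port that is actually published rather than permitting all traffic.
access-list OUTSIDE_IN extended permit tcp any object ADFS-SERVER-443 eq https
access-list OUTSIDE_IN extended permit tcp any object CUSTOMAPP-SERVER-443 eq https
access-group OUTSIDE_IN in interface outside
```

ASDM's "Add Network Object NAT Rule" dialog produces the same object/nat lines; with its "Preview commands before sending them to the device" option enabled you can compare what it is about to send against the lines above.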

Hi Jouni,

Thanks for your detailed response, it is greatly appreciated.

With regards to your comments - see below:

Just want to clarify one thing from the start. I assume that we are NOT talking about getting an additional public subnet on your ASAs external interface? (in addition to the current /29 subnet)

That is correct. I'm wanting to use the existing /29 subnet.

I assume that you are simply talking about using another public IP address from the /29 subnet for the purposes of providing access to internal server? Or did I understand something wrong?

Your assumption is correct. At present, we have two services (ADFS and Custom_App) that require HTTP/S access on TCP443. The intention is to have the following:

 - 10.0.0.1:443 pointing to the ADFS environment

 - 10.0.0.2:443 pointing to the Custom_App environment

DNS records will be updated accordingly so that the A records point to the corresponding public IP address detailed above. I tried to configure the static PAT option using the ASDM toolset (as we only have read access on the CLI - don't ask ;) ) but I came across some problems that I was hoping you could help me with.

In terms of the configuration on ASDM, I'm assuming it should be:

Add "Network Object"

 - Name: Custom_App

 - Type: Host

 - IP Address: Internal Host Address of Web Server

Select "Add Automatic Address Translation Rules"

 - Type: Static

 - Translated Address: External Public IP address (10.0.0.2)

Select "Advanced"

 - Source Interface: Interface to which the Custom_App server is connected

 - Destination Interface: Choose the WAN interface

 - Protocol: TCP

 - Real Port: HTTPS-plain (i.e. 443)

 - Mapped Port: HTTPS-plain (i.e. 443)

Also, from a ACL perspective, am I right in assuming that this should literally be:

 - Interface <WAN>

 - Action <permit>

 - Source <any>

 - Destination <Custom_App> (i.e. the Object I created for the static PAT rule.)

Thanks again for all your help with this, it's much appreciated.

Kind Regards,

Harry

Hi,

I don't personally use the ASDM at all for ACL or NAT configurations, but looking through my own ASA's ASDM I would suggest doing the following:

  • Open ASDM and go to Configuration -> Firewall -> NAT Rules
  • Click the right mouse button on the empty space in the center of the ASDM window and select "Add Network Object NAT Rule..."
  • Configure the parameters to match your situation
    • Name: Give a name describing the purpose and the port used (since you are configuring Static PAT)
    • IP address: Give the local/real IP address of the host
    • Type: Static (it might be defaulted to this setting already)
    • Translated Addr: You can type the public IP address you want to use here. If you were using an interface IP address on the ASA you could choose the interface name from the list
  • Click on "Advanced" to open the other window
    • Source Interface: Where the actual host is located
    • Destination Interface: The interface towards which you want to perform the translation
    • Service: TCP
    • Real Port: The actual port/service on the host
    • Mapped Port: The port mapped on the destination interface

I guess I pretty much stated the same thing you mentioned again, but I wanted to check the actual configuration window myself as I barely use the ASDM for configurations.

In the ACLs you can use the "object" that you create for the NAT configurations. The main thing is that with the new ASA software (8.3 and above) you will have to allow traffic towards the actual/local/real IP address of the host (even if the traffic is coming from the external network).

Hope this helps :)

- Jouni

Also,

If you want to check what the ASDM actually sends to the ASA you can check if you have the following setting enabled on the ASDM:

Tools (menu) -> Preferences -> Preview commands before sending them to the device

This will show you the CLI-format configurations the ASDM is about to send to the ASA before it sends them.

Hope this helps :)

- Jouni

Hi Jouni,

That is brilliant, thanks for sending that through.

I've applied the configs as suggested and when I test it via a browser, it comes back with "10.0.0.2 is not available". I've used the Packet Tracer in ASDM and it fails due to the following NAT configuration dropping the packets:

nat (LAN2, WAN) source dynamic any interface dns description Interface NAT for LAN2 -> WAN

After running a show run through the ASDM, the configs are as follows:

Please note I have replaced the actual IP addresses/names with dummy ones for security purposes.

object network CUSTOM_APP
 host 192.168.1.10

object network EXTRA_WAN_IP
 host 10.0.0.2

object network CUSTOM_APP
 nat (LAN2,WAN) static 10.0.0.2 service tcp https https

access-list WAN_access_in extended permit object https-plain any object 192.168.1.10

access-list global_access extended permit object https-plain any object CUSTOM_APP

Am I missing something?

Cheers,

Harry
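Added verification steps, not from this thread, for narrowing down where the packet is being dropped. They use the interface names, addresses and ACL name from the configuration Harry posted (LAN2, WAN, 10.0.0.2, 192.168.1.10, WAN_access_in); 203.0.113.5 and port 40000 are an assumed outside test client. Two things matter when reading the result. First, the ASA's NAT order: manual (twice) NAT rules such as the `nat (LAN2,WAN) source dynamic any interface` line sit in Section 1 and are evaluated before object NAT in Section 2, where the static PAT lives; `show nat` prints the rules in that order with hit counts. Second, a packet injected on LAN2 towards 10.0.0.2 (which is what a browser test from an inside host produces) is a hairpin: it is matched by that Section 1 dynamic rule, not by the static PAT, so the path an Internet client takes has to be tested with a packet injected on WAN from an outside source address. The `show` commands need only read access.

```cisco
! Added verification commands, not from this thread. LAN2, WAN, 10.0.0.2,
! 192.168.1.10 and WAN_access_in come from Harry's posted configuration;
! 203.0.113.5 / 40000 is an assumed Internet client address and port.

! 1. NAT rule order and hit counts. Manual (twice) NAT rules such as
!    "nat (LAN2,WAN) source dynamic any interface" are listed under
!    Section 1 and are evaluated before the object NAT (Section 2)
!    that carries the static PAT for 10.0.0.2.
show nat
show nat detail

! 2. Simulate an Internet client hitting the published port. Inject on
!    WAN, not LAN2: a packet sourced on LAN2 towards 10.0.0.2 is a
!    hairpin and is matched by the Section 1 dynamic rule instead.
packet-tracer input WAN tcp 203.0.113.5 40000 10.0.0.2 443 detailed
!    The trace should show an UN-NAT phase translating 10.0.0.2:443 to
!    192.168.1.10:443, then an ACCESS-LIST phase matching WAN_access_in
!    on the REAL address, before the final ALLOW.

! 3. Confirm the ACL line is the one being hit and that a translation
!    and connection are built when a real client connects.
show access-list WAN_access_in
show xlate | include 192.168.1.10
show conn address 192.168.1.10
```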

turbo_engine26
Level 4

Simply, use a public IP from your existing /29 address space in your static PAT configuration instead of assigning it to the interface itself. Just configure a couple of static PATs for each app using its own public IP.
