ASA 5505.Any way to assign external ip to internal server? - Page 2

valeriy.vainkop · ‎03-03-2012

I have 3 external ips from my isp:

222.222.222.221

222.222.222.222

222.222.222.223

The first one I use to provide internet access to my office.

The other two I'm going to use for the following:

I'm going to deploy a server in internal network which must have 2 external ips on his network interface (& one internal ip on the second,but that's ok:))

I cannot put an extra network switch before asa & plug this server there: this server is virtual & is on esxi host in internal network.

External ips must be assigned to servers' interfacw,bot just forwarded there (ms direct access requirement).

Please help my with config as I'm also a Cisco newbie :(

My current config:

!

ASA Version 8.4(3)

!

hostname msk-office

domain-name remote.firma.ru

enable password 9tpvMyzTwlokMPIT encrypted

passwd 9tpvMyzTwlokMPIT encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 172.16.0.1 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address 222.222.222.221 255.255.255.248

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone MSK/MSD 3

clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server 172.16.0.20

name-server 192.168.1.20

name-server 222.222.222.10

name-server 222.222.222.20

domain-name remote.firma.ru

object network dcenter1-internal-network

subnet 192.168.1.0 255.255.255.0

object network msk-office-internal-network

subnet 172.16.0.0 255.255.0.0

object network NETWORK_OBJ_172.16.0.0_16

subnet 172.16.0.0 255.255.0.0

object-group network obj_any

access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.0.0 object dcenter1-internal-network

access-list global_access extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static dcenter1-internal-network dcenter1-internal-network no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic any interface

access-group global_access global

route outside 0.0.0.0 0.0.0.0 222.222.222.220 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 111.111.111.111

crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA

crypto map outside_map 1 set ikev2 ipsec-proposal AES256

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 outside

telnet timeout 20

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.0.20 192.168.1.20

dhcpd domain ad.firma.ru

dhcpd update dns

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_111.111.111.111 internal

group-policy GroupPolicy_111.111.111.111 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol ikev1 ikev2

tunnel-group 111.111.111.111 type ipsec-l2l

tunnel-group 111.111.111.111 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

valeriy.vainkop · ‎03-21-2012

>>If what you want to achieve requires you to order something additonal, then it just highlights that you didnt prepare well >>enough for the task.

ok, I'll explain it like that: I don't think that for "passthrough"ing one ip into lan additional extarnal ip is an obligatory requirement.

>>If you have traffic coming from the internet to a single IP address, and that hits the outside interface of your ASA... but you >>want some traffic to go to the internal network and some traffic to go to the TMG server, how does the ASA know what to do?

First of all I can use several interfaces, not only one. & thought it'd be the same as just using one port of asa for regular outside & one as a switch port (so it's basically the same as it is in my setup, but 2nd isp cable will go into asa, not to big office switch)

>>In your "scenario" where you have split the ISP cable... I cant even see how that would work

Think more, it just works & it's simple.

>>but you may as well throw away the ASA though because its not providing any protection

When I assign external IP to internal server all traffic goes to it & there's a TMG+UAG on it, so it's protected not by asa, yes. Other localnetwork machines are protected by asa & nothing from outside can reach them as external ip of DA server leads only to it & nowhere else in lan. As I see it as an additional measure maybe it's possible to use different vlans for it?

patrick.preuss · ‎03-20-2012

Getting additional IPs is one way and is a valid soulution.

I am not shure about 5505 but the bigger once can run in two modes.

Routed (The Default mode) or Bridged (Transparent Firewall).

Maybe you should read a little about this mode ..

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html

It depends on what you whant to achive.

And only one mode at a Time.

HTH

valeriy.vainkop · ‎03-21-2012

>>It depends on what you want to achive.

What I'm trying to achieve is written in my first post

Thanks for the article, started reading

patrick.preuss · ‎03-21-2012

Valeriy,

as allways. we dont know the whole story. so we can give a hind here and there.

ASA can do many things. They are build for simple things and more complex things.

Like Network merges with overlapping Networks.

So as allways it depends.

Routing additional addresses also valid soulution and the transparent mode also. both have pros and cons, so it is up to you to decide witch fits better.

If things help please assign Points;-)

Patrick

valeriy.vainkop · ‎03-23-2012

On my 5505 this is the solution for me (at least it goes through asa, not around it as it was):

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 172.16.0.1 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address 217.173.69.70 255.255.255.248

&

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

After that connected interface Ethernet0/2 & internal big lan switch & voila!

Howether this doesn't work in my 5510 as it doesn't have a switchport & vlans are configured in some other way & as I understand I must configure some "trunking" which I never did before Any help will be much appreciated!

cordlesspass · ‎03-23-2012

Thanks man, you helped me A LOT!