ASA 5505.Any way to assign external ip to internal server?

valeriy.vainkop · ‎03-03-2012

I have 3 external ips from my isp:

222.222.222.221

222.222.222.222

222.222.222.223

The first one I use to provide internet access to my office.

The other two I'm going to use for the following:

I'm going to deploy a server in internal network which must have 2 external ips on his network interface (& one internal ip on the second,but that's ok:))

I cannot put an extra network switch before asa & plug this server there: this server is virtual & is on esxi host in internal network.

External ips must be assigned to servers' interfacw,bot just forwarded there (ms direct access requirement).

Please help my with config as I'm also a Cisco newbie :(

My current config:

!

ASA Version 8.4(3)

!

hostname msk-office

domain-name remote.firma.ru

enable password 9tpvMyzTwlokMPIT encrypted

passwd 9tpvMyzTwlokMPIT encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 172.16.0.1 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address 222.222.222.221 255.255.255.248

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone MSK/MSD 3

clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server 172.16.0.20

name-server 192.168.1.20

name-server 222.222.222.10

name-server 222.222.222.20

domain-name remote.firma.ru

object network dcenter1-internal-network

subnet 192.168.1.0 255.255.255.0

object network msk-office-internal-network

subnet 172.16.0.0 255.255.0.0

object network NETWORK_OBJ_172.16.0.0_16

subnet 172.16.0.0 255.255.0.0

object-group network obj_any

access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.0.0 object dcenter1-internal-network

access-list global_access extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static dcenter1-internal-network dcenter1-internal-network no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic any interface

access-group global_access global

route outside 0.0.0.0 0.0.0.0 222.222.222.220 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 111.111.111.111

crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA

crypto map outside_map 1 set ikev2 ipsec-proposal AES256

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 outside

telnet timeout 20

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.0.20 192.168.1.20

dhcpd domain ad.firma.ru

dhcpd update dns

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_111.111.111.111 internal

group-policy GroupPolicy_111.111.111.111 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol ikev1 ikev2

tunnel-group 111.111.111.111 type ipsec-l2l

tunnel-group 111.111.111.111 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

valeriy.vainkop · ‎03-04-2012

Anyone? :)

Latchum Naidu · ‎03-05-2012

Hi,

What I understand is that you have one virtual host which is in your LAN and that needs to be accessible from Internet
If that is what you want then you need to configure a static NAT with a specific public IP say for example....

#static (inside,outside) 222.222.222.223 10.1.2.28 netmask 255.255.255.255

Please rate the helpfull posts.
Regards,
Naidu.

valeriy.vainkop · ‎03-05-2012

Unfortunately the situation is more complicated than that:

Server must have public IPs configured on its' network interface, NOT just nated there. I mentioned it in my first post.

Is there any way to accomplish that?

Ionut.Hristea · ‎03-05-2012

Hi,

Then you must use DMZ interface and put that server in the DMZ.

valeriy.vainkop · ‎03-05-2012

This server should have 2 network adapters:

1st must have 2 public IPs on it

2nd must be in local network (172.16.0.0)

I'll be like that if I configure DMZ interface?

As you can see in my config I didn't configure it Can you tell me how to do that in order to accomplish what I need?

Thanks in advance!!

Jeff Van Houten · ‎03-05-2012

how many nics in the esx host? Couldn't you dedicate a physical nic to the external address space then attach that nic to a switch on the same segment as the external address space of the Asa?

Sent from Cisco Technical Support iPad App

valeriy.vainkop · ‎03-13-2012

This is a well known workaround, not a solution. But thanks

ai.solutions · ‎03-06-2012

Why must the public IP appear on the server's NIC? Unless there is a very good reason, the one-to-one NAT will work in almost all cases.

Also consider the security implications of having two ingress paths into your local LAN.

valeriy.vainkop · ‎03-13-2012

This is a Microsoft Direct Access requirement, do you think it's a good enough reason?

http://blog.concurrency.com/infrastructure/uag-sp1-directaccess-ip-addressing-the-server/

I'm so tired of telling people why I need this, no solution, only workarounds Some Cisco technician reading this forum could at last honestly say that it's impossible!!!

About security: I assign these external IPs to machine with MS UAG+TMG in internal network & in my opinion it's secure enough, because external traffic can go in/out only to/from these machines & not to/from any other machines in my internal network. Why do you think it's not secure?

ai.solutions · ‎03-13-2012

Order a /30 subnet from your ISP. Have it routed to your existing public IP. A /30 will give you 2 usable addresses.

Then create a new vlan on the Asa and associate it with one of your free interfaces. Connect that interface to your servers external nic. Apply one of the /30 addresses to the ASAs interface and the other address to your servers nic. Apply appropriate firewall rules to your ASA interface.

Then you can now access that server directly from the Internet using its new IP.

Sent from Cisco Technical Support iPhone App

patrick.preuss · ‎03-14-2012

Valeriy

BTW why not use the ASA for VPN or am i missing something ?

You have a lot of possibiliies to build vpns.

Cheers Patrick

valeriy.vainkop · ‎03-19-2012

We switched to Direct Access completely, because Direct Access is much better than VPN, especially for mobile users on Win7 (& all of our clients currently are on Win7).

Here are several reasons to switch to DA:

1) DA starts connection before login no matter which user you choose & to which network you're connected. There's no need to script or configure smth for that becasue Win7 have DA client capabilities embedded & it's very reliable (tested )

2) DA uses one of 3 types of tunnels depending on the situation switching from one to another & that's why it can connect you to corporate network from anywhere avoiding problems with public wifis blocking some ports & etc.

valeriy.vainkop · ‎03-19-2012

Well this also looks like some kind of workaround for me. Seriously, is it possible to accomplish what I need without ordering something additional from ISP??!!

Now I splitted ISP cable with a small switch & one cable from there goes to ASA's outside interface & the second one is plugged into big office switch directly. Works perfectly, but it's not quite secure,yeah?

ai.solutions · ‎03-19-2012

Getting additional IP addresses isnt a workaround. This is how it is done properly.

If what you want to achieve requires you to order something additonal, then it just highlights that you didnt prepare well enough for the task.

Think about this. If you have traffic coming from the internet to a single IP address, and that hits the outside interface of your ASA... but you want some traffic to go to the internal network and some traffic to go to the TMG server, how does the ASA know what to do?

In your "scenario" where you have split the ISP cable... I cant even see how that would work... but you may as well throw away the ASA though because its not providing any protection.