04-05-2013 12:42 PM
I'm trying to configure external access to our Spiceworks server as well as various other software we use.
I used this to configure my Cisco firewall: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bf150c.shtml
I have tested the configuration with the packet tracer and everything is going through fine.
Is there something that I'm missing?
Are there any settings in IIS or the DNS server that I need to configure?
Here are the ACL/NAT entries on my cisco for these machines.
access-list outside_acl extended permit tcp any object NBDC1 eq 1234
access-list outside_acl extended permit tcp any object Spiceworks eq 9675
object network NBDC1
nat (inside,outside) static NBDC1-external-ip service tcp 1234 www
object network inside-subnet
nat (inside,outside) dynamic interface
object network Spiceworks
nat (inside,outside) static spiceworks-external-ip service tcp 9675 www
access-group inside_access_in in interface inside
access-group outside_acl in interface outside
Another question, do I need to assign this external IP to the outside interface? Or will it just work being defined to a network object?
04-06-2013 05:58 AM
You should have asked this in the security forum.
I have suggested this question to two persons whom I know and believe are experts in this corner.
They may help you out.
Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
04-06-2013 07:14 PM
Thanks Thanveer.
Michael - if packet tracer shows OK, that means as per your testing, the traffic flow is OK via the ASA.
You don't need to assign the external IP to the outside interface, as long as the external IP is in the same subnet as the outside interface IP, or if the next hop route is routing this particular external IP to the ASA outside interface.
If the external IP is defined as above, all you need has already been configured (network object).
When you are testing it from the internet, check if you have a hit count on the access-list. If there is no hit count, that means the traffic hasn't even hit the ASA yet.
If you are using an FQDN to connect, please ensure that the DNS resolves to the external IP defined in the network object. You can first try to access it via IP and see if that works.
Message was edited by: Jennifer Halim
04-08-2013 12:25 PM
Now the packet trace is failing. This is weird.
It's failing at a different NAT translation - nat (any,outside) dynamic obj_any-01 service any any
These are old entries that were there before I joined the company. When I delete those I lose internet access.
04-08-2013 01:53 PM
Hello Michael Bradt,
I believe your config should look something like this...
object network Spiceworks-external-ip
host 198.51.100.101
object network Spiceworks
host 192.168.1.100
nat (inside,outside) static Spiceworks-external-ip service tcp www www
object network webserver-external-ip
host 198.51.100.101
Hello Jennifer Halim,
Can you please look into this. It has been a while since I did this in a firewall...
Please rate helpful posts...
Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
04-08-2013 02:22 PM
Can you please share all your NAT statements?
You can't remove the dynamic NAT, as those are used for outbound access; however, I would recommend that instead of having "any", you please specify the actual internal LAN interface.
04-08-2013 02:33 PM
Here is my current nat config.
nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static obj-colo obj-colo
nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static obj-10.15.25.0 obj-10.15.25.0
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static NETWORK_OBJ_10.25.10.xx NETWORK_OBJ_10.25.10.xx
nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static obj-10.20.14.0 obj-10.20.14.0
nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static obj-10.20.16.0 obj-10.20.16.0
nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static 10.20.13.0 10.20.13.0
nat (inside,outside) source static obj-inside-subnet obj-inside-subnet destination static 10.20.13.0 10.20.13.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.25.10.xx NETWORK_OBJ_10.25.10.xx
nat (inside,outside) source static NETWORK_OBJ_10.25.10.0_24 NETWORK_OBJ_10.25.10.0_24 destination static NETWORK_OBJ_10.20.15.0_24 NETWORK_OBJ_10.20.15.0_24
nat (inside,any) source static obj-inside-subnet obj-inside-subnet destination static obj-10.20.15.0 obj-10.20.15.0 description Falconer
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network spiceworks
nat (inside,outside) static spiceworks-external-ip service tcp 9675 www
!
nat (any,outside) after-auto source dynamic obj_any-04 interface
nat (any,outside) after-auto source dynamic obj_any-01 interface
nat (any,outside) after-auto source dynamic obj_any-03 interface
nat (any,outside) after-auto source dynamic obj_any-02 interface
As of right now the packet is dropping at the nat. As you can see in this image.
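The drop Michael sees is at a NAT rule in the third (after-auto) section, even though the Spiceworks static lives in the object NAT section. To make the ASA 8.3+ lookup order visible, here is an added Python model of that precedence (not ASA code and not anything from this thread's devices): section 1 manual NAT in configured order, section 2 object NAT with static rules before dynamic ones and smaller objects first, then section 3 after-auto rules. The inside subnet (192.168.1.0/24), the /24 mask on obj-10.15.25.0, the 0.0.0.0/0 contents of obj_any-01, the "dmz" interface and the sample flows are constructed assumptions; the Spiceworks host and external IP come from Thanveer's suggested config.

```python
"""Added example: a model of Cisco ASA (8.3+) NAT lookup order.

This is not ASA code. It reproduces the documented precedence so you can
check which rule a given flow would hit first, in the forward
(real -> mapped) direction only:

  Section 1: manual (twice) NAT, in configured order
  Section 2: object (auto) NAT: static before dynamic, then fewer real
             addresses first, then object name
  Section 3: manual NAT with the after-auto keyword, in configured order

Subnets, the dmz interface and the flows below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    name: str                 # object name or description that labels the rule
    section: int              # 1 = manual, 2 = object NAT, 3 = after-auto
    real_if: str              # ingress interface; "any" matches every interface
    mapped_if: str            # egress interface (informational here)
    real_src: IPv4Network     # real (pre-NAT) source addresses
    kind: str = "static"      # "static" or "dynamic"
    dest: Optional[IPv4Network] = None   # manual NAT: destination to match
    real_port: Optional[int] = None      # object NAT "service": real port only
    order: int = 0            # configured position within its section


@dataclass
class Flow:
    ingress_if: str
    src: IPv4Address
    dst: IPv4Address
    sport: int = 40000        # an ephemeral source port unless stated


def sort_key(rule: NatRule):
    """Ordering the ASA applies when it searches the NAT table."""
    if rule.section == 2:
        # object NAT: static first, then fewer real addresses, then name
        return (2, rule.kind != "static", rule.real_src.num_addresses, rule.name)
    return (rule.section, rule.order)


def ordered_rules(rules: List[NatRule]) -> List[NatRule]:
    return sorted(rules, key=sort_key)


def matches(rule: NatRule, flow: Flow) -> bool:
    if rule.real_if not in ("any", flow.ingress_if):
        return False
    if flow.src not in rule.real_src:
        return False
    if rule.dest is not None and flow.dst not in rule.dest:
        return False
    # a static with "service tcp 9675 www" only covers real port 9675
    if rule.real_port is not None and flow.sport != rule.real_port:
        return False
    return True


def first_match(flow: Flow, rules: List[NatRule]) -> Optional[str]:
    for rule in ordered_rules(rules):
        if matches(rule, flow):
            return rule.name
    return None


INSIDE_SUBNET = ip_network("192.168.1.0/24")   # constructed

RULES = [
    # Section 1: identity NAT so traffic to 10.15.25.0 keeps its real address
    NatRule("identity-to-10.15.25.0", 1, "inside", "any", INSIDE_SUBNET,
            dest=ip_network("10.15.25.0/24"), order=1),
    # Section 2: Spiceworks host 192.168.1.100, static, real port 9675 -> 80
    NatRule("Spiceworks", 2, "inside", "outside", ip_network("192.168.1.100/32"),
            kind="static", real_port=9675),
    NatRule("inside-subnet", 2, "inside", "outside", INSIDE_SUBNET, kind="dynamic"),
    # Section 3: "(any,outside) after-auto" catch-all; obj_any-01 assumed 0.0.0.0/0
    NatRule("obj_any-01", 3, "any", "outside", ip_network("0.0.0.0/0"),
            kind="dynamic", order=1),
]


def lookup(ingress_if: str, src: str, dst: str, sport: int = 40000) -> Optional[str]:
    """Convenience wrapper: which rule does this flow hit first?"""
    return first_match(Flow(ingress_if, ip_address(src), ip_address(dst), sport), RULES)


if __name__ == "__main__":
    print("NAT table order:", [r.name for r in ordered_rules(RULES)])
    for args in [("inside", "192.168.1.50", "10.15.25.7"),
                 ("inside", "192.168.1.100", "203.0.113.5", 9675),
                 ("inside", "192.168.1.100", "203.0.113.5"),
                 ("dmz", "172.16.0.5", "203.0.113.5")]:
        print(args, "->", lookup(*args))
```

Two things the model makes concrete: the Spiceworks static only claims connections on real port 9675, so the host's other traffic falls through to the inside-subnet PAT, and a section 3 rule whose real interface is "any" catches every interface that no earlier rule covered, which is the reason for Jennifer's advice to name the actual LAN interface instead of "any".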