Help! ASA5505 Simple port forward
16 years 2 months ago #27255
by ajass
Help! ASA5505 Simple port forward was created by ajass
I have read dozens of posts on how to configure NAT and ACL and after trying just about everything I still can't get this.
Simple setup, simple need.
I have 1 static IP from ISP, 1 web server, 5 workstations. Workstations are on same VLAN as server.
All I need is for any internet computer to be able to surf my web server using my outside static IP. How hard can this be!? Please help!
Here's what I can do:
1. Surf the internet
2. Surf the web server from inside (10.10.10.5)
Config:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.45.28 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list INBOUND extended permit tcp any host xx.xx.45.28 eq www
access-list outside_access_in extended permit tcp any host xx.xx.45.28 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 10.10.10.5 xx.xx.45.28 netmask 255.255.255.255
static (inside,outside) xx.xx.45.28 10.10.10.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xx.xx.45.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.87.85.98 68.87.69.146
dhcpd auto_config outside
!
dhcpd address 10.10.10.2-10.10.10.129 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c6fd6d43e2230d40103df56b3d4bc161
: end
P.S. When I enter ACLs via the command line, they don't show up in the ASDM GUI. Am I missing something here?
I really need this device up and running, any help is greatly appreciated! Thanks!
16 years 2 months ago #27260
by Patiot
Replied by Patiot on topic Re: Help! ASA5505 Simple port forward
Hello,
First, I have a suggestion: I see you have configured two static NATs for the same translation. Is that right? If so, you can remove the static (outside,inside) 10.10.10.5 ...... translation. Static is a two-way translation.
Secondly, you have configured an access list to allow anyone on the internet to access your public IP on the WWW port, but you have not bound that access list to the interface, which means that there is no access list. Without an access list, nobody on the internet will be able to come in by default.
So configure an access-group statement.
Use access-group to bind the access list to the interface.
Thirdly, if you want the hosts on the internet to access only the WWW port on the public IP, then you can always configure a static PAT:
static (inside,outside) tcp outside_ip www inside_ip www netmask 255.255.255.255
with appropriate access-lists.
16 years 2 months ago #27262
by ajass
Replied by ajass on topic Re: Help! ASA5505 Simple port forward
Thanks for your help Patiot. That makes sense but I'm not sure how to configure access-group statement.
I think I have the NAT set correctly.
I can currently browse the internet and I can browse my web server internally.
I tried the command: "access-group outside_access_in in interface outside" like you suggested but maybe the syntax is wrong? Doesn't this give requests coming from the outside interface a place to go on the inside interface?
Thanks for all your help, this is really frustrating.
Web server is at 192.168.1.101
Here's the new config:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.45.28 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp 192.168.1.101 www XX.XX.45.28 www netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 XX.XX.45.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.87.85.98 68.87.69.146
dhcpd auto_config outside
!
dhcpd address 192.168.1.7-192.168.1.97 inside
dhcpd dns 68.87.85.98 interface inside
dhcpd wins 68.87.69.146 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0d008513736032c9e6bb6a8b8bc34975
: end
16 years 2 months ago #27266
by Patiot
Replied by Patiot on topic Re: Help! ASA5505 Simple port forward
Here is the syntax that I took from the Cisco website.
Access group configuration:
access-group acl_out in interface outside
And here is your access list:
access-list outside_access_in extended permit tcp any host xx.xx.45.28 eq www
So your configuration will look like this exactly:
access-group outside_access_in in interface outside
Here is one more suggestion about the static.
In your new configuration I saw a static statement as below:
static (outside,inside) tcp 192.168.1.101 www XX.XX.45.28 www netmask 255.255.255.255
IT SHOULD BE:
static (inside,outside) tcp XX.XX.45.28 www 192.168.1.101 www netmask 255.255.255.255
Because static is generally configured in the following way:
static (trusted_int,untrusted_int) untrusted_ip trusted_ip netmask
I don't say that the way you have configured it is wrong, but it will be favoring hosts that are initiating connections from the internet.
16 years 2 months ago #27267
by ajass
Replied by ajass on topic Got it! thanks guys!
I got it working! Thanks! You guys rock!
For anybody else reading this...
The following is almost the default config except for the:
Outside to inside NAT translation
Access list
Access group
Web server on 192.168.1.100
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xxx.40.62 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list INBOUND extended permit tcp any host xx.xxx.40.62 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 200 interface
nat (inside) 200 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 <<--- Can also be done with ASDM
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xxx.40.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd dns 205.171.3.65 205.171.2.65 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:af66834cfaa704797482aeaad8d2c70c
: end
Thanks for your suggestions. Now it's on to the VPN!
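Added example (not from the thread or from Cisco): a small Python model of the inbound decision the three configs above walk through on ASA 7.x, so you can check why the first config (ACL but no access-group), the second (reversed static, ACL not bound) and the final one (ACL, access-group, static PAT on the interface) behave as they do. The config fragments are constructed from the thread's posts; the model covers only the ACL-bound-to-outside, static and static-PAT rules, not the ASA's full packet path.

```python
import re
from typing import Tuple

# Constructed config fragments: only the lines from the thread's three
# "show running-config" outputs that decide whether an inbound TCP/80
# connection reaches the web server (ASA 7.x, pre-8.3 rules: the ACL on
# the outside interface matches the public/mapped address, not the host).
FIRST_POST = """
access-list INBOUND extended permit tcp any host xx.xx.45.28 eq www
access-list outside_access_in extended permit tcp any host xx.xx.45.28 eq www
static (outside,inside) 10.10.10.5 xx.xx.45.28 netmask 255.255.255.255
static (inside,outside) xx.xx.45.28 10.10.10.5 netmask 255.255.255.255
"""
SECOND_POST = """
access-group outside_access_in in interface outside
static (outside,inside) tcp 192.168.1.101 www XX.XX.45.28 www netmask 255.255.255.255
"""
FINAL_POST = """
access-list INBOUND extended permit tcp any host xx.xxx.40.62 eq www
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 <<--- Can also be done with ASDM
access-group INBOUND in interface outside
"""

WELL_KNOWN = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25}

def port(name: str) -> int:
    return int(name) if name.isdigit() else WELL_KNOWN[name]

def parse(config: str):
    acls, groups, statics = {}, {}, []
    for raw in config.splitlines():
        line = raw.split("<<---")[0].strip()          # drop inline notes
        if m := re.match(r"access-list (\S+) extended permit tcp any host (\S+) eq (\S+)", line):
            acls.setdefault(m[1], []).append((m[2], port(m[3])))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups[m[2]] = m[1]                       # interface -> bound ACL
        elif m := re.match(r"static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask", line):
            statics.append((m[1], m[2], m[3], port(m[4]), m[5], port(m[6])))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask", line):
            statics.append((m[1], m[2], m[3], None, m[4], None))   # all ports
    return acls, groups, statics

def inbound(config: str, outside_ip: str, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Decide an outside->inside TCP SYN to dst_ip:dst_port. Returns (ok, detail)."""
    acls, groups, statics = parse(config)
    acl = groups.get("outside")
    if acl is None:   # security level 0 -> 100 is denied unless an ACL is bound
        return False, "denied: no access-group on outside, lower-to-higher security defaults to deny"
    if (dst_ip, dst_port) not in acls.get(acl, []):
        return False, f"denied: ACL {acl} has no permit for {dst_ip}:{dst_port}"
    # static (real_if,mapped_if) mapped_ip real_ip: only an (inside,outside)
    # entry maps the public address back to an inside host for inbound SYNs
    for real_if, mapped_if, mapped, mport, real, rport in statics:
        mapped_ip = outside_ip if mapped == "interface" else mapped
        if (real_if, mapped_if) == ("inside", "outside") and mapped_ip == dst_ip \
                and mport in (None, dst_port):
            return True, f"permitted by {acl}, translated to {real}:{rport or dst_port}"
    return False, "denied: no static (inside,outside) maps the outside address to an inside host"
```

Running `inbound(FIRST_POST + "access-group INBOUND in interface outside\n", ...)` shows the first config needed only the access-group, which is exactly Patiot's second point.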