ASA 5505 DMZ/Web server configuration

17 years 6 months ago #21392 by Smurf
It's no problem. The way that you have configured the static command is mapping your external IP address to your internal DMZ server. This is setting up a NAT, i.e. when the webserver wants to access the internet it uses that IP address (always) and is fixed to that IP address.

Now, you can configure the static to create a direct PAT translation (dunno if that's its official term, but you can think of it like that). You can therefore assign it further by specifying ports as well. In my example I used

[code:1]static (inside,outside) tcp interface http 172.16.0.2 http netmask 255.255.255.255 [/code:1]

Here, you are creating the static mapping only for port 80 going to port 80 on the inside (there is nothing stopping you from mapping port 80 to port 8002 on the inside if you so wish).

Now then, any other machines from inside the network can use the outside address for the global/nat statements. I would guess (but I may be wrong) that if you didn't do this, other machines would be unable to access the internet, as they would not be able to use an external address (or at the very least it would get confused about it).

Hope it makes sense

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 6 months ago #21394 by skepticals
I believe I understand what you are saying. With my current configuration, I am using the external IP address solely for the web server, when I could be using it, at the PAT level, just for port 80. Is that correct?

Also, this is not my only external IP address. We have a range of IP addresses, and the internal clients are not using the external IP address of the web server. Would this eliminate the problem?
17 years 6 months ago #21397 by Smurf

I believe I understand what you are saying. With my current configuration, I am using the external IP address solely for the web server, when I could be using it, at the PAT level, just for port 80. Is that correct?

Yes, that's correct :)

Also, this is not my only external IP address. We have a range of IP addresses, and the internal clients are not using the external IP address of the web server. Would this eliminate the problem?

In that case, use one address for the external interface and in your static statement use a different address again. On the global, you can use the same address that is on your external interface (or if you have even more then you can use more in the global).

The thing to remember, however, if you use multiple addresses in the global statement is that the first machine that comes along will use the first IP address and will have sole use of that address. The next machine will come along and take the next IP address, and so on until there is one address left. Once one address is left, this is then used for PAT.

Cheers

17 years 6 months ago #21398 by skepticals
Alright, let me try to get this straight.

You are saying I could put one public address on the external interface, then I could use a different address or multiple addresses for the external IP address for the web server. And, that if I were to use multiple addresses in a pool for the web server, it is first-come-first-served and the last IP address will be used along with PAT to handle any overflow?

If this is the case, what is the benefit of NATing/PATing multiple external address to one internal IP address? Why not just use the same IP address?

My current setup uses one address for the external interface and a different address for the external address of the web server.

FYI: It's working now! You are not going to believe this, but I had the wrong default gateway on the web server! I was used to the Layer 3 switches and pointed it toward the management IP address of the Layer 2 switch. Dumb mistake, but then I tried the web page from the server and it worked, then I tried the web page from another computer in the DMZ and it worked. So, I thought about the problem and at first blamed the ASA (because I know nothing about it), but I checked the web server and that was the problem.

Thank you for your continued help and amazingly fast responses! I am learning a great deal about the ASA thanks to you. I look forward to your response.
17 years 6 months ago #21403 by Smurf
Sorry, but I must not have explained it very well.

If you setup something like

[code:1]global (outside) 1 10.10.10.10-10.10.10.20
nat (inside) 1 0.0.0.0 0.0.0.0[/code:1]

Then what this is saying is: the first machine (say 192.168.0.1) on the inside network that tries accessing anything on the outside will come along and get a NAT translation set up between 10.10.10.10 & 192.168.0.1. This means ALL traffic from 192.168.0.1 will always get the external address 10.10.10.10 (until the xlate times out and then another machine can get it).

Now, if a second machine (say 192.168.0.2) on the inside network tries accessing anything on the outside, it will come along and get a NAT translation set up between 10.10.10.11 and 192.168.0.2.

This goes on until .10-.19 are used up by hosts on the inside network accessing the outside network. The next host comes along and there is only the one address free, so it then starts to use PAT, so each and every new host that comes along will start to use 10.10.10.20.

Now, there is no way to control this mechanism and specifically set which machine gets which NAT and always gets it...... or is there? Yup, this is the static. Static sets up the translation between an inside address and an outside address. This is fixed, and whenever that host (say your webserver) accesses the outside network, it always gets translated to the address in the static. That's why this is required to allow incoming traffic, because it's statically specified.

So, the static command doesn't include addresses that are configured in the global, so if we set up a static;

[code:1]static (inside,outside) 10.10.10.7 192.168.0.200 netmask 255.255.255.255[/code:1]

then this will now use 10.10.10.7 always for incoming AND outgoing traffic (we have not tied this down to ports, it's a proper NAT translation).

Now, suppose you have different servers running different services;

e.g.

192.168.0.200 = HTTP/HTTPS/FTP
192.168.0.201 = DNS
192.168.0.202 = SMTP

If you have a full address block assigned to you on the Internet, you could allow these services from the internet by doing something like;

[code:1]static (inside,outside) 10.10.10.7 192.168.0.200 netmask 255.255.255.255
static (inside,outside) 10.10.10.8 192.168.0.201 netmask 255.255.255.255
static (inside,outside) 10.10.10.9 192.168.0.202 netmask 255.255.255.255[/code:1]

What would you do if you only have the one valid IP Address of say 10.10.10.200 ?
Yup, this is where the static command using ports comes in;

[code:1]static (inside,outside) tcp interface http 192.168.0.200 http netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.200 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.0.200 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.0.200 ftp-data netmask 255.255.255.255
static (inside,outside) udp interface dns 192.168.0.201 dns netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.202 smtp netmask 255.255.255.255[/code:1]

So, sometimes you may want to physically set which address maps to which internal address, especially for incoming services.

Hope it's a little clearer? Anyhow, gonna go to bed now, my Ubuntu install just failed so gonna call it a night and try again tomorrow, I hate computers, lol :wink:

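Smurf's description of the dynamic pool (one address per inside host, last address kept for PAT, xlate timeout freeing an address) and of the fixed static is easy to follow by simulating it. The Python below is an added example, not code from the thread and not how the ASA itself is implemented; it reuses the post's pool 10.10.10.10-10.10.10.20, static 10.10.10.7 for 192.168.0.200 and 192.168.0.x hosts, and the class/function names are chosen here.

```python
from typing import Dict, List, Optional, Tuple
from ipaddress import IPv4Address

class NatPoolModel:
    """Toy model of pre-8.3 ASA/PIX xlate allocation (constructed example).

    static (inside,outside) A B : fixed 1:1 mapping, inbound and outbound.
    global (outside) 1 <range>  : one pool address per inside host, first come
    first served, until one is left; that last address is then shared via PAT.
    """

    def __init__(self, pool_start: str, pool_end: str,
                 statics: Optional[Dict[str, str]] = None) -> None:
        first, last = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.free: List[str] = [str(IPv4Address(i)) for i in range(first, last + 1)]
        self.pat_address = self.free.pop()            # last address reserved for PAT
        self.statics = dict(statics or {})             # inside -> outside (fixed)
        self.xlates: Dict[str, Tuple[str, str]] = {}   # inside -> (outside, kind)

    def translate(self, inside_host: str) -> Tuple[str, str]:
        """Outbound: return (outside address, 'static' | 'nat' | 'pat')."""
        if inside_host in self.statics:                # statics bypass the pool
            return self.statics[inside_host], "static"
        if inside_host not in self.xlates:             # an existing xlate is reused
            if self.free:
                self.xlates[inside_host] = (self.free.pop(0), "nat")
            else:
                self.xlates[inside_host] = (self.pat_address, "pat")
        return self.xlates[inside_host]

    def expire(self, inside_host: str) -> None:
        """xlate timeout: a one-to-one pool address becomes free again."""
        outside, kind = self.xlates.pop(inside_host)
        if kind == "nat":
            self.free.append(outside)

    def inbound(self, outside_addr: str) -> Optional[str]:
        """Inbound: only a static has a fixed inside host to deliver to."""
        for inside, outside in self.statics.items():
            if outside == outside_addr:
                return inside
        return None

def demo() -> List[Tuple[str, str, str]]:
    """Replay the post's scenario: 12 inside hosts plus the static web server."""
    model = NatPoolModel("10.10.10.10", "10.10.10.20",
                         statics={"192.168.0.200": "10.10.10.7"})
    hosts = [f"192.168.0.{n}" for n in range(1, 13)] + ["192.168.0.200"]
    return [(h, *model.translate(h)) for h in hosts]
```

Hosts .1 to .10 each take one of .10-.19, hosts .11 and .12 both land on the PAT address .20, and the web server is always 10.10.10.7 in both directions.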
17 years 6 months ago #21469 by skepticals
It's becoming clearer; however, regarding this configuration:

[code:1]global (outside) 1 10.10.10.10-10.10.10.20
nat (inside) 1 0.0.0.0 0.0.0.0[/code:1]

What is the benefit of sending packets out on different IPs? If I only have 5 IPs, why configure it to use the first 3 and then the last one will use overflow with PAT? Why use multiple IPs? What is the benefit? or did you already explain this to me?

Also, how should I handle the Inside to DMZ communication? From my understanding, I can't use the external NATed IP address from the internal network, is this correct? If so, do I simply configure a rule to allow internal traffic to reach the web server on the DMZ or do I configure an additional NAT that is inside to DMZ?

External: 198.111.x.x
DMZ: 172.16.x.x
Internal: 10.3.x.x

Do I setup a rule allowing traffic from the 10.3.x.x to the 172.x.x or should I NAT this communication as well to hide internal IPs?

Thanks!