TOPIC: Help! ASA5505 Simple port forward

Help! ASA5505 Simple port forward 8 years 1 month ago #27255

  • ajass (New Member, Posts: 4, Karma: 0)
I have read dozens of posts on how to configure NAT and ACL and after trying just about everything I still can't get this.
Simple setup, simple need.
I have 1 static IP from ISP, 1 web server, 5 workstations. Workstations are on same VLAN as server.
All I need is for any internet computer to be able to surf my web server using my outside static IP. How hard can this be!? Please help!
Here's what I can do:

1. Surf the internet
2. Surf the web server from inside (10.10.10.5)

Config:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.45.28 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list INBOUND extended permit tcp any host xx.xx.45.28 eq www
access-list outside_access_in extended permit tcp any host xx.xx.45.28 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 10.10.10.5 xx.xx.45.28 netmask 255.255.255.255
static (inside,outside) xx.xx.45.28 10.10.10.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xx.xx.45.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.87.85.98 68.87.69.146
dhcpd auto_config outside
!
dhcpd address 10.10.10.2-10.10.10.129 inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c6fd6d43e2230d40103df56b3d4bc161
: end

P.S. When I enter ACLs via the command line, they don't show up in the ASDM GUI? Am I missing something here?
I really need this device up and running, any help is greatly appreciated! Thanks!

Re: Help! ASA5505 Simple port forward 8 years 4 weeks ago #27260

  • Patiot (Frequent Member, Posts: 45, Karma: 0)
Hello,

First I have a suggestion. I see you have configured two static NATs for the same translation, is that right? If so, you can remove the static (outside,inside) 10.10.10.5 ...... translation. Static is a two-way translation.

Secondly, you have configured an access list to allow anyone on the internet to access your public IP on the WWW port, but you have not bound that access list to the interface, which means that there is no access list. Without an access list, nobody on the internet will be able to come in by default.

So configure an access-group statement.

access-group binds the access list to the interface.

Thirdly, if you want the hosts on the internet to access only the WWW port on the public IP, then you can always configure a static PAT:

static (inside,outside) tcp outside_ip www inside_ip www netmask 255.255.255.255

with appropriate access-lists.

Re: Help! ASA5505 Simple port forward 8 years 4 weeks ago #27262

  • ajass (New Member, Posts: 4, Karma: 0)
Thanks for your help, Patiot. That makes sense, but I'm not sure how to configure the access-group statement.

I think I have the NAT set correctly.

I can currently browse the internet and I can browse my web server internally.
I tried the command "access-group outside_access_in in interface outside" like you suggested, but maybe the syntax is wrong? Doesn't this give requests coming from the outside interface a place to go on the inside interface?
Thanks for all your help, this is really frustrating.
Web server is at 192.168.1.101
Here's the new config:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.45.28 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp 192.168.1.101 www XX.XX.45.28 www netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 XX.XX.45.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.87.85.98 68.87.69.146
dhcpd auto_config outside
!
dhcpd address 192.168.1.7-192.168.1.97 inside
dhcpd dns 68.87.85.98 interface inside
dhcpd wins 68.87.69.146 interface inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0d008513736032c9e6bb6a8b8bc34975
: end

Re: Help! ASA5505 Simple port forward 8 years 4 weeks ago #27266

  • Patiot (Frequent Member, Posts: 45, Karma: 0)
Here is the syntax that I took from the Cisco website.

Access group configuration:

access-group acl_out in interface outside

And here is your access list:

access-list outside_access_in extended permit tcp any host xx.xx.45.28 eq www

So your configuration will look exactly like this:

access-group outside_access_in in interface outside

Here is one more suggestion about the static.

In your new configuration I saw a static statement as below:
static (outside,inside) tcp 192.168.1.101 www XX.XX.45.28 www netmask 255.255.255.255

IT SHOULD BE:
static (inside,outside) tcp XX.XX.45.28 www 192.168.1.101 www netmask 255.255.255.255

Because static is generally configured in the following way:

static (trusted_int,untrusted_int) untrusted_ip trusted_ip netmask

I don't say that the way you have configured it is wrong, but it will favor hosts that are initiating connections from the internet.
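Putting Patiot's two replies together (bind the ACL with access-group, write the static as (inside,outside) public private, expose only the one port with static PAT), here is an added example of the complete minimal ASA 7.2 configuration for forwarding TCP/80 to a single inside host, followed by the commands used to verify it. This is not configuration from the thread or from Cisco documentation; the addresses (203.0.113.28/29 outside, 192.168.1.0/24 inside, web server 192.168.1.100, 198.51.100.7 as a test client) are assumed placeholders, and the ACL name INBOUND is the one the thread uses later.

```cisco
! Added example, not from the thread. Assumed addresses: outside interface
! 203.0.113.28/29, inside 192.168.1.0/24, web server 192.168.1.100.
!
! 1. Static PAT, written (real_ifc,mapped_ifc) mapped_addr real_addr, that is
!    (inside,outside) <public> <private>. "interface" means the outside address.
!    Only TCP/80 is translated; the server's other ports are never reachable
!    from outside, whatever the ACL says. Do NOT also keep the reversed
!    static (outside,inside) line: a static is already bidirectional, and the
!    reversed form puts the public address in the real-address slot.
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255
!
! 2. Dynamic PAT for outbound traffic from the LAN (the default you already have).
!    With nat-control enabled every inside host needs this or a static to pass.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! 3. The inbound ACL. On 7.2 the destination is the MAPPED (public) address,
!    not 192.168.1.100. Anything not permitted here is denied implicitly.
access-list INBOUND extended permit tcp any host 203.0.113.28 eq www
!
! 4. Without this line the ACL exists but is applied nowhere, and traffic from
!    security-level 0 to 100 stays blocked. Bind it inbound on outside.
access-group INBOUND in interface outside
!
! Verification from privileged EXEC:
!   show xlate
!     the static PAT entry should be listed even before any traffic arrives
!   show access-list INBOUND
!     hitcnt must grow as outside clients connect; if it stays at 0 the ACL
!     is not bound or the destination address in it is wrong
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.28 80
!     walks ACL, NAT and routing for a simulated inbound SYN; a failing phase
!     prints the drop reason (for example acl-drop) instead of ALLOW
!   show logging | include 106023
!     %ASA-4-106023 is the "denied by access-group" message for real attempts
```

Two caveats a practitioner will want. First, keep the static PAT form rather than a one-to-one static for the server: a plain static exposes every port of 192.168.1.100 to whatever the ACL allows, and a later ACL edit can then widen exposure without anyone touching the NAT. Second, this is 7.x/8.2 syntax; from ASA 8.3 onward static and global/nat were replaced by object NAT and inbound ACLs match the real (inside) address, so do not copy these lines onto a newer image.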

Got it! thanks guys! 8 years 4 weeks ago #27267

  • ajass (New Member, Posts: 4, Karma: 0)
I got it working! Thanks! You guys rock!
For anybody else reading this...

The following is almost the default config except for the:

Outside to Inside Nat translation
Access list
Access group
Web server on 192.168.1.100

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xxx.40.62 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list INBOUND extended permit tcp any host xx.xxx.40.62 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 200 interface
nat (inside) 200 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 <<--- Can also be done with ASDM
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xxx.40.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd dns 205.171.3.65 205.171.2.65 interface inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:af66834cfaa704797482aeaad8d2c70c
: end

Thanks for your suggestions. Now it's on to the VPN!