TOPIC: TWO ASA5505 and single Internal Website

TWO ASA5505 and single Internal Website 7 years 10 months ago #28710

Hi
I have a query.
I have two ASA5505, both on different ISPs.
ExternalIP 1-ASA5505=20.20.20.2
InternalIP 1-ASA5505=10.10.10.1
ExternalIP 2-ASA5505=30.30.30.2
InternalIP 2-ASA5505=10.10.10.2

Then a normal 28-port switch.

Then My Webserver 10.10.10.50

I have to run my single internal site from both external IPs of the ASAs simultaneously.


Re: TWO ASA5505 and single Internal Website 7 years 10 months ago #28712

  • r0nni3
  • Distinguished Member
  • Posts: 107
  • Karma: 0
Place the webserver in a DMZ and make static NAT translations.


static (dmz,outside) tcp externalipaddress www internalipaddress www

You make this rule for every port you want to forward to your webserver.
Also you need to make an access-list on your outside interface to actually allow the traffic from the internet to the server:

access-list outside_in permit tcp any host externalipaddress eq www

Again you make this rule for every port/IP you want to forward.

Then you need to bind the access-list to your interface:

access-group outside_in in interface outside




Hope this helps,
Ron
Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream

Re: TWO ASA5505 and single Internal Website 7 years 10 months ago #28718

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
Place the webserver in a DMZ and make static NAT translations.


static (dmz,outside) tcp externalipaddress www internalipaddress www

You make this rule for every port you want to forward to your webserver.
Also you need to make an access-list on your outside interface to actually allow the traffic from the internet to the server:

access-list outside_in permit tcp any host externalipaddress eq www

Again you make this rule for every port/IP you want to forward.

Then you need to bind the access-list to your interface:

access-group outside_in in interface outside




Hope this helps,
Ron

Hi Ron,

I'm not convinced this will work. The interesting thing with using two appliances is getting the return traffic back to the correct appliance. I have never tried to get it to work as I no longer do much with Cisco. The issue here is as follows:

1. The webserver in the DMZ will have its default gateway set to one of the appliances only (for this example, appliance 1)
2. Traffic will come into either appliance from the internet (presumably using DNS Round Robin it will hit appliance 1, then appliance 2, then appliance 1, etc..)
3. If it comes into appliance 1, then the appliance will forward to the webserver using the Static NAT, the packet that hits the webserver still has the PublicIP Address of the sending machine, when the Webserver is sending traffic back, it uses normal routing to hit the appliance 1 (because of the default gateway).
4. If it comes into appliance 2, then the appliance will forward to the webserver using the Static NAT, the packet that hits the webserver still has the PublicIP Address of the sending machine, when the Webserver is sending traffic back, it uses normal routing to hit the appliance 1 (because of the default gateway).

The problem comes into play at point 4. This is because you will see that return traffic gets sent back to Appliance 1 due to the Default Gateway configured on the Webserver. Appliance 1 will not have the NAT translation setup in the XLAT and will therefore drop the traffic.

Anyone know how to get around this? The only thing I could think would be to NAT the incoming traffic for the SourceAddress also (so it would have to NAT source and destination addresses). The issue with doing this is that the Webserver will see all traffic originating from the Pix Internal Interface.

I now work with WatchGuard Firewalls, which have the functionality of setting up multiple external links to the same firewall; this therefore gets around the issue above and allows for outbound traffic to be balanced across multiple links without the added complexity of routing protocols, etc...
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: TWO ASA5505 and single Internal Website 7 years 10 months ago #28722

  • r0nni3
  • Distinguished Member
  • Posts: 107
  • Karma: 0
It will work. You just need a Security Plus license with dual ISP enabled. You don't need 2 ASAs for 2 ISPs.



*edit* I'm stupid... I entirely read over the fact that he does have 2 ASAs... doh >.<
I'm gonna toy around a bit with this setup. I got it to work before but I forgot how... stay tuned :p
Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream

Re: TWO ASA5505 and single Internal Website 7 years 10 months ago #28735

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
It will work. You just need a Security Plus license with dual ISP enabled. You don't need 2 ASAs for 2 ISPs.

Blimey, didn't realise they had enabled dual ISP support. Shows how out of touch with the Pix/ASA I am these days, lol
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: TWO ASA5505 and single Internal Website 7 years 10 months ago #28737

  • S0lo
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
The problem comes into play at point 4. This is because you will see that return traffic gets sent back to Appliance 1 due to the Default Gateway configured on the Webserver. Appliance 1 will not have the NAT translation setup in the XLAT and will therefore drop the traffic.

Very well explained Smurf :). The reply traffic will definitely go to only appliance 1 as you said.

So I'm thinking this, assuming the Webserver is Windows based. Windows has an option where you can define more than one IP on a single NIC, right? (Advanced button, remember). I'm wondering, will this work:

Webserver:
IP1: 10.10.10.50
IP2: 10.10.10.51

Appliance 1:
static (inside,outside) 20.20.20.2 10.10.10.50 netmask 255.255.255.255
static (inside,outside) 30.30.30.2 10.10.10.51 netmask 255.255.255.255

Appliance 2:
static (inside,outside) 30.30.30.2 10.10.10.51 netmask 255.255.255.255

What I'm saying is, the first static statement for App1 will simply map 20.20.20.2 to 10.10.10.50. The single static statement for App2 maps 30.30.30.2 to 10.10.10.51. Both incoming flows go to the same server, that's simple, ha? Now the second static statement for App1 will fool App1 into translating the source address of the nasty reply traffic to have the IP 30.30.30.2 (App2's address).

That's up to my understanding that static maps work both ways, whether the traffic was initiated outside or inside.

Surely I'm mapping all IP traffic here, which works for all TCP ports (not just port 80), but I'm doing this just for simplicity.

Could it work? Or am I out of scope?
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx