Joined: Aug 10, 2006 Posts: 1387 Location: GT Manchester, UK
Posted: Thu Apr 26, 2007 9:58 pm Post subject:
Quote:
I believe I understand what you are saying. With my current configuration, I am using the external IP address solely for the web server, when I could be using it, at the PAT level, just for port 80. Is that correct?
Yes, that's correct.
Quote:
Also, this is not my only external IP address. We have a range of IP addresses, and the internal clients are not using the external IP address of the web server. Would this eliminate the problem?
In that case, use one address for the external interface and, in your static statement, use a different address again. On the global, you can use the same address that is on your external interface (or, if you have even more, you can use more in the global).
The thing to remember, however, if you use multiple addresses in the global statement, is that the first machine that comes along will use the first IP address and will have sole use of that address. The next machine will come along and take the next IP address, and so on, until there is one address left. Once one address is left, this is then used for PAT.
Cheers _________________ Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
You are saying I could put one public address on the external interface, and then I could use a different address or multiple addresses for the external IP address of the web server. And that, if I were to use multiple addresses in a pool for the web server, it is first-come-first-served and the last IP address will be used along with PAT to handle any overflow?
If this is the case, what is the benefit of NATing/PATing multiple external addresses to one internal IP address? Why not just use the same IP address?
My current setup uses one address for the external interface and a different address for the external address of the web server.
FYI: It's working now! You are not going to believe this, but I had the wrong default gateway on the web server! I was used to the Layer 3 switches and pointed it toward the management IP address of the Layer 2 switch. Dumb mistake, but then I tried the web page from the server and it worked, then I tried the web page from another computer in the DMZ and it worked. So I thought about the problem and at first blamed the ASA (because I know nothing about it), but I checked the web server and that was the problem.
Thank you for your continued help and amazingly fast responses! I am learning a great deal about the ASA thanks to you. I look forward to your response.
Joined: Aug 10, 2006 Posts: 1387 Location: GT Manchester, UK
Posted: Thu Apr 26, 2007 11:26 pm Post subject:
Sorry, but I must not have explained it very well.
If you set up something like
Code:
global (outside) 1 10.10.10.10-10.10.10.20
nat (inside) 1 0.0.0.0 0.0.0.0
Then what this is saying is: the first machine (say 192.168.0.1) on the inside network that tries accessing anything on the outside will come along and get a NAT translation set up between 10.10.10.10 and 192.168.0.1. This means ALL traffic from 192.168.0.1 will always get the external address 10.10.10.10 (until the xlate times out, and then another machine can get it).
Now, if a second machine (say 192.168.0.2) on the inside network tries accessing anything on the outside, it will come along and get a NAT translation set up between 10.10.10.11 and 192.168.0.2.
This goes on until 10.10.10.10 through 10.10.10.19 are used up by hosts on the inside network accessing the outside network. The next host comes along and there is only one address free, so it then starts to use PAT; each and every new host that comes along will start to use 10.10.10.20.
Now, there is no way to control this mechanism and specifically set which machine gets which NAT address so that it always gets it... or is there? Yup, this is the static. A static sets up the translation between an inside address and an outside address. This is fixed, and whenever that host (say your web server) accesses the outside network, it always gets translated to the address in the static. That's why this is required to allow incoming traffic: because it's statically specified.
So, the static command doesn't include addresses that are configured in the global, so if we set up a static;
So, sometimes you may want to physically set which address maps to which internal address, especially for incoming services.
Hope it's a little clearer? Anyhow, gonna go to bed now; my Ubuntu install just failed, so gonna call it a night and try again tomorrow. I hate computers, lol _________________ Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
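The post above describes three mechanisms by hand: a global pool handed out first-come, first-served, the last pool address kept back for PAT, and a static that wins over the pool and must not overlap it. The following is an added worked model of exactly that behaviour, written for this page; it is not Firewall.cx or Cisco code and it does not talk to an ASA. It assumes the pool 10.10.10.10-10.10.10.20 and inside hosts 192.168.0.x from the post, a constructed static for a web server (192.168.0.50 to 10.10.10.5), and an idle timeout of three hours, which is used here only so the "until the xlate times out" case can be exercised.

```python
# Toy model of ASA/PIX dynamic NAT with PAT overflow and static precedence.
# Added example for this page; it is not Cisco code and simplifies real xlate
# handling (one idle timer per host, sequential PAT ports, no ACL processing).
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def ip_range(first: str, last: str) -> list[str]:
    """Expand the bounds of 'global (outside) 1 first-last' into a list."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    return [str(IPv4Address(i)) for i in range(lo, hi + 1)]


@dataclass
class Xlate:
    inside: str
    outside: str
    pat: bool          # True when the host shares the last pool address
    last_used: float   # seconds; drives the idle timeout


class NatTable:
    """Models: global (outside) 1 <first>-<last> / nat (inside) 1 0.0.0.0 0.0.0.0
    plus any number of static (inside,outside) <outside> <inside> lines."""

    def __init__(self, pool_first: str, pool_last: str, xlate_timeout: float = 3 * 3600):
        pool = ip_range(pool_first, pool_last)
        self.one_to_one = pool[:-1]   # handed out first-come, first-served
        self.pat_addr = pool[-1]      # last address is reserved for PAT overflow
        self.timeout = xlate_timeout  # assumed idle timeout for this model
        self.statics: dict[str, str] = {}                # inside -> fixed outside address
        self.xlates: dict[str, Xlate] = {}               # inside -> dynamic translation
        self.pat_ports: dict[tuple[str, int], int] = {}  # (inside, sport) -> mapped port
        self._next_port = 1024

    def add_static(self, inside: str, outside: str) -> None:
        # The static's address must not be one the global pool can also hand out.
        if outside in self.one_to_one or outside == self.pat_addr:
            raise ValueError(f"{outside} overlaps the global pool; use a separate address")
        self.statics[inside] = outside

    def _expire(self, now: float) -> None:
        for inside, x in list(self.xlates.items()):
            if now - x.last_used > self.timeout:
                del self.xlates[inside]            # address goes back to the pool
                self.pat_ports = {k: v for k, v in self.pat_ports.items() if k[0] != inside}

    def outbound(self, inside: str, sport: int, now: float) -> tuple[str, int]:
        """Return (outside address, outside port) for a packet from inside:sport."""
        if inside in self.statics:                 # a static always wins over the pool
            return self.statics[inside], sport
        self._expire(now)
        x = self.xlates.get(inside)
        if x is None:
            taken = {y.outside for y in self.xlates.values() if not y.pat}
            free = [a for a in self.one_to_one if a not in taken]
            x = Xlate(inside, free[0], False, now) if free else Xlate(inside, self.pat_addr, True, now)
            self.xlates[inside] = x
        x.last_used = now
        if not x.pat:
            return x.outside, sport                # one-to-one NAT keeps the source port
        key = (inside, sport)                      # PAT: one mapped port per flow
        if key not in self.pat_ports:
            self.pat_ports[key] = self._next_port
            self._next_port += 1
        return x.outside, self.pat_ports[key]

    def inbound(self, outside: str) -> Optional[str]:
        """Which inside host does an unsolicited connection to `outside` reach?
        Only a static gives a fixed answer; pool addresses change hands."""
        for inside, o in self.statics.items():
            if o == outside:
                return inside
        return None


def demo() -> dict:
    """Replay the scenario from the post: 12 inside hosts, 10 spare addresses."""
    t = NatTable("10.10.10.10", "10.10.10.20")
    t.add_static("192.168.0.50", "10.10.10.5")      # constructed web-server static
    out = {}
    for i in range(1, 13):
        out[f"192.168.0.{i}"] = t.outbound(f"192.168.0.{i}", 40000 + i, now=0)
    out["web"] = t.outbound("192.168.0.50", 80, now=0)
    out["pat2"] = t.outbound("192.168.0.12", 40099, now=0)        # 2nd flow from a PAT host
    out["after_timeout"] = t.outbound("192.168.0.99", 5000, now=4 * 3600)  # pool recycled
    out["inbound_web"] = t.inbound("10.10.10.5")
    out["inbound_dyn"] = t.inbound("10.10.10.10")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>16}: {v}")
```

Hosts 1 to 10 each get their own address (.10 through .19) and keep their source ports; hosts 11 and 12 both land on .20 and are told apart by the mapped port; the web server always leaves as 10.10.10.5 regardless of pool state; and once the idle timer has run, a new host is handed .10 again. `inbound()` makes the last point of the post concrete: the only address an outside rule can target with confidence is the static one.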
It's becoming more clear; however, regarding this configuration:
Code:
global (outside) 1 10.10.10.10-10.10.10.20
nat (inside) 1 0.0.0.0 0.0.0.0
What is the benefit of sending packets out on different IPs? If I only have 5 IPs, why configure it to use the first 3 and then have the last one handle overflow with PAT? Why use multiple IPs? What is the benefit? Or did you already explain this to me?
Also, how should I handle the inside-to-DMZ communication? From my understanding, I can't use the external NATed IP address from the internal network; is this correct? If so, do I simply configure a rule to allow internal traffic to reach the web server on the DMZ, or do I configure an additional NAT that is inside to DMZ?
Page 3 of 3