
5510 ASA multiple outside IP addresses


bull3000
Technical User
Sep 6, 2007
I'm presently using a 5510 in routed mode and I'm using a 5510. I want to have the outside firewall respond to multiple addresses (so I can host two web servers at port 80). Since I'm using a 5510, I don't have the ability to use security contexts. Can I create a subinterface on the front end that will allow a second ip address? Or, can the interface be configured to respond to multiple addresses? Any ideas are appreciated.

Thanks
 
I have a block of 8 addresses The mask is 255.255.255.248.

I've got the interface configured to use the .1 address from the block. I want to figure out how to configure it respond to the whole block so I can pass it through to the DMZ.
 
All you need to do is create statics with the outside IP in that block and map it to the internal address. You won't need sub-interfaces.

static (inside,outside) tcp W.X.Y.Z [Port#] [Internal_server_IP] [Port#] netmask 255.255.255.255

The W.X.Y.Z can be any of the IPs in your block.

You will then need an ACL applied to the outside interface to allow the traffic through

access-list outside_in permit tcp any host W.X.Y.Z eq [Port#]
access-group outside_in in interface outside

Hope this helps.

If you need anything else, post a scrubbed config and someone here can walk you through it.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I've tried the suggestion and it still isn't working. The log shows the following error when an outside request is attempted: "Inbound TCP connection denied... flags SYN on interface outside". I'm at a bit of a loss about why.

As a side note, you'll see that I'm NATing the inside interface through the firewall. Is this contributing to the problem?

Last, for the development exercise, the "outside" interface is connected to an internal LAN. This will change at deployment, but explains the non-routable addresses on the outside interface.

Tx,
Sam

Scrubbed config follows...

ASA Version 7.0(6)
!
hostname ...
domain-name ...
enable password ...
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 10
ip address 192.168.5.241 255.255.255.248
!
interface Ethernet0/1
nameif dmz
security-level 25
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 50
ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 99
ip address 192.168.250.1 255.255.255.0
management-only
!
passwd ...
ftp mode passive
dns domain-lookup dmz
dns domain-lookup inside
dns name-server 192.168.55.1
access-list inside_access_in extended permit ip any any
access-list outside_in extended permit tcp any host 192.168.5.244 eq www
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500
no failover
monitor-interface outside
monitor-interface dmz
monitor-interface inside
monitor-interface management
icmp permit any dmz
icmp permit any inside
asdm image disk0:/asdm506.bin
arp timeout 14400
nat-control
global (outside) 1 192.168.5.242
static (inside,outside) tcp 192.168.30.50 8080 192.168.5.244 255.255.255.255
static (inside,outside) 192.168.5.0 192.168.30.0 netmask 255.255.255.0
access-group outside_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
snmp-server enable traps snmp authentication linkup linkdown coldstart
ssh 192.168.250.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.30.50-192.168.30.250 inside
dhcpd address 192.168.250.2-192.168.250.254 management
dhcpd dns 192.168.55.1 ...
...
!
class-map inspection_default
match default-inspection-traffic
!
!
 
Your statics are wrong.

Change to

static (inside,outside) tcp 192.168.5.244 8080 192.168.30.50 8080 netmask 255.255.255.255


Delete
static (inside,outside) 192.168.5.0 192.168.30.0 netmask 255.255.255.0

Add

nat (inside) 1 0.0.0.0 0.0.0.0
 
As Brian pointed out, you flipped the address in the static but you have it mapped to an internal address and not your DMZ. If you want it to go to the DMZ then

static (inside,outside) tcp 192.168.30.50 8080 192.168.5.244 255.255.255.255
should be changed to
static (DMZ,outside) tcp 192.168.5.244 8080 192.168.20.X 255.255.255.255
where X is the last octet of your server IP.

You will need to change your ACL as well.

access-list outside_in extended permit tcp any host 192.168.5.244 eq www

should be
access-list outside_in extended permit tcp any host 192.168.5.244 eq 8080

It should reflect the outside port on the way in.

I would also change
nat (inside) 1 0.0.0.0 0.0.0.0
to
nat (inside) 1 192.168.30.0 255.255.255.0
(Not necessary just a little more secure - unless you will have routed networks on the inside interface of your ASA.)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Ok, I'm confused by the last post somewhat...

First, I understand the inside/dmz issue, I intend to correct that, but the machinery that I have is on the inside network. I expect that the config is the same, just on a different segment. - Correct me if I'm wrong on that point.

The part that is confusing is the port numbers. If I want to present a web server on the outside interface (192.168.5.244) at port 80 and translate that to the inside (dmz) address (192.168.30.50) at port 8080, it seems that the ports listed in the previous post are backwards. If they're correct, I don't understand why. I.e., why is the ACL for the outside port referencing port 8080?

Sam
P.S. Thanks to all for this discussion.
 
Here is the syntax for the command; I may have transposed the ports.

static (inside,outside) tcp outside_ip outside_port inside_ip inside_port netmask network_mask

Thus

static (inside,outside) tcp 192.168.5.244 80 192.168.30.50 8080 netmask 255.255.255.255

And the acl should reference port 80 as you mentioned
 
OK, sorry for the mutual confusion - that last bit cleared it up for me. You have your server on the inside interface.

For the IP/port combinations
ASA listening at 192.168.5.244 on port 80
internal server listening at 192.168.30.50 on port 8080

static (inside,outside) tcp 192.168.5.244 80 192.168.30.50 8080 netmask 255.255.255.255

access-list outside_in extended permit tcp any host 192.168.5.244 eq 80


PIX/ASA statics are a little weird - I know it says (inside,outside) but you flip them in the second part. This is just Cisco's way. It is a common mistake.

Does that make a little more sense?



Brent
Systems Engineer / Consultant
CCNP, CCSP
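As an added check (not from the thread or from Cisco), a small Python audit that parses the static, access-list and access-group lines of an ASA 7.x config and flags the three inconsistencies worked through above: mapped and real addresses transposed in the static, the ACL port not matching the mapped port, and the ACL bound to an interface other than the mapped one. The config excerpt is constructed from the scrubbed config in the thread.

```python
import ipaddress

# Constructed excerpt modelled on the thread's scrubbed config; not a real device.
CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 192.168.5.241 255.255.255.248
interface Ethernet0/2
 nameif inside
 ip address 192.168.30.1 255.255.255.0
access-list outside_in extended permit tcp any host 192.168.5.244 eq www
static (inside,outside) tcp 192.168.30.50 8080 192.168.5.244 255.255.255.255
access-group outside_in in interface inside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}

def port(tok):
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

def audit(cfg):
    """Return findings on static / access-list / access-group consistency."""
    nets, statics, acls, groups, out, nameif = {}, [], [], {}, [], None
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            nets[nameif] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "static" and t[2] == "tcp":
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            # syntax: static (real,mapped) tcp mapped_ip mapped_port real_ip [real_port] netmask ...
            statics.append((real_ifc, mapped_ifc, t[3], port(t[4]), t[5]))
        elif t[0] == "access-list" and "host" in t and "eq" in t:
            acls.append((t[1], t[t.index("host") + 1], port(t[t.index("eq") + 1])))
        elif t[0] == "access-group":
            groups[t[1]] = t[t.index("interface") + 1]
    for _, mapped_ifc, mapped_ip, mapped_port, real_ip in statics:
        if ipaddress.ip_address(mapped_ip) not in nets[mapped_ifc]:
            out.append(f"static: {mapped_ip} is not on {mapped_ifc}; mapped/real addresses look transposed")
            mapped_ip, real_ip = real_ip, mapped_ip  # continue with the likely intent
        for name, host, p in acls:
            if host != mapped_ip:
                continue
            if p != mapped_port:
                out.append(f"acl {name}: permits port {p} but static maps port {mapped_port} on {mapped_ip}")
            if groups.get(name) != mapped_ifc:
                out.append(f"access-group: {name} is bound to {groups.get(name)}, not {mapped_ifc}")
    return out
```

Running `audit(CONFIG)` on the thread's config returns all three findings; with the corrected static and the ACL applied to `outside` it returns an empty list.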
 