ACL and NAT help

[arell12]

I needs some help with NAT and ACl's, I have a few that I am trying to get to work but none of them are working. We have 5 IP addresses that I am trying to assign to the outside interface 204.x.x.50 - .54. Then I am trying to send traffic coming in on certian ips and ports to different IP addresses. I have attached my config below

names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 204.x.x.50 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 50
ip address 10.x.x.253 255.255.252.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 172.x.x.35 255.255.252.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name vand1.oppy.com
access-list Outside_access_in extended permit tcp any host 10.x.x.4 eq https
access-list Outside_access_in extended permit tcp any host 10.x.x.4 eq www
access-list Outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 host 10.x.x.2 eq smtp
access-list Outside_access_in extended permit tcp any host 10.x.x.2 eq 4080
access-list Outside_access_in extended permit tcp any host 10.x.x.7 eq www
access-list Outside_access_in extended permit tcp any host 10.x.x.7 eq https
access-list Outside_access_in extended permit tcp any host 10.x.x.5 eq www
access-list Outside_access_in extended permit tcp any host 10.x.x.5 eq https
access-list Outside_access_in extended permit tcp any host 10.x.x.6 eq https
access-list Outside_access_in extended permit tcp any host 10.x.x.2 eq ssh
access-list Outside_access_in extended permit tcp any host 204.x.x.50 eq ssh
access-list DMZ_access_in extended permit ip host 10.x.x.3 any
access-list DMZ_access_in extended permit ip host 10.x.x.2 any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
nat-control
nat (management) 0 0.0.0.0 0.0.0.0
static (inside,Outside) 204.x.x.51 10.x.x.4 netmask 255.255.255.255
static (inside,Outside) 204.x.x.52 10.x.x.6 netmask 255.255.255.255
static (inside,Outside) 204.x.x.53 10.x.x.2 netmask 255.255.255.255
static (inside,Outside) 204.x.x.54 10.x.x.5 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface inside
route Outside 0.0.0.0 0.0.0.0 204.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.x.x.0 255.255.252.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.x.x.0 255.255.0.0 management
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.x.x.4 source management prefer
!
class-map inspection_default
match default-inspection-traffic
class-map pptp-port
match port tcp eq pptp
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map pptp_policy
class pptp-port
inspect pptp
!
service-policy global_policy global
service-policy pptp_policy interface Outside
prompt hostname context
Cryptochecksum:6b43ee4a52285e254de7bd6458fa4c25
: end
asdm image disk0:/asdm-615.bin
asdm location 204.x.x.51 255.255.255.255 Outside
asdm location 204.x.x.52 255.255.255.255 Outside
asdm location 204.x.x.53 255.255.255.255 Outside
asdm location 204.x.x.54 255.255.255.255 Outside
asdm location 204.x.x.201 255.255.255.255 Outside
asdm location 204.x.x.200 255.255.255.248 Outside
asdm location 64.18.0.0 255.255.240.0 management
asdm location 204.x.x.50 255.255.255.255 management
no asdm history enable

 

[unclerico]

Your host addresses on your outside_access_in ACL should be the public addresses, not the private addresses.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[rainbow007]

there is a configuration problem here

example:
say the public Ip addresses are: 80.32.244.228 to 236
Private ip: 192.168.1.1 to 192.168.1.5

if you want the inbound trafic coming to a webserver 192.168.1.1 then you basically assign one public IP for the outside internet users to get to the inside webserver 192.168.1.1.

the way to do:
step-1:setup a staic NAT mapping
step-2:configure Access-list
Step-3:appply ACL on the interface

step-1:
======
conf t
static (inside,outside) 80.32.244.228 192.168.1.1

Step-2
======
access-list outside_in permit tcp any host 80.32.244.228 eq http

step-3
=====
access-group outside_in in interface outside

this will the job.you will basically follow these 3 steps for any inbound rules

regards
rainbow007

 

[arell12]

Thanks both of you for your help. I understand what I was doing wrong now and have corrected that part of my issue. I have a couple more questions, hopefully you can help. My ASA is our Front firewall (connected to internet directly) and the inside interface connects to our ISA server which connects to the LAN.

Internet -- ASA -- ISA Server -- LAN

ALl outbound traffic goes through our ISA server then out through our ASA server. What rules do I need, to allow all traffic from ISA server out to the internet. ISA server has addresses 10.x.x.2 - .7. Is there any NAT'ing that is required for this or can everything just be permitted outbound?

 

[unclerico]

Yes. You'll need to include the following:

ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ASA(config)# global (outside) 1 interface

The sequence of commands above will NAT all traffic coming from the inside interface to the public IP address assigned to the outside interface.

Traffic is implicitly permitted when travelling from a higher security interface to a lower security interface (i.e. from inside to outside) so you will not need to do anything special.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[arell12]

Thanks for that. Much appreciated. I have another question for you. I am trying to forward PPTP connections to our ISA server (it is our VPN server) I read on the Cisco site that I had to do this:

access-list Outside_access_in extended permit gre any host 204.x.x.50
access-list Outside_access_in extended permit tcp any host 204.x.x.50 eq pptp
static (inside,Outside) tcp interface pptp 10.x.x.2 pptp netmask 255.255.255.255
access-group Outside_access_in in interface Outside

The line: static (inside,Outside) tcp interface pptp 10.x.x.2 pptp netmask 255.255.255.255
I had to specify the pptp port because I have other ports from 204.x.x.50 going to different 10.x.x.# IP's. My question is do I need to do anything with the GRE protocol because I was unable to PAT the with the GRE option. Will this even work using PAT?

To make things even more fun I also need to get IPsec into a different 10.x.x.# ip address that also goes to our external IP of 204.x.x.50