Mapping external to internal IP 1

[ndinc]

I have vnc port 5900 working, but I do not want it open to the rest of the world. Can someone help me with the correct IOS commands to map an internal ip to an external.

Example

10.1.1.3 3389 to 207.x.x.59
10.1.1.4 5900 to 207.x.x.60
10.1.1.12 5367 to 207.x.x.61

Also I would like to only allow only certain static IP to access those outside Ip's. Kind of like I did with SSH.

And if you see anything wrong in my confic, please feel free to point out. I have major firewall experience, but ASA and PIX always makes me have to rethink everything.


ciscoasa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password encrypted
passwd encrypted
names
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 207.x.x.58 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_access_in extended permit tcp any interface outside eq 5900
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5900 10.1.1.10 5900 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.x.x.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 207.x.x.16 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
client-update enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 207.x.x.16 255.255.255.255 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd dns 68.x.x.30 68.x.x.30
dhcpd auto_config outside
!
dhcpd dns 68.x.x.30 68.x.x.30 interface inside
!
ntp server 152.2.21.1 source outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 207.x.x.x
prompt hostname context
Cryptochecksum:9491ae391128593d8d4f993498f83d6e
: end
ciscoasa#



Thanks for your help

 

[Supergrrover]

You need to create statics -

static (inside,outside) tcp 207.x.x.59 3389 10.1.1.3 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.x.x.60 5900 10.1.1.4 5900 netmask 255.255.255.255
static (inside,outside) tcp 207.x.x.61 5367 10.1.1.12 5367 netmask 255.255.255.255

Then allow that traffic in your outside interface ACL
access-list outside_access_in extended permit tcp any host 207.x.x.59 outside eq 3389
access-list outside_access_in extended permit tcp any host 207.x.x.60 outside eq 5900
access-list outside_access_in extended permit tcp any host 207.x.x.61 outside eq 5367

To limit access - change the "any" key word to "host IP_ADDRESS"

Hope this helps.



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[ndinc]

Perfect.

Now how to I make it so only certain external IP cann access certain ports.

Example;

68.x.x.175 at home to access 207.x.x.60 eq 5900 vnc

Only allow 68.x.x.175 vnc acces to that IP.

Great info, this will come in handy as I was force to put the ASA 5505 in production today and I have to get this started.

I will try it out!



Thanks for your help

 

[Supergrrover]

Change this line
access-list outside_access_in extended permit tcp any host 207.x.x.60 outside eq 5900

to
access-list outside_access_in extended permit tcp host 68.x.x.175 host 207.x.x.60 outside eq 5900

use similar syntax for the other services.
Glad it helped



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[ndinc]

It worked like charm!!

Perfection...

One more question..

I cant get port 1730 / PPT to work, the RAS server is telling me the firewall isnt allowing GRE.

Any ideas? or the proper IOS syntax for it?

RAS server is 207.x.x.67 to any host.

Thanks for your help

 

[Supergrrover]

try adding these lines

access-list outside_access_in extended permit gre any host 207.x.x.67
access-list outside_access_in extended permit tcp any host 207.x.x.67 eq 1730

static (inside,outside) 207.x.x.67 [server_ip] netmask 255.255.255.255

BTW for the ACL's in the last post you should remove the "outside" it accidentally got left in the copy and paste.

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[ndinc]

I figure out the "outside" problem after I cut and pasted and compared it with other configs. As it would not allow it.

The port I listed is an error 1730 should be 1723? I assume the statements would be the same. I will try it out.

I cant tell you how much you have helped me. We are replacing Sonicwall(s) (so tired of them corrupting) and the Cisco ASA was a big change. I am fairly IOS savy, but PIX has always been a pain for me.

I will now replace all Sonicwall with these ASA's as you filled the tech gap for me.

Thank you

Thanks for your help