clear up my thinking on correct use of ASA outside interface IP


Mackintire
So, I'm trying to figure out why the previous admin did this.

ASA version 8.2(5)

In the config I am looking at....

interface GigabitEthernet0/0
speed 1000
duplex full
description Outside Interface - Connect to WAN
nameif outside
security-level 0
ip address 209.xxx.xxx.001 255.255.255.0


But he's created static routes to the internal network using external IP addresses starting at .002 and continuing to .006

Is there some reason you can't or don't want to map the same IP that is defined on the outside interface to a server in the DMZ? Or is this just a case where he has IP addresses to burn?
 
Looks like you've got 254 IP addresses to burn, so why not?

Especially if you have 3 or 4 different web servers that use the same HTTP port (80).
 
Nope there's 8 public IP addresses.


And the admin mapped 209.xxx.xxx.001 to the outside interface and


static (DMZ,PUBLIC) 209.xxx.xxx.002 192.168.1.2 netmask 255.255.255.255
static (DMZ,PUBLIC) 209.xxx.xxx.003 192.168.1.3 netmask 255.255.255.255
static (DMZ,PUBLIC) 209.xxx.xxx.004 192.168.1.4 netmask 255.255.255.255
static (DMZ,PUBLIC) 209.xxx.xxx.005 192.168.1.5 netmask 255.255.255.255



So can I just add this, or am I breaking some sort of best practice or security rule?

static (DMZ,PUBLIC) 209.xxx.xxx.001 192.168.1.6 netmask 255.255.255.255
 
I have a pile of ASAs and I'm running out of public IPs, so a wasted IP in this case is not a good thing.
 
Oh OK, well, you have the subnet mask set to 255.255.255.0, which is an IP space that contains 254 host IP addresses...

I don't think you could add that line (maybe I'm wrong), but you want to look into NAT/PAT to be able to forward requests from a public address to an internal private address.
 
The internal network that is 192.168.1.0 has 255 addresses.

The external network does not.
 
nope.


I'm just wondering if it's an OK practice to use the outside interface's IP as something to port forward to (like most routers).

I'm still learning the intricacies of the ASA, specifically version 8.2.
 
I do something similar at home. Main static IP does NAT overload for my internal network (PAT to VPN server off this IP). Second static is PATted to various servers in the DMZ. DMZ also uses second static for its NAT overload.

If I had more statics I'd just 1:1 or proxy arp to each internal server but alas I don't.
 
Nope there's 8 public IP addresses.


And the admin mapped 209.xxx.xxx.001 to the outside interface and


static (DMZ,PUBLIC) 209.xxx.xxx.002 192.168.1.2 netmask 255.255.255.255
static (DMZ,PUBLIC) 209.xxx.xxx.003 192.168.1.3 netmask 255.255.255.255
static (DMZ,PUBLIC) 209.xxx.xxx.004 192.168.1.4 netmask 255.255.255.255
static (DMZ,PUBLIC) 209.xxx.xxx.005 192.168.1.5 netmask 255.255.255.255



So can I just add this, or am I breaking some sort of best practice or security rule?

static (DMZ,PUBLIC) 209.xxx.xxx.001 192.168.1.6 netmask 255.255.255.255

You could do that and it will create a 1:1 port mapping of ALL ports for 209.x.x.1 to 192.168.1.6. It shouldn't break anything, but it could have some undesired effects if a port was being used on the ASA, like 22 or 80. When you make a rule to allow traffic for port 22 or 80, it might not go to 192.168.1.6 like you intended but might point to your ASA's SSH or WWW server instead.

The better and more secure way to get around this issue is to forward only the ports you need, not all 65K of them. So instead of:

static (DMZ,PUBLIC) 209.xxx.xxx.001 192.168.1.6 netmask 255.255.255.255

do:

static (DMZ,PUBLIC) tcp 209.xxx.xxx.001 www 192.168.1.6 www netmask 255.255.255.255

This will only map TCP based connections on external port 80 to internal port 80 on 192.168.1.6.

Although I'm thinking that if you have http enabled on the ASA, it will still take over port 80 on all interfaces, so 209.x.x.1 won't have 80 available. If http isn't enabled, that shouldn't be an issue. http could be moved to a different port on the ASA if needed.
 
Thanks.

I believe I am already doing that elsewhere via ACL like this:

access-list public-dmz extended permit tcp any host 209.***.***.001 eq www
 
Thanks.

I believe I am already doing that elsewhere via ACL like this:

access-list public-dmz extended permit tcp any host 209.***.***.001 eq www

ACL and NAT are two different things on the ASA. I believe it checks the ACL first then the NAT rules are applied. It's been awhile since I worked on an ASA.
 
ACL and NAT are two different things on the ASA. I believe it checks the ACL first then the NAT rules are applied. It's been awhile since I worked on an ASA.

I haven't worked with the ASA, mainly other Cisco warez, but you're right that ACLs have first priority in getting a rule matched. If a rule matches (i.e. deny/allow a subnet or translate a specific subnet through NAT), then a subnet belonging to the matched source or destination gets translated through NAT if the rule is allowed. This is the standard that Cisco has set.

Usually you'd only have a static route configured from the WAN/ISP end to the demarcation point of the company's premises; internal routes and subnet address translation can be done through NAT with PAT when packets go out of the company's network or into the company's network.

Not sure I'm on topic with what the OP is talking about.
 
There is no NAT involved at all.

I have it 95% working but the last 5% isn't so we're bringing in a contractor Monday to assist. We'll probably upgrade the software past 8.4 and re-write the entire thing.

The primary problem is that we are doing things that the Cisco documentation does not give examples of. They tell you how to do it, but not with many examples. And in this case I don't have the time at the moment to pore through the couple hundred pages of ASA A-Z.

I think part of the problem is we are using software version 8.25 which makes inside to DMZ communication painful unless you do use NAT. 8.3 fixes that goofness and introduces the object orientated model. Needless to say the contractor will probably have this straightened out in less than 10 minutes....or he'll get pissed off at 8.25 and we'll load something newer and then it'll be done 10 minutes later.

I've been spending my time up to my eyeballs in VMware stuff and this mess was dropped on me last minute. Sad thing is that if I flushed the entire config and just used NAT, I think this would have been done 4 days ago. I'll consider this my intro to Cisco ASA training.
 
So nobody gets confused with terminology like our friend here.

This is a static 1:1 NAT entry: static (DMZ,PUBLIC) 209.xxx.xxx.002 192.168.1.2 netmask 255.255.255.255

This is a firewall ACL entry: access-list public-dmz extended permit tcp any host 209.***.***.001 eq www

This is a "port forward" NAT entry: static (i****,o****) tcp 1.1.1.1 www 10.10.10.10 www netmask 255.255.255.255



And as far as the OP's question the ASA won't let you do a 1:1 NAT on an interface address. You can, however, do a "port forward" entry on interface addresses. You just have to remember if you want to use 443 you need to change the ASDM server port.
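As an added example (not from this thread or from Cisco), a small Python audit that encodes the two points made in the post above: it parses ASA 8.2 `static` lines and the `ip address` of each `nameif`, reports a 1:1 static whose global address is an interface address (the form the ASA refuses), and flags a per-port static on an interface address whose port is also the ASDM port (443, only when `http server enable` is present for that interface). The sample config is constructed with TEST-NET-3 addresses and assumes the outside interface's nameif matches the name used in the static entries; it checks only the ASDM port, not SSH.

```python
import re

# Constructed sample modelled on the thread's ASA 8.2 config (TEST-NET-3 addresses, not real).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.1 255.255.255.0
http server enable
http 0.0.0.0 0.0.0.0 outside
static (DMZ,outside) 203.0.113.2 192.168.1.2 netmask 255.255.255.255
static (DMZ,outside) tcp 203.0.113.1 www 192.168.1.6 www netmask 255.255.255.255
static (DMZ,outside) tcp 203.0.113.1 https 192.168.1.6 https netmask 255.255.255.255
static (DMZ,outside) 203.0.113.1 192.168.1.8 netmask 255.255.255.255
"""
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ONE_TO_ONE = re.compile(rf"^static \((\w+),(\w+)\) ({IP}) ({IP}) netmask")
PORT_FWD = re.compile(rf"^static \((\w+),(\w+)\) (tcp|udp) ({IP}) (\S+) ({IP}) (\S+) netmask")

def parse(config):
    """Return (interface IP by nameif, management ports by nameif, static entries)."""
    if_ips, mgmt, statics, nameif = {}, {}, [], None
    http_enabled = "http server enable" in config
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        if line.startswith("nameif "):
            nameif = words[1]
        elif line.startswith("ip address ") and nameif:
            if_ips[nameif] = words[2]
        elif line.startswith("http ") and len(words) == 4 and http_enabled:
            mgmt.setdefault(words[3], set()).add(443)  # ASDM's default port on that interface
        elif m := ONE_TO_ONE.match(line):
            statics.append(("1:1", m[2], m[3], None, m[4]))
        elif m := PORT_FWD.match(line):  # (proto, mapped_if, global, port, local)
            statics.append((m[3], m[2], m[4], PORT_NAMES.get(m[5]) or int(m[5]), m[6]))
    return if_ips, mgmt, statics

def audit(config):
    """Flag statics whose global address is the mapped interface's own address."""
    if_ips, mgmt, statics = parse(config)
    findings = []
    for proto, mapped_if, global_ip, port, local_ip in statics:
        if global_ip != if_ips.get(mapped_if):
            continue  # a spare public address: no interface conflict
        if proto == "1:1":  # the ASA refuses this form on an interface address
            findings.append(f"REJECT: 1:1 static {global_ip} -> {local_ip} uses the {mapped_if} interface address")
        elif port in mgmt.get(mapped_if, set()):
            findings.append(f"CONFLICT: {proto}/{port} on {global_ip} is also a management port on {mapped_if}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the https port forward (it collides with ASDM on 443) and the 1:1 static on .1, while the www port forward on the interface address passes.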
 
We ended up calling in a CCNP consultant to get us up and running.

The sad part was that my solution almost worked. My issue was that the subnet mask(s) in the ACLs were not correct for intercommunication between security interfaces.

We're fixed now.

Thanks,

Mackintire
 