Configuring NAT for a Public Server Using Same Outside Interface

In this scenario, you have a site with an ASA 5505 and one public IP address. You have just a few users and a web server you want the public to access from the Internet. In other words, this is port forwarding: the single public address is shared between outbound PAT for the users and a TCP/80 static translation for the web server. The requirements:

  • Allow Inside users to access the Internet.
  • Allow Inside Web server to serve http services to the Internet.
  • Allow Outside users to visit your Web server.
From the ASA command line, create objects for your Inside network and your web server:
LAB-ASA5505-01# conf t
LAB-ASA5505-01(config)# object network INSIDE-SUBNET
LAB-ASA5505-01(config-network-object)# subnet 172.20.10.0 255.255.255.0
LAB-ASA5505-01(config-network-object)# exit
LAB-ASA5505-01(config)# object network WWW-SERVER
LAB-ASA5505-01(config-network-object)# host 172.20.10.100
LAB-ASA5505-01(config-network-object)# exit
Then you configure NAT so your Inside users can browse the web:
LAB-ASA5505-01(config)# object network INSIDE-SUBNET
LAB-ASA5505-01(config-network-object)# nat (inside,outside) dynamic interface
Everything is looking good. Everyone is happy. Now it’s time to show the world your website by creating a static NAT entry for your web server on your one and only public IP address. Because that address is already used for the dynamic PAT above, the static translation must be limited to a single port so only TCP/80 is forwarded to the server:
LAB-ASA5505-01(config)# object network WWW-SERVER
LAB-ASA5505-01(config-network-object)# nat (inside,outside) static interface service tcp 80 80
Configure an access list that permits Outside traffic to TCP port 80 (HTTP) on the web server and apply it inbound on the Outside interface. On ASA 8.3 and later the access list references the real (untranslated) object, WWW-SERVER, not the public address:
LAB-ASA5505-01(config)# access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
LAB-ASA5505-01(config)# access-group Outside_access_in in interface Outside
Verify your NAT configuration and test:
LAB-ASA5505-01# show nat
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source static WWW-SERVER interface service tcp www www
 translate_hits = 0, untranslate_hits = 2
2 (Inside) to (Outside) source dynamic INSIDE-SUBNET interface
 translate_hits = 6, untranslate_hits = 0
You can also see the hit count on the access list:
LAB-ASA5505-01# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
 alert-interval 300
access-list Outside_access_in; 2 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x24ee277f
access-list Outside_access_in line 2 extended permit tcp any object WWW-SERVER eq www (hitcnt=4) 0xb7fcf341
 access-list Outside_access_in line 2 extended permit tcp any host 172.20.10.100 eq www (hitcnt=4) 0xb7fcf341
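The verification step above is easy to eyeball once, but on a box with many translations it helps to check it mechanically. The following is an added example, not part of the original post: it parses the `show nat` and `show access-list` output quoted above (embedded below as constructed sample text), confirms that the static translation for WWW-SERVER is receiving inbound (untranslate) hits and that a permit ACE references the same real object and port, and lists permit entries with zero hits so they can be reviewed. The regexes are written for the Auto NAT and extended-ACE line formats shown on this page; other ASA output formats are not handled.

```python
import re

# Constructed sample: the 'show nat' output quoted in the post above.
SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source static WWW-SERVER interface service tcp www www
 translate_hits = 0, untranslate_hits = 2
2 (Inside) to (Outside) source dynamic INSIDE-SUBNET interface
 translate_hits = 6, untranslate_hits = 0
"""

# Constructed sample: the 'show access-list' output quoted in the post above.
SHOW_ACL = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
 alert-interval 300
access-list Outside_access_in; 2 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x24ee277f
access-list Outside_access_in line 2 extended permit tcp any object WWW-SERVER eq www (hitcnt=4) 0xb7fcf341
 access-list Outside_access_in line 2 extended permit tcp any host 172.20.10.100 eq www (hitcnt=4) 0xb7fcf341
"""

# One Auto NAT policy line; 'service <proto> <real> <mapped>' appears only for port forwards.
NAT_RULE_RE = re.compile(
    r"^\d+ \((?P<src>[^)]+)\) to \((?P<dst>[^)]+)\) source (?P<kind>static|dynamic) "
    r"(?P<obj>\S+) (?P<mapped>\S+)"
    r"(?: service (?P<proto>\S+) (?P<real_port>\S+) (?P<mapped_port>\S+))?$"
)
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

# A top-level ACE. Expanded object entries are indented and therefore skipped,
# so their hits are not double counted.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<rest>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_show_nat(text):
    """Return one dict per NAT policy with integer hit counters attached."""
    rules, current = [], None
    for line in text.splitlines():
        m = NAT_RULE_RE.match(line)
        if m:
            current = m.groupdict()
            current["translate_hits"] = current["untranslate_hits"] = 0
            rules.append(current)
            continue
        h = HITS_RE.search(line)
        if h and current is not None:
            current["translate_hits"] = int(h.group(1))
            current["untranslate_hits"] = int(h.group(2))
    return rules


def parse_show_acl(text):
    """Return one dict per top-level ACE with integer line and hit counts."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            ace = m.groupdict()
            ace["line"] = int(ace["line"])
            ace["hits"] = int(ace["hits"])
            aces.append(ace)
    return aces


def check_port_forward(nat_text, acl_text, obj_name, port):
    """Confirm the static NAT for obj_name exists and is being hit from Outside
    (untranslate_hits), and that an inbound permit ACE names the same real object
    and port (ASA 8.3+ ACLs match the real address, not the mapped one)."""
    static = [r for r in parse_show_nat(nat_text)
              if r["kind"] == "static" and r["obj"] == obj_name]
    permits = []
    for ace in parse_show_acl(acl_text):
        tokens = ace["rest"].split()
        if ace["action"] == "permit" and obj_name in tokens and tokens[-2:] == ["eq", port]:
            permits.append(ace)
    return {
        "static_rule_present": bool(static),
        "inbound_hits": static[0]["untranslate_hits"] if static else 0,
        "acl_permit_present": bool(permits),
        "acl_hits": sum(a["hits"] for a in permits),
    }


def unused_permits(acl_text):
    """Permit ACEs with zero hits: worth reviewing before they become forgotten holes."""
    return [(a["name"], a["line"], a["rest"])
            for a in parse_show_acl(acl_text)
            if a["action"] == "permit" and a["hits"] == 0]


if __name__ == "__main__":
    print(check_port_forward(SHOW_NAT, SHOW_ACL, "WWW-SERVER", "www"))
    print(unused_permits(SHOW_ACL))
```

Run it against the sample and it reports the static rule present with 2 inbound hits and the matching ACE with 4 hits; the ICMP echo-reply permit on line 1, which has never been hit, is listed for review. Note that the ASA prints port 80 as `www`, so that is the port name to pass.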

How do you configure this in ASDM?

Create your object in ASDM and click on the NAT dropdown. Enable Add Automatic Address Translation Rules and select Static as the type. Your translated address will be the Outside interface. Then click on Advanced at the bottom.
ASDM NAT Port Forwarding
Select the source interface and the destination interface.


Fixing HTTPS Issues on the ASA

I was working on a Cisco ASA this week and came across an issue where I was unable to access the secure web server. The ASA was configured to have the HTTP server enabled and I also allowed the interesting traffic to reach it via HTTPS.

Displaying the version resulted in the following licensing table:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 250            perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

Notice that I am not licensed for VPN-3DES-AES. This is a problem for me now and when I try to configure VPN. I was pretty damn sure that the Security Plus license came with encryption. I shouted out to the Twitter community hoping someone had come across the same issue.

I quickly got a response from @layer_3 who came up with the solution on Cisco’s support forums.

You’ll need your ASA serial number to request a special VPN-3DES-AES license activation code. Then add the activation code on the ASA:

ciscoasa# config t
ciscoasa(config)# activation-key xxxx xxxx xxxx xxxxx

Once the new key is activated, type show version.

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual

Now we have VPN-3DES-AES enabled. But I found that I still couldn’t access the ASA via HTTPS.

The resolution is to enable the stronger SSL ciphers, which the new license now permits, with this command:

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

If you notice that some of my features were disabled, it’s because I incorrectly typed in my activation key.
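Two checks would have shortened this troubleshooting: comparing the license table before and after the activation key (which would have flagged AnyConnect Essentials going from 250 to Disabled), and confirming that every cipher in the `ssl encryption` line is actually licensed. The following is an added example, not part of the original post: it parses the `Licensed features` table from `show version` (embedded below as constructed, abridged copies of the two tables above) and applies both checks. The rule that 3DES and AES SSL ciphers depend on the VPN-3DES-AES feature is an assumption drawn from the fix described in this post; RC4 and DES ciphers are not gated by this check.

```python
import re

# Constructed samples: the two 'show version' license tables from the post,
# before and after the VPN-3DES-AES activation key was applied (abridged).
LICENSE_BEFORE = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 250            perpetual
Total VPN Peers                   : 250            perpetual
"""

LICENSE_AFTER = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Total VPN Peers                   : 250            perpetual
"""

# "<feature name>   : <value>   <term>"; the header line has no value and is skipped.
FEATURE_RE = re.compile(r"^(?P<name>\S.*?)\s+:\s+(?P<value>\S+)\s+(?P<term>\S+)\s*$")

# Assumption drawn from the post: 3DES and AES SSL ciphers need the VPN-3DES-AES
# feature. DES and RC4 ciphers are not gated by this check.
NEEDS_3DES_AES = re.compile(r"^(3des|aes)", re.IGNORECASE)


def parse_licensed_features(text):
    """Map feature name -> {'value': ..., 'term': ...} from a 'show version' license table."""
    features = {}
    for line in text.splitlines():
        m = FEATURE_RE.match(line)
        if m:
            features[m.group("name")] = {"value": m.group("value"), "term": m.group("term")}
    return features


def unlicensed_ssl_ciphers(features, ssl_encryption_cmd):
    """Ciphers in an 'ssl encryption ...' command that the current license does not
    allow the ASA to negotiate. With only DES licensed, every 3DES/AES entry is
    unusable, which is what leaves HTTPS management unreachable from modern clients."""
    tokens = ssl_encryption_cmd.split()
    if tokens[:2] != ["ssl", "encryption"]:
        raise ValueError("expected an 'ssl encryption <cipher> ...' command")
    strong_ok = features.get("VPN-3DES-AES", {}).get("value") == "Enabled"
    return [c for c in tokens[2:] if NEEDS_3DES_AES.match(c) and not strong_ok]


def license_changes(before, after):
    """Feature values that differ between two tables: catches a feature that an
    activation key unexpectedly turned off, as well as the one it turned on."""
    names = sorted(set(before) | set(after))
    return {n: (before.get(n, {}).get("value"), after.get(n, {}).get("value"))
            for n in names
            if before.get(n, {}).get("value") != after.get(n, {}).get("value")}


def required_features_missing(features, required=("VPN-3DES-AES",)):
    """Required features that are absent from the table or not 'Enabled'."""
    return [n for n in required if features.get(n, {}).get("value") != "Enabled"]


if __name__ == "__main__":
    before = parse_licensed_features(LICENSE_BEFORE)
    after = parse_licensed_features(LICENSE_AFTER)
    cmd = "ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1"
    print("unlicensed before:", unlicensed_ssl_ciphers(before, cmd))
    print("unlicensed after: ", unlicensed_ssl_ciphers(after, cmd))
    print("changed by key:   ", license_changes(before, after))
```

Against the sample tables, the "before" license leaves `aes128-sha1`, `aes256-sha1` and `3des-sha1` unusable, the "after" license allows all four ciphers, and the diff shows both the intended change (VPN-3DES-AES Disabled to Enabled) and the unintended one (AnyConnect Essentials 250 to Disabled).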
