ASA5515 v8.6(1)2 NAT dmz public server
Could I get a validation that this config is correct in that it allows inbound access to the web server
and that I should be able to ping it from my inside interface.
I tried to use the example code from Cisco DocID: 115904 for DMZ WebServer, but I found the
object NAT parts did not work with my 8.6 IOS so I modified them as shown in my config.
Example from 115904 doc.
object network WebServerPublic
host 24.25.26.80
object network WebServerPrivate
host 192.168.1.80
nat(dmz,outside) static WebServerPublic service tcp www www ---> this does not code
With the below code I do not get a ping reply sourcing from a 10.1.0.X host to 192.168.1.80 web server.
And I cannot browse in from the outside to it either.
I do see the MAC for 192.168.1.80 in the ASA's arp cache for the dmz interface.
The web server is on a VMware ESX environment and I'm not sure it is set up correctly.
ASA Version 8.6(1)2
hostname A5515
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 24.25.26.254 255.255.255.240
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.0.252 255.255.240.0
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.1.254 255.255.255.0
object network N_OBJ_10.1.0.0_20
subnet 10.1.0.0 255.255.240.0
object network N_OBJ_10.24.0.0_18
subnet 10.24.0.0 255.255.192.0
object network DNSServer
host 10.24.0.86
object network WebServerPrivate
host 192.168.1.80
object network WebServerPublic
host 24.25.26.246
object network N_OBJ_DMZ_24
subnet 192.168.1.0 255.255.255.0
object-group network CampusNetworks
network-object 10.1.0.0 255.255.240.0
network-object 10.24.0.0 255.255.192.0
access-list outside_access_in extended permit tcp any object WebServerPrivate eq https
access-list outside_access_in extended permit tcp any object WebServerPrivate eq www
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks echo-reply
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks unreachable
access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks time-exceeded
access-list dmz_access_in extended permit udp any object DNSServer eq domain
access-list dmz_access_in extended deny ip any object-group CampusNetworks
access-list dmz_access_in extended permit ip any any
nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
nat (dmz,outside) source static WebServerPrivate WebServerPublic
nat (inside,dmz) source static CampusNetworks CampusNetworks
nat (inside,outside) after-auto source dynamic CampusNetworks interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 24.25.26.241 1
route inside 10.24.0.0 255.255.192.0 10.1.0.254 1
Thanks
Hi,
You have some conflicting NAT configurations
For example you have this
nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
This overrides your Static PAT configuration that you are trying to achieve
Also one note regarding one of your NAT configurations
nat (inside,dmz) source static CampusNetworks CampusNetworks
You don't need NAT between local interfaces. No NAT is done by default. So the traffic between "dmz" and "inside" should go through untranslated without any need for NAT configurations.
If you want, you could change your current configurations to the following. Note that you would have to remove your existing NAT configurations.
object-group network DEFAULT-PAT-SOURCE
network-object 10.1.0.0 255.255.240.0
network-object 10.24.0.0 255.255.192.0
network-object 192.168.1.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The above configuration handles the Default PAT for all your networks. Both "dmz" and "inside".
object network WEB-SERVER
host 192.168.1.80
nat (dmz,outside) static interface service tcp 80 80
access-list outside_access_in permit tcp any object WEB-SERVER eq 80
access-list outside_access_in permit tcp any object WEB-SERVER eq 443
The above does the Static PAT (or Port Forward) for your DMZ server and allows the traffic on the ACL.
- Jouni
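To make the ordering point in the reply concrete, here is an added example, not code from this thread or from Cisco: a small Python model of how an ASA 8.3+ searches its NAT table (Section 1 manual NAT in configuration order, then Section 2 object NAT with static before dynamic, then Section 3 after-auto), applied to the poster's original rules and to the replacement rules above. Run against the original rules it shows the dynamic PAT at the top of Section 1 being chosen for the web server's own outbound connections instead of the static rule below it; run against the corrected rules it translates TCP/80 in both directions and falls back to the default PAT for everything else. The names `NatRule`, `ORIGINAL`, `CORRECTED`, `outbound`, `inbound` and the rule labels are the example's own; it only models source-side matching, host statics and static PAT on one TCP port, and ignores ACLs, destination-based manual NAT and the finer Section 2 tie-breakers.

```python
# Added example (not from the thread or from Cisco): a simplified model of the
# ASA 8.3+ NAT rule search, used to check the original and the corrected rules.
# Assumptions: Section 1 and 3 are searched in configuration order, Section 2
# puts static before dynamic and then longer real prefixes first; only source-side
# matching, host statics and static PAT on one TCP port are modelled; ACLs and
# destination-based manual NAT are ignored.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

OUTSIDE_IF_IP = "24.25.26.254"   # outside interface address in the poster's config


@dataclass
class NatRule:
    name: str
    section: int                # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT after-auto
    real_if: str                # real-side interface, or "any"
    mapped_if: str              # mapped-side interface
    real_src: Tuple[str, ...]   # real source networks (an object or object-group), CIDR
    kind: str                   # "static" or "dynamic"
    mapped_ip: str              # mapped address; "interface" means the mapped interface IP
    port: Optional[int] = None  # static PAT on this TCP port; None = all ports

    def mapped_addr(self) -> str:
        return OUTSIDE_IF_IP if self.mapped_ip == "interface" else self.mapped_ip

    def covers(self, ip: str) -> bool:
        return any(ip_address(ip) in ip_network(n) for n in self.real_src)


def evaluation_order(rules):
    """Order rules the way the ASA searches the NAT table."""
    def key(item):
        pos, r = item
        if r.section == 2:
            longest = max(ip_network(n).prefixlen for n in r.real_src)
            return (2, 0 if r.kind == "static" else 1, -longest, pos)
        return (r.section, 0, 0, pos)
    return [r for _, r in sorted(enumerate(rules), key=key)]


def outbound(rules, real_if, mapped_if, src_ip, src_port):
    """First rule translating a new flow that leaves real_if toward mapped_if.
    Returns (rule name, mapped address), or None when nothing translates it."""
    for r in evaluation_order(rules):
        if r.real_if not in ("any", real_if) or r.mapped_if != mapped_if:
            continue
        if not r.covers(src_ip):
            continue
        if r.port is not None and r.port != src_port:
            continue
        return r.name, r.mapped_addr()
    return None


def inbound(rules, mapped_if, dst_ip, dst_port):
    """Untranslate a new connection arriving on mapped_if for dst_ip:dst_port.
    Only a static rule lets unsolicited inbound traffic through; dynamic PAT
    never does. Returns (rule name, real server address) or None."""
    for r in evaluation_order(rules):
        if r.kind != "static" or r.mapped_if != mapped_if or r.mapped_addr() != dst_ip:
            continue
        if r.port is not None and r.port != dst_port:
            continue
        nets = [ip_network(n) for n in r.real_src]
        if len(nets) != 1 or nets[0].num_addresses != 1:   # host statics only
            continue
        return r.name, str(nets[0].network_address)
    return None


# The poster's manual NAT rules in configuration order (the inside<->dmz identity
# NAT is left out: it does not touch the dmz->outside path).
ORIGINAL = [
    NatRule("dmz-dynamic-pat", 1, "dmz", "outside", ("192.168.1.0/24",), "dynamic", "interface"),
    NatRule("webserver-static", 1, "dmz", "outside", ("192.168.1.80/32",), "static", "24.25.26.246"),
    NatRule("inside-pat-after-auto", 3, "inside", "outside", ("10.1.0.0/20", "10.24.0.0/18"),
            "dynamic", "interface"),
]

# The replacement from the reply: object NAT static PAT for TCP/80 on the interface
# address, plus one after-auto default PAT for all three networks.
CORRECTED = [
    NatRule("web-server-object-nat", 2, "dmz", "outside", ("192.168.1.80/32",), "static",
            "interface", port=80),
    NatRule("default-pat", 3, "any", "outside",
            ("10.1.0.0/20", "10.24.0.0/18", "192.168.1.0/24"), "dynamic", "interface"),
]

if __name__ == "__main__":
    print("original, web server :80 leaving dmz ->", outbound(ORIGINAL, "dmz", "outside", "192.168.1.80", 80))
    print("corrected, web server :80 leaving dmz ->", outbound(CORRECTED, "dmz", "outside", "192.168.1.80", 80))
    print("corrected, web server other port      ->", outbound(CORRECTED, "dmz", "outside", "192.168.1.80", 51000))
    print("corrected, inbound to interface :80   ->", inbound(CORRECTED, "outside", OUTSIDE_IF_IP, 80))
    print("corrected, inbound to interface :443  ->", inbound(CORRECTED, "outside", OUTSIDE_IF_IP, 443))
```

One check worth keeping from the model: with the corrected rules the inbound lookup for port 443 returns nothing, because the object NAT only forwards TCP/80, so the `eq 443` ACL entry by itself does not expose HTTPS; a second network object with its own static PAT entry for 443 would be needed for that. On a real ASA the same questions are answered by `packet-tracer` and `show nat detail`, which print the section and rule that matched.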
Similar Messages
-
Static NAT Question - Public to Inside ASA 9.1x
Hi All.. I'm having hard time wrapping my head around the post 8.2 nat statements, please help.
I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses (this is a video streaming relay server). It also needs to be able to push the stream to a specific IP address as well. I can do identity NAT, and it'll go out and I see it's using the IP, but obviously traffic doesn't get in... I can use sample web server NATs I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:
Remote Public IP's: 77.88.99.11
Local Public IP: 12.12.12.1
Ports required:
object-group service srvgp-stream-remote
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 8088
service-object tcp destination eq 1935
service-object udp destination range 6970 9999
service-object udp destination range 30000 65000
service-object udp destination eq 554
I can get this to work:
object network server-external-ip
host 12.12.12.1
object network webserver
host 192.168.1.100
nat (dmz,outside) static server-external-ip service tcp 8088 8088
access-list acl-outside extended permit tcp host 77.88.99.11 object AngelEye eq 8088
But again, I have no idea how I would do such a thing with a list of required ports? I don't see that's an option in the syntax. Additionally, would this provide an 'identity nat' in case the server had to send info out to the public IP via these same ports, or do you require a separate identity NAT to do this to the same public IP addresses?
Any help is greatly appreciated.
With that many ports, you should use the public IP exclusively for the Webserver:
object network webserver
host 192.168.1.100
nat (dmz,outside) static server-external-ip
If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:
nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote -
Configuring a5505 setup public server + DMZ
Please bear with me, as am I utter new to the a5505 and Cisco products in general.
Setup:
LAN (192.168.1.X, with .3 as gateway)
DMZ (192.168.2.X with .1 as gateway)
WAN (X.X.X.146 as primary public IP, .145 as gateway and .147-150 as additional public IPs)
I want to set it up so that X.146 is where all my outbound traffic appears to originate.
I want tcp HTTPS and SMTP to be allowed from the WAN (via the X.147 IP) to a specific server (192.168.1.11) on the LAN.
Also, HTTP traffic to X.148, X.149 and X.150 should go to DMZ and 192.168.2.8, 192.168.2.15 and 192.168.2.18 respectively, but I haven't added that to my config yet. Looking to get the HTTPS and SMTP ones working first, then I'll fix the others (one step at a time)
I've got contact with the outside world when I've configured it using the ASDM's "Public Server" interface, but it refuses to properly establish the connection, I get a "SYN timeout".
I'm sure it is a simple mistake I've made someplace, but some of this stuff is Greek to me so far, I must admit..
My config:
: Saved
ASA Version 8.2(5)
hostname kcisco
enable password X encrypted
passwd X encrypted
names
name X.X.X.144 outside-network
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 5
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.146 255.255.255.248
interface Vlan5
description DMZ interface
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
ftp mode passive
clock timezone GMT 0
object-group service DM_INLINE_SERVICE_0
service-object gre
service-object tcp eq pptp
service-object udp eq isakmp
service-object udp eq 1701
service-object udp eq 1723
service-object udp eq 4500
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
port-object eq https
port-object eq smtp
access-list outside_access extended permit tcp any object-group DM_INLINE_TCP_3 host X.X.X.147 object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.147 192.168.1.11 netmask 255.255.255.255
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cc8458013e545e2e7ba1e2c0caa3dd6a
: end
no asdm history enable
Thanks, fixed that at least.
But still no further in getting the connection to be established.
I see this in my logs:
6 Oct 09 2012 15:29:22 Z.Z.Z.Z 42061 192.168.1.11 443 Built inbound TCP connection 1064 for outside:Z.Z.Z.Z/42061 (Z.Z.Z.Z/42061) to inside:192.168.1.11/443 (X.X.X.147/443)
6 Oct 09 2012 15:29:52 Z.Z.Z.Z 42061 192.168.1.11 443 Teardown TCP connection 1064 for outside:Z.Z.Z.Z/42061 to inside:192.168.1.11/443 duration 0:00:30 bytes 0 SYN Timeout
(Z.Z.Z.Z is the outside host I am testing from)
(I've connected the mailserver to the firewall and configured it to use the FW gateway (192.168.1.3) -
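The two log lines quoted above are the useful evidence in this thread, so here is an added example (not from the thread or from Cisco) that parses ASA connection build and teardown messages in the same ASDM display format and flags inbound connections that were torn down with `SYN Timeout` and zero bytes. The sample lines are constructed, with documentation addresses (203.0.113.x, 198.51.100.x) standing in for the redacted X.X.X.X and Z.Z.Z.Z; `analyze` and `summarize` are the example's own names.

```python
# Added example (not from the thread): find inbound connections the ASA built but
# the server never answered, from syslog lines in the ASDM display format.
import re
from collections import Counter

BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for .* duration (?P<duration>\d+:\d+:\d+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def analyze(lines):
    """Pair Built/Teardown messages by connection id and return the inbound
    connections that died with 'SYN Timeout' and no payload bytes."""
    built = {}
    findings = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            built[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if not m or m["id"] not in built:
            continue
        b = built.pop(m["id"])
        if b["direction"] == "inbound" and m["reason"] == "SYN Timeout" and m["bytes"] == "0":
            findings.append({
                "conn": m["id"],
                "client": f'{b["src"]}:{b["sport"]}',
                "mapped": f'{b["mapped"]}:{b["mport"]}',
                "server": f'{b["dst"]}:{b["dport"]}',
                "server_if": b["dst_if"],
            })
    return findings


def summarize(findings):
    """Count SYN timeouts per real server:port; the ACL and NAT already accepted
    these packets, so a non-zero count points at the host, not at the firewall."""
    return Counter(f["server"] for f in findings)


# Constructed sample lines (documentation addresses stand in for the redacted ones)
SAMPLE_LOG = [
    "6 Oct 09 2012 15:29:22 203.0.113.7 42061 192.168.1.11 443 Built inbound TCP connection 1064 "
    "for outside:203.0.113.7/42061 (203.0.113.7/42061) to inside:192.168.1.11/443 (198.51.100.147/443)",
    "6 Oct 09 2012 15:29:40 192.168.1.20 51522 203.0.113.9 80 Built outbound TCP connection 1065 "
    "for inside:192.168.1.20/51522 (198.51.100.146/51522) to outside:203.0.113.9/80 (203.0.113.9/80)",
    "6 Oct 09 2012 15:29:41 192.168.1.20 51522 203.0.113.9 80 Teardown TCP connection 1065 "
    "for inside:192.168.1.20/51522 to outside:203.0.113.9/80 duration 0:00:01 bytes 5230 TCP FINs",
    "6 Oct 09 2012 15:29:52 203.0.113.7 42061 192.168.1.11 443 Teardown TCP connection 1064 "
    "for outside:203.0.113.7/42061 to inside:192.168.1.11/443 duration 0:00:30 bytes 0 SYN Timeout",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"conn {f['conn']}: {f['client']} -> {f['mapped']} translated to "
              f"{f['server']} on {f['server_if']}, no SYN/ACK within the timeout")
    print(summarize(analyze(SAMPLE_LOG)))
```

A Built message means both the interface ACL and the NAT rule accepted the SYN, so a zero-byte SYN Timeout on the same connection id says the SYN/ACK never came back to the firewall. The next checks are therefore on the server side: its default gateway, a host firewall, whether anything is listening on 443, and a packet capture on the inside interface to confirm the translated SYN actually leaves the ASA.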
Nat (DMZ,outside) source dynamic any interface
Hi Everyone,
Need to confirm NAT statement below
nat (DMZ,outside) source dynamic any interface in version 9.1.
So above line means NAT from DMZ to outside.
Need to know that source here means that we are NATing IP from DMZ?
any interface means NAT IP will be of outside interface IP?
Regards
Mahesh
Hi Mahesh,
The below NAT configuration
nat (DMZ,outside) source dynamic any interface
Means the following
The NAT configuration is for connections between "DMZ" and "outside". Basically for connections FROM "DMZ" to "outside"
The translation is a "dynamic" translation
It accepts "any" source address from behind the "DMZ" interface
It uses the "outside" "interface" IP address as the PAT address
So it's a basic Dynamic PAT translation for the hosts behind the "DMZ" interface and accepts any source address/network you might have behind "DMZ"
- Jouni -
Am I correct that I need to NAT a public address to the private address of
my Windows server in order to have a fully functional Exchange server
in-house?
My ISP tells me I can give them the required information and they will
switch from them providing email to us handling it in-house but I have never
done this before.
TIA for any pointers.
-S-
Steve,
> Am I correct that I need to NAT a public address to the private address of
> my Windows server in order to have a fully functional Exchange server
> in-house?
in general, yes.
> My ISP tells me I can give them the required information and they will
> switch from them providing email to us handling it in-house but I have never
> done this before.
I tend to be very skeptical about ISP's skills, therefore I'd be careful
about what they say and recommend. It's up to you (since you're the one
who has been dealing with them before) to decide if they're experienced
and trustworthy enough :-)
Said that, there is a configuration that allows you to retrieve your
messages from the ISP regularly, without having your server being
directly accessible through a public IP address (think about a PO box
instead of your standard mailbox in front of your house).
Essentially the ISP stores the incoming messages for you, and your
server will "get them" at regular intervals. Since the connection is
initiated by your server, you don't need to have a public IP address.
(you don't need a public IP address to SEND e-mails, so that's not an
issue).
I've never ran a mail server in this configuration, since it's usually
more typical for very small businesses, but it's possible.
Cat
NSC Volunteer Sysop -
Cisco ASA 9.1(1) Cannot Ping Public Server
Cisco ASA 9.1(1) I have defined a public server. Ping from outside fails. Packet Tracer shows the following:
Thank you for responding, Vibhor: Here are the pertinent NAT statements in my running configuration:
object network Grede-Test-Server
host xx.xx.xx.xx (Public IP Address)
description Grede Test Server Menocon
object network Grede-Test-Server-Private
host 10.1.104.21
description Grede-Test Server
nat (Inside-Test,Outside) source static Grede-Test-Server-Private Grede-Test-Server
Cheers,
M. -
Client Installation on DMZ workgroup server
Hi,
Please let me know how the DMZ workgroup client communicate with SCCM 2012 server which is in domain.
Also what client installation properties we need to mentioned while manully installing the client on DMZ workgroup server.
Whether PKI certificate will required for authentication?
I thing only http 80 port will required for communication, please correct if I am wrong.
Please suggest.
Regards
Parag
A client in a workgroup and / or DMZ has the same port requirements as any other client. For a complete list see:
http://technet.microsoft.com/en-us/library/hh427328.aspx;
For some guidance on installing a client on a workgroup server see:
http://technet.microsoft.com/en-us/library/gg712298.aspx;
It's not a ConfigMgr requirement that a client in a workgroup requires a PKI certificate.
The key is that the clients in the dmz can communicate and resolve the management point.
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude -
Connect clients to public server!
Hi everybody!
I want to connect clients to one public server. I read SAP material and they state that SAP Business One does not support Microsoft Windows XP operating system in a server
configuration either as the SAP Business One Server or as a standalone system. I don't understand.
Could you explain for me!
Hello,
you are right. The XP can't be used as server, means that you use it as server standalone and there is no client. You must use server that its OS is W2K3 standard or enterprise edition.
Actually SBO server standalone means that you install SQL server 2005 developer edition, SBO server and license server. if you use another XP and install SBO client there, you will fail to connect to server standalone. This server standalone also means that it will not publish in the LAN or WAN system
Rgds, -
New BM3.9 Install - Site 2 Site via PAT/NAT/DMZ?
We are setting up 2 new BM3.9 VMs (initially for Site 2 Site VPN) for a client but their ADSL routers at each site only have single static IPs which are bound to the router's public address. I believe the routers are also providing 'Dynamic NAT' for outbound traffic.
Would it be possible to set-up a Site 2 Site VPN and perhaps get the Routers to pass all VPN traffic (either using PAT or an all traffic DMZ LAN scenario) to the BM Servers. I am presuming within the Site 2 Site config of VPN Server - Site A you would point it at the Public address of Router - Site B (instead of the BM Server Public).....and vice versa.
Any comments would be greatly appreciated.
Cheers,
Richard.
In article <[email protected]>, Rsargeant wrote:
> Would it be possible to set-up a Site 2 Site VPN and perhaps get the
> Routers to pass all VPN traffic (either using PAT or an all traffic DMZ
> LAN scenario) to the BM Servers. I am presuming within the Site 2 Site
> config of VPN Server - Site A you would point it at the Public address
> of Router - Site B (instead of the BM Server Public).....and vice
> versa.
>
Yes, it should work. While I've only configured one end of this (example
in my book of one BM server behind a Linksys port-forwarding router), it
should be ok to do on both ends. As long as you forward the proper ports
(or ALL traffic) to the BM, it will get the VPN traffic. The VPN
responses from the server tell the other side what public IP address to
use, which as you have surmised should be the public address of the
router in this case.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com *** -
NAT, DMZ single interface two firewalls... Create Edge topology
Hello,
I have a two firewall DMZ so I'm struggling to understand why the topology builder is asking me for the "Internal" IP of the edge server... the edge server is not internal (by design) it's in the perimeter network (DMZ) it does not
have an internal interface nor am I interested in giving it one (that's why I have firewalls).... Its NAT'd..
Is this explained somewhere ? How do I setup the topology wizard to understand my firewall configuration.. I see the NAT'd external IP.. obviously that's on the public side...
Thanks for help,
Steve Lithgow
Anthony's two posts win the PRIZE! Ben gets runner-up!
It still baffles me why it is necessary to have an additional network in my DMZ. You are not increasing your level of security by increasing the complexity (security by obfuscation). The internal network can have persistent routes to the
DMZ IP of the Edge Server as well as firewall rules governing traffic by source IP to the internal network from the DMZ. A host with two interfaces that becomes compromised is no more secure than one with a single interface. Our firewall rules
are not based on "networks" to from DMZ.. they are based on source/destination IP's.
So basically.. my point is MS should not ASSume a particular firewall configuration and force this via the Topology builder... just my .02
Can anyone tell me if MS is doing some memory level protection in the Edge server that masks the external facing process from internal ones or something really special? My guess is that the edge server is NOT ISA/TMG so......
To someone else's point.. that stated "You don't want the edge server to be your firewall" my response is you dang right ! But... in essence that is what you are doing by placing an internal interface on the edge server , firewall rules/routes
or not. That is what you are doing is creating a firewall leg on the edge server.
Thanks for all the FAST help! Though I'm still shaking my head a bit....
Steve Lithgow -
Need help setting up static NAT to internal server
One of my internal servers requires it to be available to the internet. I am having a hard time allowing it to be NATed through my Cisco 2801 router. It seems as though I'm missing something small. From what I can gather it seems as though it's an issue with the ACL, but I'm not sure. I have run the following command: ip nat inside source static tcp 192.168.5.1 ***WAN IP Address*** 8443 extendable Then I tried to add it to the ACL
via this command: access-list 150 permit tcp any host ***WAN IP Address*** eq 8443
Here is a copy of my config. Please advise. Thanks.
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Cisco 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 102 permit tcp any host public ip eq 8443
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
If you are planning to use the fa0/1 interface IP itself then the configuration would be:
ip nat inside source static tcp 172.19.3.133 8443 interface fa0/1 8443 extendable
Assuming that you would like to port forward TCP/8443.
Then the ACL should be written:
ip access-list extended 102
2 permit tcp any host eq 8443 -
Public Server on 2 external interfaces
I suspect this is relatively simple, but I'm brand new to the Cisco line (and to the forums), so my apologies if I'm unclear or in violation of forum etiquette.
I have an ASA5515 which will be using 2 external interfaces, and I need to make a single internal server available to the outside world on both interfaces. I can accomplish this easily for the main external interface (the faster circuit), but I'm running into issues getting connections through on the backup circuit. Here's the interface configuration:
interface GigabitEthernet0/0
description ISP-2
nameif backup
security-level 0
ip address 10.177.188.22 255.255.255.248
interface GigabitEthernet0/1
description ISP-1
nameif outside
security-level 0
ip address 10.131.225.158 255.255.255.240
interface GigabitEthernet0/2
description LAN
nameif inside
security-level 100
ip address 192.168.2.250 255.255.255.0
I'd like outside (internet) users to be able to make an HTTP request on port 80 to 10.131.225.146, which comes in GigabitEthernet 0/1, gets translated to the internal web server at 192.168.2.1:80, and then any response traffic leaves GigabitEthernet 0/1, looking to the user like it originated form 10.131.225.146.
Additionally, I'd like the same user to be able to make an HTTP request on port 80 to 10.177.188.18, which comes in GigabitEthernet0/0, goes through the above translation, and then response packets exit via GigabitEthernet0/0.
I've been able to get most of the above working, but when working on the NAT rule for the backup side, packet-tracer tells me that my NAT is fine (it NATs the packet from 192.168.2.1:80 to 10.177.188.18:80, but it wants to then route that packet through the outside interface (GigabitEthernet0/1)
While I've been able to find many references to this on-line (such as this blog post), they all appear to be outdated, using pre-8.3 syntax.
I suspect I'm close on this, but I can't seem to get that last piece to make everything 'click'. Any help would be greatly appreciated.
Basically you need three elements in your config:
An ACL-Entry on both interfaces allowing the needed traffic.
Two NAT-statements, one for each external interface.
A route to the Backup-NH with a higher AD.
object network SERVER-VIA-OUTSIDE
host 192.168.2.1
nat (inside,outside) static 10.131.225.146 service tcp 80 80
object network SERVER-VIA-BACKUP
host 192.168.2.1
nat (inside,backup) static 10.177.188.18 service tcp 80 80
access-list OUTSIDE-IN extended permit tcp any object SERVER-VIA-OUTSIDE eq 80
access-list BACKUP-IN extended permit tcp any object SERVER-VIA-BACKUP eq 80
access-group OUTSIDE-IN in interface outside
access-group BACKUP-IN in interface backup
route outside 0.0.0.0 0.0.0.0 NH-ON-OUTSIDE 1
route backup 0.0.0.0 0.0.0.0 NH-ON-BACKUP 100
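A quick way to catch the mistakes discussed in this thread before pushing the config, written as an added example (it is not Cisco code and not the poster's). It parses only the handful of commands used above (interface/nameif/ip address, object network/nat, access-group, route) and reports when an external interface carrying a static NAT has no inbound ACL bound, when the mapped address is off that interface's subnet, when an interface has two inbound access-groups, and when no default route leaves the interface. The next-hop addresses 10.131.225.145 and 10.177.188.17 are constructed stand-ins for NH-ON-OUTSIDE / NH-ON-BACKUP, and the misbound variant deliberately binds BACKUP-IN to outside:

```python
"""Lint an ASA 8.3+ style config for dual-ISP static NAT mistakes (added example)."""
import ipaddress
import re

NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+)")


def parse_asa(config):
    """Return interfaces, object NATs, inbound access-groups and default routes."""
    interfaces = {}      # nameif -> ip_interface (address + mask)
    nats = []            # (object name, real-side nameif, mapped-side nameif, mapped ip)
    access_groups = {}   # nameif -> [ACL names bound inbound]
    routes = {}          # nameif -> administrative distance of its default route
    cur_if = None        # nameif of the "interface" block being read
    cur_obj = None       # name of the "object network" block being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            cur_if, cur_obj = "", None
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif cur_if is not None and line.startswith("nameif "):
            cur_if = line.split()[1]
        elif cur_if and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            interfaces[cur_if] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif cur_obj and line.startswith("nat ("):
            m = NAT_RE.match(line)
            nats.append((cur_obj, m.group(1), m.group(2), m.group(3)))
        elif line.startswith("access-group "):
            parts = line.split()   # access-group NAME in interface NAMEIF
            access_groups.setdefault(parts[4], []).append(parts[1])
        elif line.startswith("route "):
            parts = line.split()   # route NAMEIF 0.0.0.0 0.0.0.0 NEXT-HOP [AD]
            if parts[2] == "0.0.0.0" and parts[3] == "0.0.0.0":
                routes[parts[1]] = int(parts[5]) if len(parts) > 5 else 1
    return interfaces, nats, access_groups, routes


def lint(config):
    """Return human-readable findings; an empty list means the config is consistent."""
    interfaces, nats, access_groups, routes = parse_asa(config)
    findings = []
    for nameif, acls in access_groups.items():
        if len(acls) > 1:
            findings.append(f"{nameif}: {len(acls)} inbound access-groups ({', '.join(acls)}); "
                            "an interface takes one inbound ACL, so the earlier binding is replaced")
    for obj, _real_if, mapped_if, mapped_ip in nats:
        iface = interfaces.get(mapped_if)
        if iface is None:
            findings.append(f"{obj}: mapped interface '{mapped_if}' is not defined")
            continue
        if ipaddress.ip_address(mapped_ip) not in iface.network:
            findings.append(f"{obj}: mapped address {mapped_ip} is outside {mapped_if}'s subnet "
                            f"{iface.network}; the ISP must route it to the ASA")
        if mapped_if not in access_groups:
            findings.append(f"{obj}: no inbound access-group on {mapped_if}; "
                            f"connections to {mapped_ip} hit the implicit deny")
        if mapped_if not in routes:
            findings.append(f"{obj}: no default route out {mapped_if}; "
                            "replies would be routed out another interface")
    ads = list(routes.values())
    if len(ads) > 1 and len(set(ads)) != len(ads):
        findings.append("default routes share an administrative distance; "
                        "give the backup route a higher AD so it floats")
    return findings


# Constructed from the thread's addressing; next hops are placeholders.
BASE = """
interface GigabitEthernet0/0
 nameif backup
 security-level 0
 ip address 10.177.188.22 255.255.255.248
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.131.225.158 255.255.255.240
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.2.250 255.255.255.0
object network SERVER-VIA-OUTSIDE
 host 192.168.2.1
 nat (inside,outside) static 10.131.225.146 service tcp 80 80
object network SERVER-VIA-BACKUP
 host 192.168.2.1
 nat (inside,backup) static 10.177.188.18 service tcp 80 80
access-list OUTSIDE-IN extended permit tcp any object SERVER-VIA-OUTSIDE eq 80
access-list BACKUP-IN extended permit tcp any object SERVER-VIA-BACKUP eq 80
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.131.225.145 1
route backup 0.0.0.0 0.0.0.0 10.177.188.17 100
"""
MISBOUND = BASE + "access-group BACKUP-IN in interface outside\n"   # the typo
CORRECTED = BASE + "access-group BACKUP-IN in interface backup\n"

if __name__ == "__main__":
    for name, cfg in (("misbound", MISBOUND), ("corrected", CORRECTED)):
        print(name, "->", lint(cfg) or "no findings")
```

Run it as a pre-change check: the misbound variant reports both the doubled binding on outside and the missing ACL on backup, which is exactly the case where packet-tracer shows a clean NAT but the connection never completes; the corrected variant reports nothing.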
Fails to connect to the Oracle yum public server
Hello,
I would like to connect to the Oracle public yum server so I can install packages from Oracle Linux via a yum client on my RHEL 5.4.
I am trying to download and copy the appropriate yum configuration file in place, by running the following commands as root:
Oracle Linux 5
# cd /etc/yum.repos.d
# wget http://public-yum.oracle.com/public-yum-el5.repo
--2011-10-29 15:53:41-- http://public-yum.oracle.com/public-yum-el5.repo
Resolving public-yum.oracle.com... 141.146.44.34
Connecting to public-yum.oracle.com|141.146.44.34|:80... failed: Connection timed out.
Retrying.
I disabled the Linux firewall by /etc/init.d/iptables stop, but it still doesn't help.
Thank you.
feverlove wrote:
--2011-10-29 15:53:41-- http://public-yum.oracle.com/public-yum-el5.repo
Resolving public-yum.oracle.com... 141.146.44.34
Connecting to public-yum.oracle.com|141.146.44.34|:80... failed: Connection timed out.
This has nothing to do with the firewall (which by default only blocks incoming traffic, not outgoing traffic) and all to do with your routing. You have DNS properly configured, but you need to double-check your default gateway and other settings to make sure you can connect to a server on the internet directly. If you need to use a proxy server to make connections, you will have to configure that as well.
DMZ - DNS Server, Mail Server, Web Server, FTP Server
Hi,
I am looking at a router to support around 20-30 people. I have a DNS Server, Mail Server, Web Server, FTP Server (all on one box (PC)). I was wondering how everyone's experiences with DMZ and port forwarding have been with these protocols with Airport and supporting a group of this size? Do you foresee issues? Will the new Airport handle these requirements better?
Thanks
A record for mail.mydomain.com going for ip 199.99.99.999
MX record for mail.mydomain.com with destination as mail.mydomain.com
That doesn't quite make sense. There must be an A record for "server.mydomain.com" or you wouldn't be able to reach it at all. You want the MX record to point to that.
Public, Server Permissions, and Endpoints
I am seeking a good discussion of how to handle the impact of revoking connect to endpoint permissions for the public role. Up to this point, I've encountered several resources, including the Microsoft documentation, that recommend removing all server permissions from public. I find this amusing due to the fact that all other logins inherit their permissions on the various endpoints from public. Of course, if I revoke connect for the endpoints from public, only system administrators can connect.
None of the sources that I've found address handling this issue. This reminds me a bit of the old South Park episode with the Underpants Gnomes and their business plan: Step 1 - Underpants, Step 2 - ?, Step 3 - Profit! In this case, it is Step 1 - Revoke rights from public, Step 2 - ?, Step 3 - Security!
There is a comment on the SQL Server 2008 on-line documentation that recommends granting connect to endpoint to specific logins, but it does not supply any detail. I understand that Step 2 is highly dependent on factors that vary from location to location, and application to application.
My question is whether there is a resource that details the considerations for granting connect to endpoint for the various endpoints and logins? I am looking for answers to questions like:
Is there a case in which one would have a login that was not granted connect to any endpoint?
Do logins like ##MS_PolicyTsqlExecutionLogin## need these rights, and if so, to which endpoints specifically?
I have a number of others, but I was hoping someone could provide me with a resource from which I could draw this information without having to chase all over the documentation. Thanks in advance!
Rick,
First, thanks so much for the helpful reply! It validates what I was thinking.
For versions 2008, 2008 R2, and 2012, if you follow Administer Servers by Using Policy-Based Management -> Monitor and Enforce Best Practices by Using Policy-Based Management -> Server public Permissions, it advises, "Do not grant server permissions to the server public role." The links below are for the 2012 version of this page:
http://technet.microsoft.com/en-us/library/cc645930.aspx
http://msdn.microsoft.com/en-us/library/cc645930(v=sql.110).aspx
You and "Quantum John" are listed as authors of a comment on the 2008 version of this page (http://technet.microsoft.com/en-us/library/cc645930(v=sql.100).aspx) that acknowledges this problem. The last part of that comment is:
However, as mentioned in Harry Zheng's post on Dosql (http://dosql.com/cms/index.php?option=com_content&view=article&id=96:sql-server-best-practice-policy-public-not-granted-server-permissions&catid=40:microsoft-sql-server&Itemid=41),
executing the following command:
REVOKE CONNECT ON ENDPOINT::[TSQL Default TCP] FROM public
while best practice, is nevertheless liable to get you in deep trouble on a production server unless you also execute:
GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] to [loginname]
for each of your logins, because without this, no-one except sysadmins will have permission to connect to your instance via TCP.
It refers to performing the revoke connect on endpoint as best practice, which we agree is arguable. Unfortunately, Harry Zheng's post is a dead link. None of the later editions of this page are commented on in any way.
Further, the policy referenced by this documentation, "Public Not Granted Server Permissions," is distributed with SQL Server and evaluates @PublicServerRoleIsGranted. It flags this policy as failed if any connect to endpoint is granted to public.
Fortunately, I'm one of those that insists on testing before moving forward with any change. I also cannot leave gaps in my knowledge unfilled, which is why I posted. Again, thanks for the assistance!
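The "Step 2" this thread is missing can be planned from the catalog before anything is revoked. The following is an added example written for this thread (not Microsoft's code and not the poster's): it takes rows shaped like a join of sys.server_permissions, sys.endpoints and sys.server_principals (a constructed sample is embedded), works out which logins currently reach an endpoint only through public, and emits the GRANTs that have to run before the REVOKE, in one transaction. It assumes only direct grants/denies and sysadmin membership matter; membership in other server roles is not modelled, and login names (svc_web, svc_batch, svc_report, CORP\alice) are made up:

```python
"""Plan CONNECT ON ENDPOINT grants before revoking them from public (added example)."""
from collections import namedtuple

# One row per (grantee, endpoint, permission, state_desc), as a query joining
# sys.server_permissions (class_desc = 'ENDPOINT'), sys.endpoints and
# sys.server_principals would return them.  Constructed sample data.
Perm = namedtuple("Perm", "grantee endpoint permission state")

SAMPLE_PERMS = [
    Perm("public", "TSQL Default TCP", "CONNECT", "GRANT"),
    Perm("public", "TSQL Local Machine", "CONNECT", "GRANT"),
    Perm("svc_web", "TSQL Default TCP", "CONNECT", "GRANT"),   # already explicit
    Perm("svc_batch", "TSQL Default TCP", "CONNECT", "DENY"),  # explicitly denied
]
SAMPLE_LOGINS = ["sa", "svc_web", "svc_batch", "svc_report", "CORP\\alice"]
SAMPLE_SYSADMINS = {"sa"}   # sysadmin members connect regardless of endpoint grants


def endpoints_granted_to_public(perms):
    """Endpoints where the REVOKE would actually change something."""
    return sorted({p.endpoint for p in perms
                   if p.grantee == "public" and p.permission == "CONNECT"
                   and p.state == "GRANT"})


def plan_revoke(perms, logins, sysadmins, endpoint):
    """Classify every login by what happens to it once public loses CONNECT."""
    explicit = {p.grantee for p in perms
                if p.endpoint == endpoint and p.permission == "CONNECT"
                and p.state == "GRANT" and p.grantee != "public"}
    denied = {p.grantee for p in perms
              if p.endpoint == endpoint and p.permission == "CONNECT"
              and p.state == "DENY"}
    # Logins with no explicit grant or deny reach the endpoint only via public;
    # these are the ones that silently lose access after the REVOKE.
    needs_grant = [login for login in logins
                   if login not in sysadmins and login not in explicit
                   and login not in denied]
    return {"endpoint": endpoint, "needs_grant": needs_grant,
            "already_explicit": sorted(explicit), "denied": sorted(denied)}


def quote_ident(name):
    """Bracket-quote a T-SQL identifier, doubling any ']' inside it."""
    return "[" + name.replace("]", "]]") + "]"


def tsql_for_plan(plan):
    """GRANT to every dependent login first, REVOKE from public last, atomically."""
    ep = quote_ident(plan["endpoint"])
    stmts = ["BEGIN TRANSACTION;"]
    for login in plan["needs_grant"]:
        stmts.append(f"GRANT CONNECT ON ENDPOINT::{ep} TO {quote_ident(login)};")
    stmts.append(f"REVOKE CONNECT ON ENDPOINT::{ep} FROM public;")
    stmts.append("COMMIT TRANSACTION;")
    return stmts


if __name__ == "__main__":
    for ep in endpoints_granted_to_public(SAMPLE_PERMS):
        plan = plan_revoke(SAMPLE_PERMS, SAMPLE_LOGINS, SAMPLE_SYSADMINS, ep)
        print(f"-- {ep}: grant needed for {plan['needs_grant']}, "
              f"explicit {plan['already_explicit']}, denied {plan['denied']}")
        print("\n".join(tsql_for_plan(plan)))
```

The point of the ordering is the one the quoted comment makes: the GRANTs must exist before the REVOKE lands, and wrapping both in a transaction means a failed GRANT leaves public's permission in place rather than locking everyone but sysadmins out. Run the planner against the real catalog output for each endpoint the policy flags, and review the "needs_grant" list before executing anything.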