  1. #1

    ASA config advice

    Hello,


    As a recent security requirement, we segregated wireless access from local LAN via another interface on our ASA. While that works wonderfully for anything not on the local network, the wireless users can't access the services published on the ASA outside interface's public IP, namely web and VPN access back to the network.

    I've done a lot of looking around on how to allow access to the public IP of the outside interface from an inside interface and haven't been able to get anywhere. I think some of my issues are that there are forwarded ports on the same external IP as the VPN peer address. Hopefully someone can point me in the right direction.

    Here's what I need to accomplish:
    * Users on the wi-fi network are assigned a 192.168.99.0/24 address.
    * Wi-fi users need to be able to access tcp/80 & tcp/443 on the public IP of the outside interface. Those ports are pat'd to a host on the inside interface.
    * Wi-fi users need to be able to connect to the VPN for inside LAN access. The VPN peer is the public IP of the outside interface.

    I've tried just about everything I can think of and multiple configurations that don't accomplish what I need done.

    Any advice on where to look or configuration advice is greatly appreciated!

    Thanks!

  2. #2
    Can you post the configuration you're running?

    Sounds like some routing needs to be done.

  3. #3
    Hi,

    I don't believe this is possible on an ASA as the PAT is only applied to the ip nat outside interface.
    Common sense is not so common.

  4. #4
    Thanks for the replies. I'm not sure it can be done either given how the ASAs operate but I'd like to find out one way or another. Getting the bigger hammer just hasn't worked so far.

    Here's the current config:

    Code:
    names
    name 192.168.5.0 vpn-clients
    name 192.168.100.0 hosting-web
    name 192.168.112.0 hosting-db
    name 192.168.116.0 hosting-lbal
    name 192.168.212.0 dr-db
    name 192.168.216.0 dr-lbal
    name 192.168.200.0 dr-web
    name 65.208.98.128 id-analytics
    name 192.168.1.7 hqserver
    name 192.168.99.19 ksout
    name 192.168.1.0 hq-clients
    name 10.180.0.0 hosting-cloud-1
    name 10.180.32.0 hosting-cloud-2
    name 10.180.64.0 hosting-cloud-3
    name 10.180.96.0 hosting-cloud-4
    name 192.168.50.0 dr-servers
    name 192.168.1.250 pbx1
    name 4.4.4.18 pub-fw
    name 4.4.4.19 pub-ksout
    name 4.4.4.20 pub-pbx1
    name 4.4.4.21 pub-21
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address pub-fw 255.255.255.240 
     ospf cost 10
    !
    interface Ethernet0/1
     nameif wifi
     security-level 25
     ip address 192.168.99.1 255.255.255.0 
     ospf cost 10
    !
    interface Ethernet0/2
     nameif hqlan
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
     ospf cost 10
    !             
    interface Ethernet0/3
     description LAN/STATE Failover Interface
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 172.16.100.1 255.255.255.0 standby 172.16.100.2 
     ospf cost 10
     management-only
    !
    boot system disk0:/asa725-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 8.8.4.4
     name-server 8.8.8.8
     domain-name hq.net
    same-security-traffic permit inter-interface
    object-group network hosting
     network-object hosting-web 255.255.255.0
     network-object hosting-db 255.255.255.0
     network-object hosting-lbal 255.255.255.0
     network-object hosting-cloud-1 255.255.224.0
     network-object hosting-cloud-2 255.255.224.0
     network-object hosting-cloud-3 255.255.224.0
     network-object hosting-cloud-4 255.255.224.0
    object-group network hq
     network-object hq-clients 255.255.255.0
    object-group network dr
     network-object dr-web 255.255.255.0
     network-object dr-db 255.255.255.0
     network-object dr-lbal 255.255.255.0
     network-object dr-servers 255.255.255.0
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq 8192
     port-object eq 8193
     port-object eq 8194
     port-object eq 987
     port-object eq www
     port-object eq smtp
     port-object eq https
    object-group service sip_ports tcp-udp
     port-object range sip 5090
     port-object range 10000 20000
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group network public-ips
     network-object host pub-fw
     network-object host pub-ksout
     network-object host pub-pbx1
    access-list hqVLANS extended permit ip any interface  
    access-list hqVLANS extended permit ip any interface  
    access-list hqVLANS extended permit ip any interface  
    access-list management_nat0_outbound extended permit ip any hq-clients 255.255.255.0 
    access-list management_nat0_outbound extended permit ip any vpn-clients 255.255.255.0 
    access-list management_nat0_outbound extended permit ip any id-analytics 255.255.255.224 
    access-list outside_1_cryptomap extended permit ip object-group hq object-group hosting 
    access-list outside_cryptomap_65535.20 extended permit ip any object-group hq 
    access-list outside_2_cryptomap extended permit ip object-group public-ips id-analytics 255.255.255.224 
    access-list outside_access_in extended permit icmp any any 
    access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1 
    access-list outside_access_in extended permit udp any any eq ntp 
    access-list outside_access_in extended permit object-group TCPUDP any host pub-pbx1 object-group sip_ports 
    access-list outside_access_in extended permit ip vpn-clients 255.255.255.0 object-group hq 
    access-list clients_nat0_outbound extended permit ip hq-clients 255.255.255.0 object-group hosting 
    access-list clients_nat0_outbound extended permit ip hq-clients 255.255.255.0 object-group dr 
    access-list clients_nat0_outbound extended permit ip hq-clients 255.255.255.0 vpn-clients 255.255.255.0 
    access-list clients_nat0_outbound extended permit ip object-group hq vpn-clients 255.255.255.0 
    access-list clients_nat0_outbound extended permit ip hq-clients 255.255.255.0 192.168.99.0 255.255.255.0 
    access-list outside_3_cryptomap extended permit ip object-group hq object-group dr 
    access-list wifi_access_in extended permit ip 192.168.99.0 255.255.255.0 any 
    access-list wifi_access_in extended permit ip host pub-fw 192.168.99.0 255.255.255.0 
    access-list split_tunnel extended permit ip object-group hq any 
    access-list wifi_nat_static extended permit ip host 192.168.99.250 host pub-fw 
    pager lines 24
    logging enable
    logging timestamp
    logging standby
    logging buffer-size 65535
    logging buffered warnings
    logging trap notifications
    logging asdm informational
    logging device-id hostname
    mtu outside 1500
    mtu wifi 1500
    mtu hqlan 1500
    mtu management 1500
    ip local pool vpn-pool 192.168.5.100-192.168.5.199 mask 255.255.255.0
    failover
    failover lan unit primary
    failover lan interface failover Ethernet0/3
    failover key *****
    failover link failover Ethernet0/3
    failover interface ip failover 10.255.250.1 255.255.255.0 standby 10.255.250.2
    no monitor-interface management
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-525.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 101 interface
    global (outside) 1 pub-21 netmask 255.0.0.0
    global (wifi) 102 interface
    nat (wifi) 101 192.168.99.0 255.255.255.0
    nat (hqlan) 0 access-list clients_nat0_outbound
    nat (hqlan) 101 hq-clients 255.255.255.0
    nat (management) 101 0.0.0.0 0.0.0.0
    static (hqlan,outside) tcp interface 8193 hqserver 8193 netmask 255.255.255.255 
    static (hqlan,outside) tcp interface 8194 hqserver 8194 netmask 255.255.255.255 
    static (hqlan,outside) tcp interface 987 hqserver 987 netmask 255.255.255.255 
    static (hqlan,outside) tcp interface 8192 hqserver 8192 netmask 255.255.255.255 
    static (hqlan,outside) tcp interface https hqserver https netmask 255.255.255.255 
    static (hqlan,hqlan) tcp interface www hqserver www netmask 255.255.255.255 
    static (wifi,outside) pub-ksout ksout netmask 255.255.255.255 
    static (hqlan,outside) pub-pbx1 pbx1 netmask 255.255.255.255 dns 
    static (wifi,wifi) interface  access-list wifi_nat_static 
    no threat-detection statistics tcp-intercept
    access-group outside_access_in in interface outside
    access-group wifi_access_in in interface wifi
    route outside 0.0.0.0 0.0.0.0 4.4.4.17 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    ldap attribute-map LDAPMappings
      map-name  memberOf cVPN3000-IETF-Radius-Class
      map-value memberOf "CN=hq VPN Access,OU=Groups,OU=hq,DC=hq,DC=net" hq
    aaa-server activedirectory protocol radius
    aaa-server LDAP protocol ldap
    aaa authentication ssh console LOCAL 
    aaa authentication http console LOCAL 
    aaa authentication enable console LOCAL 
    http server enable
    http 172.16.100.0 255.255.255.0 management
    http hq-clients 255.255.255.0 hqlan
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service resetoutside
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_65535.20
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes
     hash md5
     group 5
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption aes
     hash sha
     group 5
     lifetime 86400
    crypto isakmp policy 50
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 70
     authentication pre-share
     encryption aes-192
     hash sha     
     group 2
     lifetime 86400
    crypto isakmp policy 90
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh hq-clients 255.255.255.0 hqlan
    ssh 172.16.100.0 255.255.255.0 management
    ssh timeout 5
    ssh version 2
    console timeout 0
    management-access management
    ntp server 169.229.70.64 source outside prefer
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server value 192.168.1.7 192.168.1.242
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     password-storage disable
     ip-comp disable
     re-xauth disable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list none
     default-domain value hq.local
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass enable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools value vpn-pool
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
     webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none    
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy hq internal
    group-policy hq attributes
     dns-server value 192.168.1.7 192.168.1.242
     vpn-tunnel-protocol IPSec 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split_tunnel
     default-domain value hq.local
     split-dns value hq.local 
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny 
      inspect sunrpc 
      inspect xdmcp 
      inspect sip 
      inspect netbios 
      inspect tftp 
    !
    service-policy global_policy global
    prompt hostname context
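An added audit script (not from the thread or from Cisco) that parses the pre-8.3 `static` lines of the config posted above and lists each service PAT'd onto the outside interface that has no counterpart translation whose mapped side faces the wifi interface; that missing wifi-facing translation is the gap behind the original question. It assumes the `static` line format shown in the post and runs over a constructed excerpt of it.

```python
import re

# Constructed excerpt of the posted config. The access-list (policy) form of
# static is included to show that the parser skips it.
CONFIG = """\
static (hqlan,outside) tcp interface 8193 hqserver 8193 netmask 255.255.255.255
static (hqlan,outside) tcp interface 987 hqserver 987 netmask 255.255.255.255
static (hqlan,outside) tcp interface https hqserver https netmask 255.255.255.255
static (hqlan,hqlan) tcp interface www hqserver www netmask 255.255.255.255
static (wifi,outside) pub-ksout ksout netmask 255.255.255.255
static (wifi,wifi) interface  access-list wifi_nat_static
"""

# Pre-8.3 syntax: static (real_if,mapped_if) tcp|udp mapped_ip mapped_port real_ip
# real_port ... or static (real_if,mapped_if) mapped_ip real_ip ...
STATIC_RE = re.compile(
    r"^static \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)"
    r"(?: (?P<proto>tcp|udp) (?P<mip>\S+) (?P<mport>\S+) (?P<rip>\S+) (?P<rport>\S+)"
    r"| (?P<mip2>\S+) (?P<rip2>\S+))"
)


def parse_statics(text):
    """Return one dict per recognised static line; policy statics are ignored."""
    statics = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        statics.append({
            "real_if": g["real"], "mapped_if": g["mapped"], "proto": g["proto"],
            "mapped_ip": g["mip"] or g["mip2"], "mapped_port": g["mport"],
            "real_host": g["rip"] or g["rip2"], "real_port": g["rport"],
        })
    return statics


def unreachable_from(statics, client_if, published_if="outside"):
    """Port-forwards published on published_if whose real host:port has no static
    with its mapped side on client_if. A static only applies to its own interface
    pair, so hosts on client_if get no destination translation for these."""
    facing_client = {(s["real_host"], s["proto"], s["real_port"])
                     for s in statics if s["mapped_if"] == client_if and s["proto"]}
    return [(s["proto"], s["mapped_port"], s["real_host"])
            for s in statics
            if s["mapped_if"] == published_if and s["proto"]
            and (s["real_host"], s["proto"], s["real_port"]) not in facing_client]


if __name__ == "__main__":
    for proto, port, host in unreachable_from(parse_statics(CONFIG), "wifi"):
        print(f"{proto}/{port} -> {host}: published on outside, no wifi-facing static")
```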
