ASA, static, icmp and inspect FTP

Posted by Laurent on August 22, 2008, 5:11 am


Hello,

I have an ASA box running 7.2 with a few statics and a few questions.

Let's say that the outside IP address is 85.1.1.1 and we have 4 statics
for 2 web servers, and 2 FTP servers (access-lists and access-group are
OK)


interface Ethernet0/0
nameif outside
security-level 0
ip address 85.1.1.1 255.255.255.192
!


static (inside,outside) tcp 85.1.1.2 80 10.1.1.2 80 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.3 80 10.1.1.3 80 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.2 21 10.1.1.4 21 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.3 21 10.1.1.5 21 netmask 255.255.255.255


My first question is the ASA is replying to pings on the outside
interface address 85.1.1.1, that's fine, but is there a way to have the
ASA reply to ICMP pings on outside for addresses 85.1.1.2 and 85.1.1.3?
Because for users if it does not ping, then it does not work...

Second question is about static, inspect and FTP: I want to set up
multiple virtual FTP servers using proftpd on a Linux box (Linux has a
single IP, so proftpd will listen on multiple ports: 2021, 2022, 2023,
2024...)

The static would look like:


static (inside,outside) tcp 85.1.1.11 21 10.1.1.100 2021 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.12 21 10.1.1.100 2022 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.13 21 10.1.1.100 2023 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.14 21 10.1.1.100 2024 netmask 255.255.255.255

Will the inspect FTP work fine? The documentation is not clear: will
the ASA think it is FTP because it is port 21 on outside, or will it
ignore FTP because of the 2021..2024 port on inside?

Last one, is about SSH access to the ASA CLI, I had to do a static on
the outside address and port 22:

static (inside,outside) tcp interface ssh 10.1.1.1 ssh netmask 255.255.255.255

Works fine, but I can't access the ASA CLI using SSH. I looked in the
documentation, but I can't find a way to have the ASA listen on an alternate
port for the ASA CLI SSH. Any clue?

Thanks for your attention and your help.

Best regards.

Laurent.
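The second question (whether `inspect ftp` still applies when outside port 21 is translated to 2021-2024 inside) is not answered in the thread, so here is an added configuration example; it is not from the original post, from proftpd, or from Cisco documentation. It assumes the four port statics above are in place and that `global_policy` is the active global service policy. Which port the classifier sees for an inbound, port-translated connection is exactly the open question, so the example keeps the default class (which matches port 21 through `default-inspection-traffic`) and adds a second class that matches the real ports 2021-2024 explicitly, then lists the commands that show which class a test connection actually hit.

```cisco
! Added example (not from the thread). Assumes the four port statics from the
! question exist and that global_policy is the policy applied globally.
!
! inspection_default matches tcp/21 via default-inspection-traffic, so an
! inbound SYN to 85.1.1.11:21 is classified as FTP if the classifier looks at
! the mapped port. If it looks at the real port (2021-2024) instead, the extra
! class below catches it. Matching both removes the ambiguity.
class-map ftp-virtual-servers
 description proftpd virtual hosts reached via outside port 21
 match port tcp range 2021 2024
!
policy-map global_policy
 class inspection_default
  inspect ftp
 class ftp-virtual-servers
  inspect ftp
!
service-policy global_policy global
!
! Verification after one test login from outside:
!   show service-policy inspect ftp        per-class counters; the class whose
!                                          counters grow is the one matched
!   show conn detail | include 10.1.1.100  control connection plus the data
!                                          connection the inspection pinholed
!   show xlate debug                       the port translation in use
```

If the counters under `ftp-virtual-servers` stay at zero while logins succeed, the classifier is matching the mapped port and the extra class can be dropped. `inspect ftp strict` adds RFC-compliance checks on the control channel but rejects some real-world clients, so enable it only after the plain form is confirmed working. For passive mode, also check with `show conn` that the data connection is being built toward the same public address the client used (all four map to 10.1.1.100), since that is the part a port-only static does not cover by itself.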



Posted by Scott Perry on August 22, 2008, 5:05 pm


Question #1: Is there a way to have the ASA reply to ICMP pings on outside
for addresses 85.1.1.2 and 85.1.1.3?

Answer #1:
Yes, change from translating just inbound TCP port 21 and inbound TCP port
80 to everything for that IP address and then apply an access-list to
inbound traffic to filter everything except FTP, HTTP, and ICMP.

no static (inside,outside) tcp 85.1.1.2 80 10.1.1.2 80 netmask 255.255.255.255
no static (inside,outside) tcp 85.1.1.3 80 10.1.1.3 80 netmask 255.255.255.255
no static (inside,outside) tcp 85.1.1.2 21 10.1.1.4 21 netmask 255.255.255.255
no static (inside,outside) tcp 85.1.1.3 21 10.1.1.5 21 netmask 255.255.255.255
!
static (inside,outside) 85.1.1.2 10.1.1.2 netmask 255.255.255.254
!
access-list inbound remark * FTP to 85.1.1.2 and 85.1.1.3
access-list inbound permit tcp any 85.1.1.2 255.255.255.254 eq 21
access-list inbound remark * HTTP to 85.1.1.2 and 85.1.1.3
access-list inbound permit tcp any 85.1.1.2 255.255.255.254 eq 80
access-list inbound remark * PING to 85.1.1.2 and 85.1.1.3
access-list inbound permit icmp any 85.1.1.2 255.255.255.254 echo
!
access-group inbound in interface outside

Question #2: Will the inspect FTP works fine, the documentation is not
clear, will the ASA thinks it is FTP because it is port 21 on outside, or
will it ignore FTP because of the 2021..2024 port on inside?

Answer #2:
No idea. You will probably have to try it for yourself. 2 out of 3
questions answered for free is still a big bonus for you.

Question #3: Works fine, but I can't access the ASA CLI using SSH. I looked
in the documentation, but I can't find a way to have the ASA listen on an
alternate port for the ASA CLI SSH. Any clue?

Answer #3:
You cannot ever reach an IP address on an interface of a firewall from
another side of a firewall. It just doesn't work like that. The static NAT
translation from the outside of the firewall to the firewall's own inside IP
address is not the way to go and will not work. Just allow SSH from the
outside, if you are willing to permit this.

no static (inside,outside) tcp interface ssh 10.1.1.1 ssh netmask 255.255.255.255
!
access-list inbound remark * SSH from the Internet
access-list inbound permit tcp any host 85.1.1.1 eq ssh
!
access-group inbound in interface outside
!
ssh 0.0.0.0 0.0.0.0 outside
!
crypto key zeroize rsa
crypto key generate rsa modulus 1024

-----
Scott Perry
Indianapolis, IN
-----

> Hello,
>
> I have an ASA box running 7.2 with a few statics and a few questions.
>
> Let's say that the outside IP address is 85.1.1.1 and we have 4 statics
> for 2 web servers, and 2 FTP servers (access-lists and access-group are
> OK)
>
>
> interface Ethernet0/0
> nameif outside
> security-level 0
> ip address 85.1.1.1 255.255.255.192
> !
>
>
> static (inside,outside) tcp 85.1.1.2 80 10.1.1.2 80 netmask 255.255.255.255
> static (inside,outside) tcp 85.1.1.3 80 10.1.1.3 80 netmask 255.255.255.255
> static (inside,outside) tcp 85.1.1.2 21 10.1.1.4 21 netmask 255.255.255.255
> static (inside,outside) tcp 85.1.1.3 21 10.1.1.5 21 netmask 255.255.255.255
>
>
> My first question is the ASA is replying to pings on the outside
> interface address 85.1.1.1, that's fine, but is there a way to have the
> ASA reply to ICMP pings on outside for addresses 85.1.1.2 and 85.1.1.3?
> Because for users if it does not ping, then it does not work...
>
> Second question is about static, inspect and FTP: I want to set up
> multiple virtual FTP servers using proftpd on a Linux box (Linux has a
> single IP, so proftpd will listen on multiple ports: 2021, 2022, 2023,
> 2024...)
>
> The static would look like:
>
>
> static (inside,outside) tcp 85.1.1.11 21 10.1.1.100 2021 netmask 255.255.255.255
> static (inside,outside) tcp 85.1.1.12 21 10.1.1.100 2022 netmask 255.255.255.255
> static (inside,outside) tcp 85.1.1.13 21 10.1.1.100 2023 netmask 255.255.255.255
> static (inside,outside) tcp 85.1.1.14 21 10.1.1.100 2024 netmask 255.255.255.255
>
> Will the inspect FTP work fine? The documentation is not clear: will
> the ASA think it is FTP because it is port 21 on outside, or will it
> ignore FTP because of the 2021..2024 port on inside?
>
> Last one, is about SSH access to the ASA CLI, I had to do a static on
> the outside address and port 22:
>
> static (inside,outside) tcp interface ssh 10.1.1.1 ssh netmask 255.255.255.255
>
> Works fine, but I can't access the ASA CLI using SSH. I looked in the
> documentation, but I can't find a way to have the ASA listen on an alternate
> port for the ASA CLI SSH. Any clue?
>
> Thanks for your attention and your help.
>
> Best regards.
>
> Laurent.
>
>
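The answers to questions 1 and 3 above, pulled together as an added configuration example that is not part of Scott's reply. It uses the addresses from the question and 203.0.113.0/24 as a placeholder for the administrator's network; `fwadmin` is a placeholder account. Two points the reply does not spell out are made explicit: a whole-address static sends every protocol for that public IP to a single inside host, so the web and FTP services for each address must share a host (or each service must get its own public address), and to-the-box SSH is gated by the `ssh` command rather than by the interface access-list.

```cisco
! Added example (not from the original reply). Addresses as in the question;
! 203.0.113.0/24 and fwadmin are placeholders.
!
! --- Question 1: make 85.1.1.2 / 85.1.1.3 answer ping ----------------------
! Port-level statics translate only the listed TCP port, so an ICMP echo to
! 85.1.1.2 has no translation and is dropped. Translate the whole address:
no static (inside,outside) tcp 85.1.1.2 80 10.1.1.2 80 netmask 255.255.255.255
no static (inside,outside) tcp 85.1.1.3 80 10.1.1.3 80 netmask 255.255.255.255
no static (inside,outside) tcp 85.1.1.2 21 10.1.1.4 21 netmask 255.255.255.255
no static (inside,outside) tcp 85.1.1.3 21 10.1.1.5 21 netmask 255.255.255.255
static (inside,outside) 85.1.1.2 10.1.1.2 netmask 255.255.255.255
static (inside,outside) 85.1.1.3 10.1.1.3 netmask 255.255.255.255
! Caveat: 85.1.1.2 now maps 1:1 to 10.1.1.2, so the FTP service that was on
! 10.1.1.4 must run on 10.1.1.2 (likewise 10.1.1.5 -> 10.1.1.3), or the FTP
! servers need public addresses of their own. The echo reply comes from the
! inside host, not from the ASA.
!
! Expose only the three services and log whatever else arrives.
access-list inbound extended permit tcp any host 85.1.1.2 eq www
access-list inbound extended permit tcp any host 85.1.1.2 eq ftp
access-list inbound extended permit icmp any host 85.1.1.2 echo
access-list inbound extended permit tcp any host 85.1.1.3 eq www
access-list inbound extended permit tcp any host 85.1.1.3 eq ftp
access-list inbound extended permit icmp any host 85.1.1.3 echo
access-list inbound extended deny ip any any log
access-group inbound in interface outside
!
! Track ICMP statefully so echo replies are matched to the requests that
! caused them instead of relying on the inside->outside default permit.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
!
! --- Question 3: SSH to the ASA itself -------------------------------------
! The inside interface address is not reachable from outside and a static to
! it does nothing, so remove it and let the ASA accept SSH on outside, from
! the admin network only, SSHv2 only, with a fresh 2048-bit key.
no static (inside,outside) tcp interface ssh 10.1.1.1 ssh netmask 255.255.255.255
crypto key zeroize rsa
crypto key generate rsa modulus 2048
ssh version 2
ssh 203.0.113.0 255.255.255.0 outside
ssh timeout 10
aaa authentication ssh console LOCAL
username fwadmin password <set-a-strong-one> privilege 15
! Management sessions are admitted by the ssh command, not by the interface
! ACL, so "inbound" needs no "permit ... host 85.1.1.1 eq ssh" entry.
```

`ssh 0.0.0.0 0.0.0.0 outside`, as in the reply, works but opens the management plane to the whole Internet; with a 1024-bit key and SSHv1 still enabled that is the weakest point of the whole configuration, so restrict the source network and enforce `ssh version 2` before exposing it. After applying, `show ssh sessions` lists who is connected and `show logging | include 106023` shows what the explicit deny is dropping.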


