Cisco – VPN , DMZ services port forwarding ASA

ciscocisco-asanat;

Hey i am a bit confused about port forwarding and how is suppose to work.

In the lab , i set up VPN access to the outside interface and that works find.
Users contacting the outside interface of ASA with ip 10.177.5.40 are prompted to download cisco any connect etc. This is done when a user types the ip in the browser and automatically gets redirected to a https page. port 443

Now i want users from the outside to have access to my DMZ server services HTTP and FTP. Users by typing the http: //10.177.5.40 or ftp: //10.177.5.40 to get access to dmz services. Is it possible or i have to use another ip like 10.177.5.41 .

After watching tutorials for some hours now i have to admit i am more confused that before 🙂

Best Answer

Clients can download the software vpn client only if they access the ip via https port 443, i.e. https://10.177.5.40, unless there is automatic redirection from http to https at the client.

Therefore ports 80 http and ftp on the same ip address are free for you to use, take a look at the section: Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) in Cisco ASA Firewall configuration guide.

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/nat_objects.html#wpxref67001

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Further reading: ISR static routing

I cannot get an ip address right now from the DHCP server (Windows). Any insight into why?

Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.

From what I can gather from your topology and configuration, the subnets 172.19.3.0/24, 172.19.12.0/28 and 172.20.100.0/27 should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.

You can remove the ip helper-address syntax from the SVI 100 given that the DHCP server is on the same segment and that command is used for a DHCP server(s) that is on a different segment.

interface Vlan100
ip address 172.20.100.1 255.255.255.224
ip helper-address 172.20.100.27

Router NAT – How to Query NTP Through Router

You updated to say that no UDP appears to be working.

I am not familiar with your product, but I have seen this type of behavior when the device uses a stateful firewall and it is configured to only allow inbound "established" traffic.

TCP will establish a connection, but UDP does not. To allow UDP return traffic, you typically have to allow "related" traffic in addition to established traffic.

Best Answer

Related Solutions

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Router NAT – How to Query NTP Through Router

Related Topic