Firewall – Using a nat rule to translate 80/443 traffic to web server, but internal users cannot access it using external ip/domain name

cisco-asafirewallnat;port-forwardingrouting

I am using Cisco ASDM for ASA

I have my internal network called soa. My outside interface is called outside. Let's say my outside IP given to me by my ISP isp is y.y.y.y I have a web server inside my network with a static ip of x.x.x.110. I have configured 2 static nat rules (one for http the other for https).

Source is x.x.x.110. Interface is outside, service (http or https).

Maybe I am doing this wrong, but when I run the packet tracer, I choose outside interface and for the source IP I used 8.8.8.8 and the destination ip is my outside IP address, y.y.y.y

When I run that, it shows the packet traversing successfully, using 9 steps.

For my other test, I switch to the soa interface, input an ip on that network, and leave the destination the same. This test comes up with 2 steps and then fails on my access list.

When I see the rule that fails, it is my catch all which is source: any desitnation: any, service: ip action: deny.

What rule do I need to make to allow my soa network access to go out and come back in by my external IP addess (using a domain name attached to that ip in my dns, of course)?

Best Answer

Not sure about Cisco, but on Linux and *BSD this wont work. Even when you try to connect to the external address from the internal network, the packet never passes the external interface as the kernel is too clever, notices his own address and consumes the packet. As the packet never travels through your external interface, the NAT rule for port-forwarding never applies.

Read http://www.openbsd.org/faq/pf/rdr.html#reflect for some (BSD-biased) docs on this.

Related Solutions

Cisco ASA 5505; Can’t forward port 443: Why am I getting “Error: unable to download policy”

The Cisco ASDM runs on port 443, so you'll probably have to switch that to a different port before trying to forward 443 to an inside destination.

Cisco – Setting up a simple QoS priority flag for VoIP traffic on a Cisco ASA 5505 device through ASDM

To begin -- simple is not a word that should be used to describe Quality of Service. The entire word itself is a loaded term.

Instead of rehashing a lot of details about ASA QoS here, reference this answer.

Below is the ASA 8.4 CLI necessary to create a priority queue and handle a specific volume of calls based on a certain bitrate.

Understand that policing only happens in the out direction on the ASA interface on which it is configured.
Based on G.711 voice codec @ 87.5 kilobits per second Ethernet layer 2 data rate (includes all overheads)
Based on a 218 byte average complete Ethernet frame size per voice payload interval. For more see this.
Based on a need to handle 10 calls at a time (87.5 Kilobits per second * 10 = 875 Kilobits per second). Note that this is only in the out direction. We can't "prioritize" incoming traffic unless you control that path as well.
Based on a maximum delay of 200 milliseconds between the VoIP endpoints.
Using an extended access-list with source and destination IP for matching VoIP traffic. Another option is to use IP DSCP if the phones are marking. By using a simple ACL we can verify the service-policy later on with show service-policy flow.

Numbers used for queue-limit and tx-ring-limit determined using the worksheet in the configuration guide and then massaged. The numbers used here could be drastically different depending on your requirements.

access-list voip-traffic remark [[ match inside to Call Manager ]]
access-list voip-traffic extended permit ip 10.0.0.0 255.255.255.0 host 1.2.3.4

priority-queue outside
queue-limit 100  ! based on factors listed earlier, very important number
tx-ring-limit 5  ! based on factors listed earlier

! create class-map

class-map voip-class
 match access-list voip-traffic

! create policy-map, advise not using a global policy

policy-map outside-policy
 class voip-class
  priority

! assign policy to interface, in this case outside

service-policy outside-policy interface outside

In this case the outside-policy can be assigned to the outside interface and you can still implement a global-policy that is by its nature assigned to the outside interface as well -- as long as there are not QoS actions on any of the class's listed in the global-policy. The QoS actions of the outside-policy will be in effect and the non-QoS actions (inspects, etc.) of the global-policy will stay effect.

You can view priority-queue statistics with show priority-queue statistics outside.

You can verify that the traffic itself will hit the priority queue with a command like show service-policy flow host 10.0.0.100 host 1.2.3.4 which will show you how the existing service policies on all interfaces would react to the traffic specified.

Best Answer

Related Solutions

Cisco ASA 5505; Can’t forward port 443: Why am I getting “Error: unable to download policy”

Cisco – Setting up a simple QoS priority flag for VoIP traffic on a Cisco ASA 5505 device through ASDM

Related Topic