The other day I had to configure a static NAT entry on an 8.2 ASA. It
had been a while since I had done this, since almost everything I work
with is 8.3 and above. I thought I would make an entry for myself and
maybe help someone along the way.
Example – I have public IP 1.1.1.10 and I need to forward in port 443
to my internal server at 192.168.1.10. I have an access-list Outside-IN
applied to my outside interface. Note that if 1.1.1.10 is my outside
interface IP (let's say I have only one public IP), then I would use the interface keyword instead.
ASA config –
config t
static (inside,outside) tcp 1.1.1.10 443 192.168.1.10 443
access-list Outside-IN permit tcp any host 1.1.1.10 eq 443
or
static (inside,outside) tcp interface 443 192.168.1.10 443
access-list Outside-IN permit tcp any host 1.1.1.10 eq 443
That’s it!
Compared to 8.3 and above –
object network 192.168.1.10
host 192.168.1.10
nat (inside,outside) static interface service tcp 443 443
access-list Outside-IN permit tcp any host 192.168.1.10 eq 443
Notice the internal IP: on 8.3 and above the access-list matches the real (untranslated) address, whereas on 8.2 it matched the public one.
Resource:
http://travelingpacket.com/2014/08/04/cisco-asa-8-2-and-below-static-nat/
Thursday, November 19, 2015
How to configure static NAT on a Cisco ASA security appliance
Two of the most common forms of network address translation (NAT) are dynamic port address translation (PAT) and static NAT.
PAT is the many-to-one form of NAT implemented in many
small office and home networks where many internal hosts, typically
using RFC 1918 addresses such as 192.168.0.0/24,
share a single external address on the public Internet. Static NAT is a
one-to-one mapping which is used when an internal host needs to be
accessible from the public Internet or some other external network.
In this article I'll explain how to configure static NAT to make an internal Web server accessible from an external network. The same concept applies when you want to make any internal server accessible from an external network, whether it's a Web server, a mail server, an FTP server, or any other type of server or device.
This is based on ASA software Version 9.0(1) and applies to Version 8.3 and later. There is a companion video available here.
Use the following diagram with this documentation. This diagram uses RFC 1918 addresses. In the real world, the outside interface would most likely be configured with a registered, public address.
There are four steps involved in enabling static NAT:
1. Create the network object and static NAT statement. A network object must be created identifying the internal host. Within the network object, you must also create a static NAT statement to identify the outside interface, its IP address, and the type of traffic to be forwarded:
object network InternalHost
host 192.168.102.5
nat (inside,outside) static interface service tcp 80 80
2. Create a NAT statement identifying the outside interface. Note that, in the static NAT statement above, the use of the term interface tells NAT to use whatever address is on the outside interface. The first use of 80 identifies the originating port number. The second use of 80 identifies the destination port number.
3. Build the Access-Control List. Build the Access-Control List to permit the traffic flow (this statement goes on a single line):
access-list OutsideToWebServer permit tcp any host 192.168.102.5 eq www
4. Apply the ACL to the outside interface using the Access-Group command:
access-group OutsideToWebServer in interface outside
Putting the statements from the four steps together, this is the complete configuration:
object network InternalHost
host 192.168.102.5
nat (inside,outside) static interface service tcp 80 80
access-list OutsideToWebServer permit tcp any host 192.168.102.5 eq www
access-group OutsideToWebServer in interface outside
When successfully implemented, this configuration will permit a host on the outside network, such as the public Internet, to connect to the internal Web server using the address on the ASA's outside interface.
Configuring the ASA with multiple outside interface addresses
It is not possible to assign multiple IP addresses to the outside interface on a Cisco ASA security appliance. It is possible, however, to configure the ASA to forward different outside addresses to different hosts on the inside network. For example, you have a /29 block of addresses assigned by your ISP. Also, suppose you have a mail server using POP3 and SMTP and a Web server using HTTP and HTTPS on the inside network. You want each of the servers to be reachable via different outside addresses. You can configure static NAT to accomplish this (see diagram, and again, in the real world the outside interface would probably be configured with registered, public addresses instead of the RFC 1918 addresses shown here).
The steps are similar to those for the single-address static NAT configuration:
1. Configure network objects. Configure a network object for each internal host with a static NAT statement specifying the outside address to be used and the service types (port numbers) to be forwarded. These identify the internal hosts, the desired outside IP address, and the type of service to be forwarded. (The exclamation marks are for formatting to improve readability and are not required for the configuration.)
object network WebServer-HTTP
host 192.168.102.5
nat (inside,outside) static 192.168.1.194 service tcp 80 80
!
object network WebServer-HTTPS
host 192.168.102.5
nat (inside,outside) static 192.168.1.194 service tcp 443 443
!
object network MailServer-SMTP
host 192.168.102.6
nat (inside,outside) static 192.168.1.195 service tcp 25 25
!
object network MailServer-POP3
host 192.168.102.6
nat (inside,outside) static 192.168.1.195 service tcp 110 110
Note that in the above configurations the host statement identifies the internal server (192.168.102.5 is the Web server and 192.168.102.6 is the mail server). The NAT statement identifies the external address used to forward the specified packets to the internal host.
2. Configure Access-Control Lists to permit the traffic flows. This Access-Control List permits the flows from the lower-security outside interface to the higher-security inside interface (each access-list statement goes on a single line).
access-list OutsideToInside permit tcp any host 192.168.102.5 eq 80
access-list OutsideToInside permit tcp any host 192.168.102.5 eq 443
access-list OutsideToInside permit tcp any host 192.168.102.6 eq 25
access-list OutsideToInside permit tcp any host 192.168.102.6 eq 110
3. Apply the Access-Control List to the outside interface with an access-group statement.
access-group OutsideToInside in interface outside
The network objects, access-list entries and access-group statement above together form the complete configuration.
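As an added example (not code from either post, and not a Cisco tool), the following Python audit parses the 8.2 "static (inside,outside) ..." form from the first post and the 8.3-and-later "object network ... nat" form from this article, then performs two checks a reviewer of such a configuration wants: that no two static NATs claim the same mapped address and port, and that each access-list entry names the mapped (public) address on 8.2 and below but the real (inside) address on 8.3 and later, which is exactly the difference the first post's "Notice the internal IP" points at. The version strings, the outside interface address 1.1.1.10 reused from the first post, and the hypothetical Webmail-HTTPS object that deliberately collides with WebServer-HTTPS are constructed inputs.

```python
"""Audit ASA static NAT and ACL statements (constructed example, not from either post).
Check 1: no two static NATs claim the same mapped proto/address/port.
Check 2: each access-list entry names the mapped (outside) address/port on 8.2 and
below, but the real (inside) address/port on 8.3 and later, where NAT precedes the ACL.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110}

def port_number(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]

def parse_static_nat(config: str, outside_ip: str) -> List[Dict]:
    """One dict per static NAT; the 'interface' keyword resolves to outside_ip."""
    entries: List[Dict] = []
    current_host = None
    for raw in config.splitlines():
        line = raw.strip()
        # 8.2 and below: static (inside,outside) tcp <mapped> <mport> <real> <rport>
        m = re.match(r"static \(\S+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            proto, mapped, mport, real, rport = m.groups()
        else:
            h = re.match(r"host (\S+)$", line)
            if h:
                current_host = h.group(1)  # real address of the enclosing object
                continue
            # 8.3 and later: nat (inside,outside) static <mapped> service tcp <rport> <mport>
            m = re.match(r"nat \(\S+\) static (\S+) service (tcp|udp) (\S+) (\S+)$", line)
            if not (m and current_host):
                continue
            mapped, proto, rport, mport = m.groups()
            real = current_host
        entries.append({"real": real, "proto": proto,
                        "mapped": outside_ip if mapped == "interface" else mapped,
                        "real_port": port_number(rport), "mapped_port": port_number(mport)})
    return entries

def parse_acl(config: str) -> List[Dict]:
    """Extended ACEs of the form used on the page: permit <proto> any host <ip> eq <port>."""
    acl = []
    for raw in config.splitlines():
        m = re.match(r"access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)$", raw.strip())
        if m:
            name, proto, host, port = m.groups()
            acl.append({"acl": name, "proto": proto, "host": host, "port": port_number(port)})
    return acl

def mapped_collisions(nats: List[Dict]) -> List[Tuple[str, str, int]]:
    """Mapped proto/address/port triples claimed by more than one static NAT."""
    counts = Counter((n["proto"], n["mapped"], n["mapped_port"]) for n in nats)
    return sorted(key for key, c in counts.items() if c > 1)

def acl_findings(config: str, outside_ip: str, version: str) -> List[str]:
    """ACL entries that match no static NAT on the given ASA version (e.g. '9.0(1)')."""
    major, minor = (int(x) for x in re.match(r"(\d+)\.(\d+)", version).groups())
    side, port_key = ("mapped", "mapped_port") if (major, minor) < (8, 3) else ("real", "real_port")
    expected = {(n["proto"], n[side], n[port_key]) for n in parse_static_nat(config, outside_ip)}
    findings = []
    for ace in parse_acl(config):
        if (ace["proto"], ace["host"], ace["port"]) not in expected:
            findings.append(f"{ace['acl']}: {ace['proto']} {ace['host']}:{ace['port']} matches "
                            f"the {side} address/port of no static NAT on ASA {version}")
    return findings

# Constructed samples: the first post's 8.2 configuration, its 8.3+ equivalent, and a
# multi-address set in which a hypothetical Webmail object collides with WebServer-HTTPS.
ASA82 = """
static (inside,outside) tcp interface 443 192.168.1.10 443
access-list Outside-IN permit tcp any host 1.1.1.10 eq 443
"""
ASA83 = """
object network 192.168.1.10
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 443 443
access-list Outside-IN permit tcp any host 192.168.1.10 eq 443
"""
MULTI = """
object network WebServer-HTTPS
 host 192.168.102.5
 nat (inside,outside) static 192.168.1.194 service tcp 443 443
object network Webmail-HTTPS
 host 192.168.102.6
 nat (inside,outside) static 192.168.1.194 service tcp 443 443
access-list OutsideToInside permit tcp any host 192.168.102.5 eq 443
"""

if __name__ == "__main__":
    print(acl_findings(ASA82, "1.1.1.10", "8.2(5)"))   # [] : ACL names the public address
    print(acl_findings(ASA83, "1.1.1.10", "9.0(1)"))   # [] : ACL names the internal address
    # An 8.2-style ACL left in place after upgrading to 8.3+ is flagged:
    print(acl_findings(ASA83.replace("host 192.168.1.10 eq", "host 1.1.1.10 eq"), "1.1.1.10", "9.0(1)"))
    print(mapped_collisions(parse_static_nat(MULTI, "1.1.1.10")))  # [('tcp', '192.168.1.194', 443)]
```

The stale-ACL case is the one that bites after an 8.2 to 8.3 upgrade: the object and nat lines are migrated, but an access-list still written against the public address no longer matches anything, so the published service silently stops working, while a rule later "fixed" by permitting any to the public address can end up broader than intended. Running a check like this against the saved configuration before and after the change catches both.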
Resource:
http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
Friday, August 28, 2015
Bandwidth (Easy Traffic Shaping in Cisco IOS)
If you followed my recent Cisco Catalyst rate-limiting
post, you already know that policing traffic on a Cisco Catalyst switch
requires a bit of thought. Mainly, you have to do a bit of calculating
to determine the best bucket size for your application. The good news
is that achieving the same effect on a Cisco IOS-based router is much
easier.
You can enable shaping on an interface (or sub-interface) in three easy steps. Just remember: class, policy, interface.
Class
class-map match-any CLASS_SLAP
match any
On the router, we have the ability to tell the class map to match any
traffic. This is in contrast to the Catalyst switch where we had to
specify an access-list to match on. This saves us a step and achieves
the exact same results. In this case, we are going to assign all
traffic to the CLASS_SLAP class.
Policy
policy-map POLICY_SLAP
class CLASS_SLAP
shape average 8000000
Now it's time to define our policy map. In this case, we're going to take any traffic that matched the CLASS_SLAP class (which, as you remember, is all traffic) and apply a shaping policy to it. We use the shape average 8000000 configuration command to limit our speed (the CIR) to 8 Mbps. Another configuration command available for a policy map is bandwidth, which has a similar effect. Unfortunately, a policy map utilizing the bandwidth configuration command cannot be applied to a sub-interface. This limitation may not be a problem for you, though.
Interface
interface GigabitEthernet0/3.429
encapsulation dot1Q 429
service-policy output POLICY_SLAP
Finally, we need to apply the policy map to an interface using the service-policy configuration command. In this example, I used a sub-interface to make the example a little more applicable to real-world circumstances. I've also applied the policy map in the outbound direction. Thus, the users of VLAN 429 are only allowed to download at an aggregate of 8 Mbps.
Wasn't that easy? How do your own experiences compare?
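The post contrasts the Catalyst policer, which needs a bucket-size calculation, with the IOS shaper that just takes a CIR. The following Python model, added here and not part of the original post or of IOS, pushes the same one-second 20 Mbps burst through a per-interval token bucket run either as a shaper (excess queued and sent later) or as a policer (excess dropped) at the 8 Mbps CIR from the policy map. The 25 ms interval (Tc) and the 20 Mbps offered load are assumptions for illustration; IOS chooses its own Bc/Tc defaults for shape average.

```python
"""Token-bucket model of 'shape average' versus a policer (constructed example).

Assumed values (not from the post): Tc = 25 ms, so Bc = CIR * Tc bits are released
per interval, and a 20 Mbit/s offered load lasting one second. IOS picks its own Bc/Tc.
"""

CIR = 8_000_000   # bit/s, from 'shape average 8000000'
TC = 0.025        # assumed interval length in seconds


def burst(rate_bps: int, seconds: float, tc: float = TC) -> list:
    """Offered load: a constant rate for `seconds`, expressed as bits per Tc interval."""
    return [round(rate_bps * tc)] * round(seconds / tc)


def simulate(offered: list, cir: int = CIR, tc: float = TC, mode: str = "shape") -> dict:
    """Run the offered load through one token bucket per interval.

    mode='shape': excess bits wait in a queue and go out in later intervals.
    mode='police': excess bits are dropped on the spot.
    """
    bc = round(cir * tc)            # committed burst: tokens available each Tc
    queue = dropped = max_queue = 0
    sent = []
    for bits in offered:
        backlog = queue + bits
        tx = min(bc, backlog)       # never more than Bc bits per interval
        sent.append(tx)
        excess = backlog - tx
        if mode == "shape":
            queue = excess
            max_queue = max(max_queue, queue)
        elif mode == "police":
            dropped += excess
        else:
            raise ValueError(f"unknown mode {mode!r}")
    while queue:                    # a shaper keeps draining after the burst ends
        tx = min(bc, queue)
        sent.append(tx)
        queue -= tx
    return {
        "bc_bits": bc,
        "intervals": len(sent),
        "sent_bits": sum(sent),
        "dropped_bits": dropped,
        "max_queue_bits": max_queue,
        "peak_bps": round(max(sent) / tc),
    }


if __name__ == "__main__":
    load = burst(20_000_000, 1.0)
    for mode in ("shape", "police"):
        print(mode, simulate(load, mode=mode))
```

With these inputs the shaper delivers every bit at a peak of exactly 8 Mbps but takes 2.5 seconds to do it and holds up to 12 Mbit (1.5 MB) in its queue, whereas the policer finishes in the original second by discarding 12 of the 20 Mbit. That is the trade the post is making when it chooses shaping for VLAN 429: latency and buffer memory on the router instead of drops.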
UPDATE: I recently added a post that discusses rate limiting based on time of day. Check it out!
Wednesday, April 1, 2015
Exchange 2013 | The WS-Management service cannot process the request. The load quota for the system has been exceeded.
Like in the previous versions of Exchange (like 2010) you may receive
the following error when using the Exchange Management Shell on an
Exchange 2013 server.
VERBOSE: Connecting to XCH14.DomainX.local.
New-PSSession : [xch14.DomainX.local] Connecting to remote server xch14.DomainX.local failed with the following error message : The WS-Management service cannot process the request. The load quota for the system has been exceeded. Send future requests at a slower rate or raise the system quota. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI “$connectionUri” -ConfigurationName Microsoft.Excha …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
To resolve this problem you need to go to the Internet Information Services (IIS) Manager.
Go to Application Pools, find the MSExchangePowerShellAppPool, select it and right-click to recycle the AppPool.
After you have recycled the AppPool you will be able to use the Exchange Management Shell again.