Be A Cisco Expert Without Course or Certification » Firewall

Accept Inbound Traffic To Servers Behind NAT

Yanurmal — Wed, 12 Nov 2008 08:09:39 +0000

This config to make inbound traffic to a web server in local network behind NAT.

Req:
- Private IP Address plan (eg. 192.168.1.0/24)
- Public IP Address plan (eg.100.1.2.3/30)
- Web Server (port 80) IP Address (eg.192.168.1.10)
- Standard NAT Config work properly

All incoming web traffic from the Internet that comes to 100.1.2.3 will be forwarded to 192.168.1.10

hostname CiscoNAT
!
enable secret 5 KjhKJGkj$57JHkkl98KJH
!
ip subnet zero
!
interface FastEthernet0/0
description LAN Interface
ip address 192.168.1.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0
description WAN Interface
ip address 100.1.2.3 255.255.255.248
ip nat outside
ip access-group 101 in
!
ip nat inside source static 192.168.1.10 80 interface Serial0
!
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 80
!
line con0
line vty 0 4
login
password cisco
!
end

CLI Simple Cisco ASA/PIX Config

Yanurmal — Sat, 02 Feb 2008 08:25:15 +0000

This config is for simple config ASA/PIX firewall with 2 network interface. One for outside (Internet) and other for inside (LAN). All traffic from internal to external is accepted. All traffic from external to internal is droped.

Requirement:
- Cisco ASA/PIX with 2 network interface
- IP Public/Outside IP Address (ie: 65.1.1.x)
- IP Private/Inside IP Address (ie: 192.168.1.x)
- Next hop/Gateway IP Address (ie: 65.1.1.1)
- PIX/ASA ver.7.x or above

Firewall> enable
Password:
Firewall#
Firewall# config terminal
Firewall(config)# interface Ethernet0
Firewall(config-if)# nameif outside
Firewall(config-if)# security-level 0
Firewall(config-if)# ip address 65.1.1.2 255.255.255.0
Firewall(config-if)# speed 100
Firewall(config-if)# duplex full
Firewall(config-if)# exit

Firewall(config)# interface Ethernet1
Firewall(config-if)# nameif inside
Firewall(config-if)# security-level 100
Firewall(config-if)# ip address 192.168.1.1 255.255.255.0
Firewall(config-if)# speed 100
Firewall(config-if)# duplex full

Firewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Firewall(config)# global (outside) 1 65.1.1.3 netmask 255.255.255.224

Firewall(config)# route outside 0.0.0.0 0.0.0.0 65.1.1.1

Activate ASDM as GUI Interface for Cisco ASA/PIX Firewall

Yanurmal — Mon, 07 Jan 2008 15:44:34 +0000

pixfirewall> enable
Password:
pixfirewall# configure terminal
pixfirewall(Config)# interface ethernet1
pixfirewall(Config-if)# nameif inside
pixfirewall(Config-if)# ip address 192.168.1.1 255.255.255.0
pixfirewall(Config-if)# no shutdown
pixfirewall(Config-if)#

Activate ASDM and enable http server.

pixfirewall(Config)# asdm image flash:/asdm.bin.
pixfirewall(Config)# http server enable.

Open a connection for your PC. Example your pc IP address is 192.168.1.2

pixfirewall(Config)# http 192.168.1.2 255.255.255.255 inside

Make sure all your config running properly.

pixfirewall(Config)# show running http
http server enabled
http 192.168.1.2 255.255.255.255 inside
pixfirewall(Config)#

Now your Cisco ASA/PIX can be access from your PC.
Make sure your PC and Firewall has connected and open your web browser then enter this address https://192.168.1.1/admin