NAT and Port Forwarding on Cisco ASA with ASDM

Captions
[Music] Hi there. For today's video I'm going to teach you how to configure port forwarding plus static NAT on a Cisco ASA so you can publish your web server over the internet. People can reach your web server without actually exposing so many things of that web server to the internet, so a bit of security tips and how-to on the ASDM. Later on, in the second part of the video, I'm going to teach you how to configure the CLI part. Actually I already have a video that explains the whole thing excluding static NAT, but that video doesn't have good quality; the audio is bad. So I decided to re-record it and make it a little bit better. So let's jump right in.

This is my test host that I'm gonna use to test the internet access, the web server access from the public. This is my web server on the DMZ, and this is my internal network, which has a host that I can use to test my access to the web server from the internal network. Let me actually show you the web server. This is a host that I added to EVE-NG; if you don't know how to add your customized Windows server or Windows host into EVE-NG, check this link. So back to the server: there is just IIS installed on the server, nothing fancy, it's just a default web page, and basically your configuration on the web server is pretty much irrelevant to this situation. You can also run Apache or whatever service; it doesn't have to be a web server. So as you can see there's nothing configured in here. This is my web server.

So now let's test the web server and see if everything works correctly, at least from the internal network. The traffic from the internal network should work just fine; we should be able to reach the web server, and the reason for that is something known as security level in Cisco ASA. You can assign an interface a number from zero to 100 that defines a security level, and traffic from a higher security level flows automatically to a lower one. As you can see my inside network is 100 and the DMZ is just 50. That means my internal host can automatically access the web server just fine and I don't have to configure any ACL, inspection or whatsoever. I don't have to, but I can. So so far we've established that our web server is reachable.

So let me go to ASDM and show you how this has been configured so far. I have an object for the IIS server and this is the IP address in the DMZ, and I'm pretty sure you guys know how this has been set up: just create a new object, easy peasy, right? So the second one is an IP address from my public address space; it's .100. Again, I'm picking that from 254 IP addresses that I have available to me, given to me by the ISP. The reason I'm doing that is because this IP address is within the range, a /24 IP address range that like I said is assigned to me by the ISP. Okay, so far so good.

So let me go to the server; this is the web server I showed you before. Let me try and go to the internet, let me try and ping an IP address on the internet, and it's not possible because there is no NAT rule. There is a video on how to open NAT, how to translate addresses; please check this video if you don't know how to. The purpose of this video is not to give internet access to this server; the purpose is to give outsiders access to this server, so there's a difference. One of the reasons I'm re-recording this video is because I want to show you guys what's the safe and secure way of opening public access to your web server. Obviously there is a difference, and we just don't want, for the sake of just letting it open, to do something that is unsafe.

So let's go to the Cisco ASA. Under the NAT section I'm going to add a rule in here, which I'm going to put after the objects. I'm going to select the interface in here; you don't have to, it's not mandatory, but it's a good practice and it's a good habit to have. And the outside interface. The source address should be the IIS server. This is a static NAT, obviously; if I wanted to do PAT, obviously I should have created a bigger object that housed more IP addresses, internal IP addresses, in it, but this is not the use case for us. We just want to translate one to one, or static. And then in here I'm gonna select my public IP address, since I have a lot of IP addresses to waste, and then I'm going to click on OK. So once I do that, and then let's click Apply. Once I do that my server will be able to access the internet. Let's check it from the point of view of the ISP router; let's make sure that we are getting translated to the correct IP address. I'm going to turn on debugging, debug ip icmp, and let's ping the internet address again and then see whether we are getting correctly translated to .100. So our IP address is correct, so our translation, internal to external, or static map, or one to one, that is working just fine. And if you don't know what static NAT is, basically it means everything to everything, so if I translate one to two, everything that comes from two will be translated to one and the opposite. Just know this, you know, it's nothing fancy; from a security point of view it does not have any benefit. Just know that this is going to be a static NAT, or one to one.

Now you guys are wondering, will it be enough? Will my server be accessible from the public? No, you still need something known as the ACL. And your question is why? Because traffic from the lower priority or lower security level will not flow to the higher one. Our outside is zero; basically whatever comes in needs an ACL if it wants to reach my internal resources or the DMZ, so 0 to 50 needs an ACL. How do we define that? We will have to go into Access Rules under the Firewall section, create an access rule and bind it to the correct interface. In here I'm going to bind it to the outside; the traffic is going to be coming from outside. Then I'm going to select the destination, which is my IIS server, and then under the service section IP will do just fine, but we just want to be specific, right? You just don't want to open everything, so I'm going to select TCP, and then TCP is also too broad. Let's actually try and search for something very specific: HTTP, how about that? HTTP, yeah, I'm gonna select that and then click on OK. This way, if traffic hits my firewall, at least I will only allow HTTP traffic.

It's time to test our solution. Let's jump into the host that I have on the outside, on the internet, and let's try to access this server from the outside. Okay, let's open the page again; private browsing makes me feel better. Okay, so I can access my web server from the outside, and for those of you that just want this to work, this is pretty much enough. Those of you that are wrestling with the question "is it secure?", I'm just going to be up front and say no. That's because what if one of those adversaries uses or exploits a zero day to basically exfiltrate your data, encrypt your server or cause an outage in your environment, take out your web server?

Okay, so let's teach you how we can fix this. Go to your NAT rule, and under the section where you specified the service, it's "any"; just change it: add a new service object and change it to port 80. Give it a name, whatever you like; I just gave it capital HTTP as if it's the God. And then click on OK, and then click on OK and click on Apply. You will be greeted with this page; these are the CLI commands you're applying on the firewall. Let's just make a comparison in here: I'm just NATing everything on the firewall, this is my rule; now it will be changed to HTTP. And once I do that, let me just show it to you: show run nat. You can see that we are pretty much limited. Let's test it, and of course I'm not able to get to the internet. What's happening on the internet side? Let me just close this page, open a new one and try to browse the service. Sure enough it works, so it's a much, much safer approach than keeping the old one alive. And of course I'm not able to get to anything from internal to external; from external, people can get to me and I can respond to them. Okay, so so far so good. Just to make sure that we are on the same page, this is not a hundred percent secure; this is just better than before.

Let me show you the other way that we can do this, from the object level. So far I showed you how you can do this. There is no NAT rule right now; I deleted the old one. Let's go under the object, click on Edit, and under this object expand it and add a static NAT rule. In here I'm going to select my public IP address, and then under the Advanced section let's just first select the outside and inside interface; in this case DMZ is my internal network, outside is my external. And then I'm going to set it to port 80; basically the real port is 80 and I'm mapping it to port 80. Then let's apply it. Notice the difference: now it's under the object level, so you have to go into your object and apply this configuration. As you can see it's slightly different. So testing, as usual; we test everything that we sell in this channel. So let's go back there, copy it, and then close this one, open a browser. No, I don't trust you: a private browsing session, it's bulletproof. Sure enough my website is available to all the public; people can read the content, and of course my server is relatively, just relatively, more secure than before, but it's not bulletproof, I want to emphasize that. So show run nat again; this is my config.

If you have any questions feel free to comment in the comment section below. And of course, let's not forget: you guys know how to create an object, you guys know how to create an ACL, and if you don't know the syntax it's pretty simple. show run access-list will show you the access list that I already have, and the access-group command, show run access-group, shows you how the ACL is bound to the outside interface. As always, thank you guys for watching. If you find this video useful please give it a thumbs up, consider subscribing, and answer this 10 million dollar question.
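The configuration walked through above, written out as ASA CLI. This is an added example, not the video's own config: it shows the interface security levels, the "everything to everything" static NAT the video starts with, the port-80-only twice-NAT and object-NAT variants it ends with, and the outside ACL. The addresses (203.0.113.x, 192.168.50.x), interface names and object names are constructed placeholders.

```cisco
! Added example (not the video's config). Addresses, interface and object
! names are constructed placeholders; adjust to your own topology.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
object network IIS-SERVER
 host 192.168.50.10
object network IIS-SERVER-PUBLIC
 host 203.0.113.100
!
! Step 1 (first rule in the video): one-to-one static NAT for every protocol
! and port. Any service the server listens on is translated; the server can
! also reach the internet through it, and only the ACL limits what gets in.
nat (dmz,outside) source static IIS-SERVER IIS-SERVER-PUBLIC
!
! Step 2 (the fix in the video): restrict the translation itself to TCP/80.
! ASDM creates this service object when you pick port 80 in the NAT rule;
! in twice NAT the "source" port is the real server's port.
object service HTTP
 service tcp source eq www
no nat (dmz,outside) source static IIS-SERVER IIS-SERVER-PUBLIC
nat (dmz,outside) source static IIS-SERVER IIS-SERVER-PUBLIC service HTTP HTTP
!
! Alternative to step 2 (second method in the video): the same port-only
! translation configured under the network object. Use one or the other.
! object network IIS-SERVER
!  nat (dmz,outside) static 203.0.113.100 service tcp www www
!
! Outside is security level 0, so inbound traffic still needs an ACL.
! On ASA 8.3+ the ACL matches the real (pre-NAT) address, hence IIS-SERVER.
access-list OUTSIDE_IN extended permit tcp any object IIS-SERVER eq www
access-group OUTSIDE_IN in interface outside
```

Check the result with the commands the video ends on: show run nat, show run access-list and show run access-group; from an outside host only TCP/80 to 203.0.113.100 should answer, and a ping from the server to the internet should now fail as it did in the video.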
Info
Channel: William Shanaei
Views: 403
Keywords: NAT, PAT, Cisco, ASA, Firewall, Configuration, Server, IIS, Apache, Port, Address, Translation, Network, 5505, 9.X, Redirection, Static, Dynamic, port-forwarding, Forwarding, Port Forwarding, Port Redirection, Appliance, CCNP, Security, CCNA, ASDM, GUI, easy, simple, security, setup
Id: cNaEsZSsxcg
Length: 12min 38sec (758 seconds)
Published: Thu Sep 16 2021