If you have a host that you want to be able to access from the outside of the firewall e.g. a webserver then this is the process you want to carry out. I didn’t find this process particularly intuitive and it highlighted why I don’t like GUI management interfaces, (in 6.4 the menu names have changed, this rendering a million blog pages inaccurate!)
I’m setting this up in EVE-NG on the work bench and this is what I’m trying to achieve;
So to access my web server from ‘outside‘ the firewall I need to give it a NATTED ‘public‘ address on 192.168.100.0/24. Here the server is on the LAN if yours is in a DMZ then substitute the DMZ interface for the inside one I’m using.
Solution
First task is to create a ‘Virtual IP‘, this will be the ‘public IP‘ that the web server will use. From the management interface > Policy and Objects > Virtual IPs > Create New > Virtual IP
‘Give it a sensible name, and add a comment if you wish > Set the interface to the public facing port > Type, set to ‘Static NAT‘ > External IP, (although it says range just type in the single public IP) > Internal IP = Enter the LAN IP > OK.
Firewall Policy > Create New.
Note: If your firewall is older then 6.4 the tab is called ‘IPv4 Policy‘
Give the entry a name > Incoming interface = the public interface > Outgoing Interface = the inside/LAN interface > Source = ALL > Destination = SET TO YOUR VIRTUAL IP > Schedule = Always > Service = ALL (though you can of course select http and or https in production) > DISABLE NAT. (Trust me I know that makes no sense) > OK.
Just to prove this is not all ‘Smoke and Mirrors‘ here’s my topology running in EVE-NG, and my external host (Named: Public-Client) Browsing to 192.168.100.110, and the Fortigate translates that to 192.168.1.123
Related Articles, References, Credits, or External Links
Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.
If you have a spare/available public IP address you can statically map that IP address to one of your network hosts, (i.e. for a mail server, or a web server, that needs public access).
This is commonly referred to as a ‘Static NAT’, or a ‘One to One translation’. Where all traffic destined for public address A, is sent to private address X.
Note: This solution is for firewalls running versions above version 8.3. If you are unsure what version you are running use the following article.
In the following example I will statically NAT a public IP address of 81.81.81.82 to a private IP address behind the ASA of 172.16.254.1. Finally I will allow traffic to it, (in this example I will allow TCP Port 80 HTTP/WWW traffic as if this is a web server).
Create a Static NAT and allow web traffic via ASDM
3. Give the ‘object’ a name (I usually prefix them with obj-{name}) > It’s a Host > Type in it’s PRIVATE IP address > Tick the NAT section (press the drop-down if its hidden) > Static > Enter it’s PUBLICIP address > Advanced > Source = Inside > Destination > Outside > Protocol TCP. Note: You could set this to IP, but I’m going to allow HTTP with an ACL in a minute, so leave it on TCP > OK > OK > Apply.
4. Now navigate to Firewall > Access Rule > Add > Add Access Rule.
5. Interface = outside > Permit > Source = any > Destination = PRIVATEIP of the host > Service > Press the ‘more’ button > Locate TCP/HTTP > OK > OK > Apply.
6. Then save your work with a File > Save Running Configuration to Flash.
Create a Static NAT and allow web traffic via Command Line
2. Log In > Go to enable mode > Go to configure terminal mode.
[box]
User Access Verification
Password:*******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: *******
PetesASA# conf t
PetesASA(config)
[/box]
3. First I’m going to allow the traffic to the host (Note: after version 8.3 we allow traffic to the private (per-translated IP address). This assumes you don’t have an inbound access list if you are unsure execute a “show run access-group” and if you have one applied substitute that name for the word ‘inbound’.
Warning before carrying out applying the ‘access-group’ command, see the following article;
Cisco DNS doctoring is a process that intercepts a DNS response packet as it comes back into the network, and changes the IP address in the response.
Why Would you want to do this? Well lets say you have a web server on your network, and its public IP is 111.111.111.111, and on your LAN its internal IP address is 192.168.1.100, its public DNS name, (or URL) is www.yoursite.com. When a user types www.yoursite.com into their browser, DNS will respond with the public IP of 111.111.111.111, and not the IP address thats on your LAN (192.168.1.100). The client can’t send the traffic out of the firewall, ‘hairpin’ it though 180 degrees and send the traffic back in again. So it fails. What DNS does is look for DNS response packets that have 111.111.111.111 in them and dynamically changes the ip in the packet to 192.168.1.100.
Are there any prerequisites? Only that the DNS server sending the response sends it response though the ASA, i.e. if you have your own DNS server onsite that serves the request (without a forward lookup or a root hint). then the DNS response does not go though the ASA so it can’t doctor it. This happens if you public website and your internal domain have the same name, or if your DNS server is authoritative for a domain with an IP address outside your network. To solve that problem your best bet is to setup ‘Split DNS’
If you read the preamble you know that the DNS response needs to go though the firewall, and the public IP that gets resolved needs to be on your network. This can be either a host on your network with a public IP, or a host in your DMZ that has a public IP (both examples are shown below).
It takes longer to explain what DNS doctoring is, than it does to actually set it up. Essentially you simply add the ‘dns’ keyword to the end of the static nat statement for the internal host to its public address.
Option 1 – DNS Doctoring for a host on your LAN
This is simply a one-to-one static nat with the dns keyword added onto it, so using the example above (on the left), lets take a look at our NATs.
[box]
Petes-ASA# show run nat
!
object network obj_any
nat (inside,outside) dynamic interface
object network Obj-Static-128.65.98.44
nat (inside,outside) static 128.65.98.44
[/box]
You may have a lot more output, but this tells me theres a dynamic NAT for all network traffic (PAT everything to the outside interface dynamically). And a static translation for your internal host, that’s the one we need to add the dns keyword to.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# object network Obj-Static-128.65.98.44
Petes-ASA(config-network-object)# nat (inside,outside) static 128.65.98.44 dns
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: de650019 1f1583f7 70121512 e1d093e8
15724 bytes copied in 3.430 secs (5241 bytes/sec)
[OK]
Petes-ASA(config)#
[/box]
How Do I Set Up DNS Doctoring In The ASDM?
Testing DNS Doctoring
Heres an example of what happened before we setup DNS doctoring, (or where DNS doctoring is not working).
And once its been configured do the same and note the difference;
Option 2 – Host in the DMZ
The process is identical to above only the NAT stamens is different, i.e.
Note: I’m assuming the object host already exists, if NOT then add the line in BLUE.
Setting up ‘Static NAT’ is the process of taking one of your ‘spare’ public IP addresses, and permanently mapping that public IP to a private IP address on your network.
In the example above I want to give my web sever which has an internal IP address of 192.168.1.10/24, the public IP address of 1.1.1.5/24. So if someone out on the Internet wants to view my website, they can browse to http://1.1.1.5 (or a URL that I’ve pointed to 1.1.1.5 like http://www.mywebsite.com). Then that traffic will be NATTED, on the firewall for me.
Solution
1. Create a rule-set from the ‘untrust’ zone. Then add a rule to that rule-set, that has a destination of 1.1.1.5/32, and finally set it to NAT that traffic to 192.168.1.10/32.
[box]login: root
Password: *******
— JUNOS 12.1X44-D30.4 built 2014-01-11 03:56:31 UTC
[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST from zone untrust
[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 match destination-address 1.1.1.5/32
[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 then static-nat prefix 192.168.1.10/32
[/box]
2. Set the firewall to proxy-arp (advertise your pubic IP address with is MAC address), then add the web server to the global address book.
Note: ge-0/0/0.0 is the physical address you are advertising the new IP address from, on firewalls in a failover cluster you would use the Reth address i.e. reth0.0
[edit]
root@FW-02# set security address-book global address WEB-SERVER 192.168.1.10/32
[/box]
3. Allow traffic OUT from the web server. Here I’m letting out all ports, if you wanted just web traffic then use the keyword junos-http (TCP Port 80 (http)).
[box]
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match source-address WEB-SERVER
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match destination-address any
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match application any
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT then permit
[/box]
4. Then allow traffic IN to the web server, (here I’m locking it down to just http).
[box] [edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match source-address any
[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match destination-address WEB-SERVER
[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match application junos-http
[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN then permit
Juniper Allowing Traffic To Custom Ports And Applications
1. Although Juniper have a lot of built in ‘applications’ you can allow, what if you want to create your own? Below I’ll create a custom application for Remote Desktop Protocol (TCP port 3389).
[box] [edit]
root@FW-A# set applications application APP-RDP protocol tcp
[edit]
root@FW-A# set applications application APP-RDP destination-port 3389
[/box]
2. You could now use this application in your security policies e.g.
I had to set this up for a client this week, I’ve setup a DMZ on a 5505 before and I’ve setup other VLANs to do other jobs, e.g. visitor Internet access. But this client needed a secondary VLAN setting up for IP Phones. In addition I needed to route traffic between both the internal VLANs.
I did an internet search and tried to find some configs I could reverse engineer, the few I found were old (Pre version 8.3) ones and the little info I got were more people in forums asking why theirs did not work. So I built a firewall with 8.2 code, then worked out how to do it, then upgraded the firewall to version 9.1. Finally I picked out the relevant parts of the upgraded config.
Here’s the scenario I’m going to use for this example.
Solution
Before we start, yes I know the ASA is a firewall not a router! A better solution would be to have either a router behind the firewall or, (as is more common) a switch that is layer 3 capable, i.e it can route.
The commands you use will be different if your firewall is running an operating system earlier than 8.3, check your ASA version and proceed to the correct set of commands.
For Firewalls running an Operating System OLDER than 8.3 go here
How to Setup VLAN Routing on an ASA 5505 (Version 8.3 and Newer)
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#
[/box]
2. As in the diagram (above) I have three VLANs, VLAN 0 is outside and will be connected to Ethernet 0/0. VLAN 1 is inside and will be connected to Ethernet 0/1. VLAN 112 is for my phones and will be connected to Ethernet 0/2. Here I setup the IP addresses, and add the VLANs to the physical interfaces.
Note: I don’t need to Add VLAN 1 to Ethernet 0/1, because all ports are in VLAN 1 by default.
4. Turn on ‘Hair Pinning’ (the ability to route traffic back out of the same interface it came in through) and allow traffic to pass between interfaces.
5. Out of the box, if you have not configured any access-lists then you can skip this step, as traffic will flow from a more secure interface (the inside and the phone one) to a less secure interface (the outside one). Here I’m going to use an ACL and allow all traffic anyway.
[box]
Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112
[/box]
6. Now setup ‘dynamic’ NAT so that all traffic leaving both the inside VLAN and the Phone VLAN network get NATTED to the public IP address.
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#
[/box]
2. 2. As in the diagram (above) I have three VLANs, VLAN 0 is outside and will be connected to Ethernet 0/0. VLAN 1 is inside and will be connected to Ethernet 0/1. VLAN 112 is for my phones and will be connected to Ethernet 0/2. Here I setup the IP addresses, and add the VLANs to the physical interfaces.
Note: I don’t need to Add VLAN 1 to Ethernet 0/1 because all ports are in VLAN 1 by default.
4. Turn on ‘Hair Pinning’ (the ability to route traffic back out of the same interface it came in through). and allow traffic to pass between interfaces.
5. Out of the box, if you have not configured any access-lists then you can skip this step, as traffic will flow from a more secure interface (the inside and the phone one) to a less secure interface (the outside one). Here I’m going to use an ACL and allow all traffic anyway.
[box]
Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112
[/box]
6. Enable NAT so that all traffic leaving both the inside VLAN and the Phone VLAN network get NATTED to the public IP address.
“Hello Pete
I have asked our ISP to give us two additional real IP addresses so that we can progress the following two projects:
Microsoft DirectAccess
Publishing documents to a web server from our internal DMS.
{ISP Name} have come back and said that they don’t have the next available numbers in our current IP address range, but they do have two other numbers we could have from another range.
Would that cause any problems with regard to the firewall configuration etc.”
I’ve been asked similar questions before and my answer was always, “No let’s get a bigger range and re-ip the public side of the network”. But I was sat next to my usual font of all routing knowledge Steve, so I asked him what he thought. “It will just work, just NAT the traffic on the ASA, and as long as the ISP has set the routing up properly, the ASA will just proxy-arp the new public IP. We’ve done that for a few clients”.
I’ve not done this before, so before I put my neck on the block, I decided to build it in GNS3 to prove the concept.
Solution
1. I’ve already got a few basic Labs built for testing, here is the one I will use for this.
Note the ‘Host’ is really a router (this will become apparent later on). The ASA has a ‘public’ range of 11.11.11.1/29 this gives me 8 IP addresses (6 usable). Let’s assume we have exhausted all of those. and my ISP has given me 111.111.111.0/24 (generous eh!). I want to allocate 111.111.111.111 publicly to my host, (because I have OCD and it looks nice).
When I’ve finished I will test that it has worked by opening a TELNET session to my host from its outside IP 111.111.111.111.
2. Lets make sure that the host can get to the Internet, and then on the ASA observe what public IP address it’s getting.
[box] On the ‘Host’ Router
InsideHost#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/164/568 ms
InsideHost#
Observe the results on the ASA
Petes-ASA(config)# show xlate
1 in use, 1 most used
Flags: D – DNS, i – dynamic, r – portmap, s – static, I – identity, T – twice
ICMP PAT from inside:192.168.1.10/0 to outside:11.11.11.6/41745 flags ri idle 0:00:05 timeout 0:00:30
[/box]
3. Connect to the ASA > Allow telnet traffic to the host > Setup a One-to-One static NAT translation to the new public IP.
5. At this point in a live environment you are reliant on your ISP to route those IP addresses to you. Here I’m going to achieve the same by adding a route on the ISP Router, and then (so I can connect to host), putting a static route on my laptop.
6. Now let’s clear the ‘translations’ on the ASA, and repeat the test we did earlier, hopefully the public IP of our internal host should have changed.
[box] On the ASA
Petes-ASA(config)# clear xlate
On the ‘Host’ Router
InsideHost#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/164/568 ms
InsideHost#
Observe the results on the ASA
Petes-ASA(config)# show xlate
1 in use, 1 most used
Flags: D – DNS, i – dynamic, r – portmap, s – static, I – identity, T – twice
NAT from inside:192.168.1.10 to outside:111.111.111.111
flags s idle 0:00:46 timeout 0:00:00
Petes-ASA(config)#
[/box]
7. Let’s make sure that the correct IP address is being seen, to do that I setup Wireshark to sniff the traffic on the ISP Routers 11.11.11.1 interface.
8. Then if I ping 4.2.2.2 from the internal host, and view the traffic capture, I should see the traffic coming from 111.111.111.111 (NOT 11.11.11.6).
9. Finally I should now be able to telnet from my laptop to the new public IP.
Related Articles, References, Credits, or External Links
I see this question get asked a lot on forums, most people never touch the firewall, ‘if it’s working leave it alone’. And that’s great until you move offices, or get a newer faster (or cheaper) Internet connection.
What if you have lots of public IP addresses? What if you have VPN’s (or AnyConnect clients). What’s the best way to do this with a minimum of downtime?
Note: If you get your all your outside IP details via DHCP, and no one speaks you you from outside (i.e. The ISP always reserves and issues the same IP details to you because you have a mail server or have VPN connections etc). Then you can probably simply plug into the new Router/Modem/Socket and reboot the ASA.
Solution
Time spent on reconnaissance is seldom wasted.
OK lets not run to the comms rack with a laptop and get stuck into the problem, get all your ducks in a row first.
1. Your Current Internet Connection: I know you’re going to turn this off, but if there’s a problem and everything ‘goes to hell in a hand cart’, you might need to connect back to this one in a hurry, (best not to look like a clown because you deleted all those settings and don’t know what they are). As a bare minimum have the following;
IP Address(s) allocated to you from the ISP. (Including the subnet mask and IP of their router if applicable).
Username and Passwords for your Internet Connection (if applicable i.e. for ADSL, PPPoE etc).
The details, of any public DNS records that point to you i.e. The MX records for your email, or URLs for any web services you host etc. If you have a web portal for managing this make sure you can log in. Or if your ISP handles this, get the information on how you can change your host records to point to the new IP address, (i.e. a fax on company headed notepaper, or a call to your account manager etc).
Then ring the old ISP make sure you can log a technical call without having to give them a password, (that everyone’s forgotten), or the only person who they will talk to left the company five years ago. (Get the feeling I’ve done this a lot!)
2. Your New Internet Connection: See everything you did above? get all the same information for the new ISP.
3. Backup: You are only ever as good as your last backup, make sure the ASA is backed up before you start, and backup to TFTP, or via the ASDMNOT by copy pasting the config into Notepad (this tends to hide shared secrets etc).
4. Test The New Internet Connection: I’ve had many a call from a colleague, that they can’t get an ASA working through a new Internet connection. And when I tell then to turn off the ASA and plug their Laptop into the Router/Modem/Socket guess what? Yes, the connection that the salesmen at the ISP said was live, really isn’t!
Warning: Sometimes you find that if you have used the public IP your ISP gave you on your laptop, that when you plug in the ASA it won’t work, (this happens because the router ‘caches’ the MAC address of the Laptop, and get confused when the ASA uses the same IP). So if possible use a different IP for testing, (if you have more than one IP). Or turn the ISP equipment off for a while after testing.
5. Who talks to you? What speaks to the ASA from outside? Do you have a web server, email server, FTP server, public facing service. Do have other offices that connect to you via VPN? Do you have remote workers that connect via VPN/AnyConnect?
5a. What Other Public IP’s Do You Use? You may have covered this in point 5 but now I’m talking about the public IP addresses that are in use but NOT assigned to the outside interface. Typically these are used in what we call static NAT.
If you have other sites with VPNs to you, they will need changing to point to the new public IP address.
Now you’ve read all the above, you have a better appreciation of what you might break, and how much downtime to expect. The outside interface of the ASA is exactly the same as any network connection it needs an IP address, a subnet mask, and a default route (same as default gateway for you Windows types).
Again never assume the outside interface is called ‘outside’, I’ve seen all sorts of naming outside, Outside, Public, WAN etc. You already know the public IP so let’s see what the interface name that’s using it is;
Petes-ASA> enable
Password: ********
Petes-ASA# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0 outside 91.91.91.1 255.255.255.248 CONFIG
GigabitEthernet1 inside 192.168.1.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0 outside 91.91.91.1 255.255.255.248 CONFIG
GigabitEthernet1 inside 192.168.1.1 255.255.255.0 CONFIG
Petes-ASA#
Or on an ASA 5505
Password: ********
Petes-ASA# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.1.1 255.255.255.0 CONFIG
Vlan2 outside 91.91.91.1 255.255.252.248 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.1.1 255.255.255.0 CONFIG
Vlan2 outside 91.91.91.1 255.255.252.248 CONFIG
Petes-ASA#
Notice: On smaller ASA's the IP address is allocated to a VLAN, on larger ones the IP
is allocated to a physical interface. Also the 'Method' says 'CONFIG', if it said DHCP
then you are getting these settings dynamically from your ISP.
Now we know out interface name and where the IP address and the subnet mask are. Now we need to locate the default route for the ‘outside’ interface, (or whatever yours is called).
ASA-1# show run route
route outside 0.0.0.0 0.0.0.0 91.91.91.2 1
ASA-1#
Or to get the same information from the routing table;
Petes-ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.2.2.10 to network 0.0.0.0
C 91.91.91.0 255.255.255.248 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 91.91.91.2 outside
Petes-ASA#
Now you know the interface name, you know know its physical name, (GigabitEthernet0, Vlan 2, etc.) You have all the information you need to change the IP address, subnet mask and default route.
Petes-ASA> enable
Password: *********
Petes-ASA# Configure Terminal
Petes-ASA(config)# int gigabitEthernet 0
Petes-ASA(config-if)# ip address 60.60.60.1 255.255.255.240
Petes-ASA(config-if)# exit
You can only have one 'Default route', so you can't just add the new one, (or it will error)
so you need to remove that route, (by prefixing the command with a 'no'). Then add the new
default route in.
Note: If there's a number at the end of the route command, you can leave that off it's just
a routing metric number.
Petes-ASA(config)# no route outside 0.0.0.0 0.0.0.0 91.91.91.2
Petes-ASA(config)# route outside 0.0.0.0 0.0.0.0 60.60.60.2
In the ASDM you go to the same sections you did above, select the interface or route, click edit, then make the change. Note if you are going to use PPPoE read the following article.
Before we look at anything else we need to make sure the ASA has connectivity to the Internet, and THE ASA can ping a public ip address (Note: I said the ASA, not something on your network). I usually ping 8.8.8.8 (Google DNS server) because it always responds.
[box]
User Access Verification
Password: *******
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms
Petes-ASA#
[/box]
If this fails, ensure you can ping your ISP router (default route IP) this should be pretty easy to troubleshoot with the assistance of the ISP.
Once the ASA can connect to the Internet make sure your internal clients can, remember if you are going to use ping to test connectivity though the firewall you need to have ICMP inspection setup see the following article;
If you are performing ‘port forwarding‘ from the outside interface, i.e. taking all SMTP (TCP Port 25) traffic and forwarding it to an internal host, then the firewall should require no further configuration as that should be done from the interface nameNOT the old public IP address.
You can quickly setup port forwarding if it’s stopped by reading the following article;
If you have public IP addresses statically mapped to public IP addresses from your old ISP range then these will need to be changed. here you can see Ive got a static NAT for an internal server;
To do the same in the ASDM, is a little more convoluted you need to check every NAT rule and see if you have one thats type is ‘static’ and has an IP address from your old ISP range, then you can change it accordingly.
Cisco ASA – Migrating VPN’s Post IP Address Change
Site to Site VPN
If you have site to site (IPSEC) VPN’s then these will have gone down when the public IP address changed. If the device at the other end is a Cisco ASA/PIX then follow the advice in the following article;
For remote workers using the older IPSECVPN client, you will need to send them a new PCF file to import into their VPN client with the new IP address in it, (unless they are pointing at your public DNS name, then you simply need to change the IP address that the DNS name points to). PCF files are explained in the following article;
As above if your AnyConnect clients connect directly to a public name like vpn.yourbusiness.com then just change that record to point to the new public IP address. Just be aware if you have set the AnyConnect profile to point to your old IP address, then your remote clients will automatically break themselves every-time they connect and download the profile, change it to the new IP address, or even better a public name/URL.
Dont Forget: Save any changes you have made to the firewall either with a ‘write mem‘ command, or File > Save running configuration to flash, if you’re in the ASDM.
I think I’ve got most stuff covered, if I’ve missed something that’s caused you problems let me know, and I will update this article accordingly (contact link below).
Related Articles, References, Credits, or External Links