Create NAT rule and security policies for port 443/80 on a Cisco ASA 5510


Solution 1

Since this is your first time with a firewall, I am including some extra configuration that will help you with learning about and debugging ASA configuration.

interface FastEthernet 0/0
    nameif outside
    security-level 0
    ip address <outside_ip_firewall> <outside netmask>
interface FastEthernet 0/1
    nameif inside
    security-level 100
    ip address <inside_ip_firewall> <inside netmask>

access-list allow_everything permit tcp any any
access-list allow_everything permit udp any any
access-list allow_everything permit icmp any any
access-group allow_everything in interface inside
access-group allow_everything out interface inside
access-group allow_everything in interface outside
access-group allow_everything out interface outside

route inside 10.0.0.0 255.0.0.0 <inside_gateway>
route inside 172.16.0.0 255.240.0.0 <inside_gateway>
route inside 192.168.0.0 255.255.0.0 <inside_gateway>
route outside 0.0.0.0 0.0.0.0 <outside_gateway>

telnet 10.0.0.0 255.0.0.0 inside
telnet 172.16.0.0 255.240.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside

You can add logging to help you with debugging using

logging enable
logging timestamp
logging permit-hostdown
logging host inside <syslog server ip> udp/514
logging trap notifications
logging console 3
logging from-address asa@<your-domain>
logging mail 3
logging recipient-address <your email id> level errors
smtp-server <smtp server 1 ip> <smtp server 2 ip>

The syslog server should listen on UDP port 514 for syslog messages from the firewall. These are helpful for debugging problems while experimenting with the firewall before it is deployed to production.

This is an extremely insecure configuration of the firewall, as telnet is enabled, and that too from all inside IPs. Also, everything is being allowed. The idea is to help you test the NAT configuration without worrying about ACLs.

Now to forward connections to port 80 for outside interface of ASA to some server use

static (inside,outside) tcp interface 80 <inside server ip> 80 netmask 255.255.255.255 tcp 1000 100 udp 100

Similarly for 443 use

static (inside,outside) tcp interface 443 <inside server ip> 443 netmask 255.255.255.255 tcp 1000 100 udp 100

Once you are comfortable with NAT, go for having inside, outside and DMZ and configure restrictive ACL to allow only relevant traffic.

There are also other types of NAT / PAT you can configure in ASA.
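The following is an added example, not part of the answer above: a tightened version of the same pre-8.3 configuration, with the permit-everything ACL and telnet replaced by an outside ACL that admits only 80/443 and SSH management from the inside. All addresses are placeholders (RFC 5737 / RFC 1918): outside interface 203.0.113.10, inside interface 192.168.10.1, web server 192.168.10.50. The point to notice is that on ASA code before 8.3 the outside ACL must match the mapped (public) address, not the server's inside address.

```cisco
! Added example, not from the original answer. Pre-8.3 syntax (static / access-list).
! Placeholders: outside 203.0.113.10/24, inside 192.168.10.1/24, web server 192.168.10.50
!
! --- 1. Management: SSH v2 from the inside subnet only, telnet removed ---
hostname asa5510
domain-name example.com
crypto key generate rsa modulus 2048
ssh 192.168.10.0 255.255.255.0 inside
ssh version 2
no telnet 10.0.0.0 255.0.0.0 inside
no telnet 172.16.0.0 255.240.0.0 inside
no telnet 192.168.0.0 255.255.0.0 inside
!
! --- 2. Static PAT: ports 80 and 443 of the outside interface IP go to the web server ---
!     "tcp 1000 100" caps total and half-open (embryonic) connections per translation,
!     which limits the damage a SYN flood against the forwarded port can do.
static (inside,outside) tcp interface 80  192.168.10.50 80  netmask 255.255.255.255 tcp 1000 100
static (inside,outside) tcp interface 443 192.168.10.50 443 netmask 255.255.255.255 tcp 1000 100
!
! --- 3. Outside ACL: pre-8.3 matches the MAPPED address (203.0.113.10), not 192.168.10.50 ---
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq https
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! --- 4. Retire the learning-phase allow_everything ACL once the rules above work ---
no access-group allow_everything in interface inside
no access-group allow_everything out interface inside
no access-group allow_everything out interface outside
clear configure access-list allow_everything
!
! --- 5. Verify without needing an external client ---
show xlate
show access-list outside_access_in
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
packet-tracer input outside tcp 198.51.100.7 40001 203.0.113.10 443
```

`packet-tracer` simulates a packet arriving on the outside interface and reports each phase (ACL, NAT, route) with the result, so a wrong ACL destination shows up as a drop in the ACCESS-LIST phase before you touch a browser. The `static` lines above omit the `udp 100` limit of the original because only TCP is being forwarded.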

Solution 2

It looks like this hasn't been responded to in a while, but I'll try and explain what we have on our 5510.

First, I've heard there are problems that crop up if you only have one external/public IP address. You have to do some extra configuration and I'm not sure what that is. I'll assume you have at least two and one of them is the firewall's external IP. We'll use an available one below.

In ASDM, go Configuration -> Firewall -> NAT Rules

Click Add -> Add Static NAT Rule

  • Original -> Interface: inside
  • Original -> Source: [internal IP address]
  • Translated -> Interface: outside
  • Translated -> Use IP Address: [unused public IP address]
  • Port Address Translation -> Enable Port Address Translation
  • Port Address Translation -> Protocol: TCP
  • Port Address Translation -> Original Port: http
  • Port Address Translation -> Translated Port: http

Click OK. You can add another rule for https/443 once you're sure http/80 is working.

Next is a part that got me mixed up when I first got my 5510 so make sure you know which things to put where.

Go to Access Rules (ASDM -> Configuration -> Firewall -> Access Rules)

Add -> Add Access Rule

  • Interface: outside (not inside)
  • Action: Permit
  • Source: any
  • Destination: [the same public IP address from above] (not the internal IP)
  • Service: tcp/http, tcp/https

Click OK

That should be it. I believe the idea is you allow security access to the external/public IP, then NAT does the translation if the security rule permits.

Solution 3

Using the web interface (ASDM):

1. Add a Static NAT Rule. Go to Configuration -> NAT. Click Add then "Add Static NAT rule". Put in your internal IP information under Real Address, and your external IP information under Static Translation. Check off "Enable PAT" and put in 80 (or 443).

2. Modify the Security Policy to Allow Traffic. Go to Configuration -> Security Policy. Click Add and create a rule that permits incoming traffic from the outside interface (source any) to the internal IP address (specifying the port).
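As an added example that is not part of the answers above: the CLI that ASDM generates for the same static PAT on ASA 8.3 and later, which a 5510 can run with the memory upgrade that release requires. From 8.3 on, `static` was replaced by object NAT, and the access rule references the real (inside) address of the server rather than the public one, which is why the two ASDM-based answers above name different destinations for the access rule. Addresses are placeholders: inside web server 192.168.10.50, spare public IP 203.0.113.20.

```cisco
! Added example, not from the original answers. ASA 8.3+ object NAT syntax.
! Placeholders: web server 192.168.10.50, spare public IP 203.0.113.20
!
! One network object per forwarded service (an object carries a single nat statement).
object network web-server-http
 host 192.168.10.50
 nat (inside,outside) static 203.0.113.20 service tcp www www
!
object network web-server-https
 host 192.168.10.50
 nat (inside,outside) static 203.0.113.20 service tcp https https
!
! 8.3+: the outside ACL is evaluated AFTER un-NAT, so it names the REAL address.
access-list outside_access_in extended permit tcp any host 192.168.10.50 eq www
access-list outside_access_in extended permit tcp any host 192.168.10.50 eq https
access-group outside_access_in in interface outside
!
! Verify: NAT hit counters and a simulated inbound packet to the public address
show nat detail
show xlate
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 443
```

If only one public address is available, replace `203.0.113.20` with the keyword `interface` in both `nat` statements (`nat (inside,outside) static interface service tcp www www`) to forward those two ports of the outside interface's own IP; the ACL stays unchanged because it already references the inside address.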


Author: splattne

Updated on September 17, 2022

Comments

  • splattne
    splattne over 1 year

    I've been trying to set up NAT and give access to a public IP address to my local network, I just can't get it to work. It's my first time using a Cisco firewall.

    Thanks for your help!

  • Admin
    Admin almost 15 years
    I get this: access denied by access_group "outside_access_in"