Versions Compared

Old Version 12

changes.mady.by.user Adam Melong

Saved on

compared with

New Version Current

changes.mady.by.user Adam Melong

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

Note that the Host is the Server INTERNAL IP. When the Layer 4 is triggered, it will then verify against the access list of the translation. Put simply, by defining the host in the nat object translation, it uses that field as a type of "Private key" that links to the next step in the translation process.Opinion: Waste of resources, processing, and mind you logical, absolutely redundant and insecure and exploitable. The access list should be processed first to even figure out if the firewall should process. Once the access list allows, the port translation can continue the process and route accordingly. As of this method, it seems to trigger via NAT (meaning processing the internal IP to outside), and then processing the ACL to allow. Just me? I don't know. I prefer

8.2 and

...

8.2 and Below

  1. Create Server Objects to Translate (Layer 4 Translation)

    Code Block
    object-group service SERVER_Services tcp
 port-object eq 3389
 port-object range 6100 6199
 port-object eq ident
object-group service NETWORK_SERVICES tcp
 group-object SERVER_Services
 group-object SERVER2_Services
 group-object SERVER3_Services
access-list outside_access_in extended permit tcp any host OUTSIDE_IP object-group NETWORK_SERVICES

  2. Create Access List to allow Services to Server (Layer 3 Translation)

    Code Block
    static (inside,outside) tcp interface ident SERVER ident netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 SERVER 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 6103 SERVER 6103 netmask 255.255.255.255 
static (inside,outside) tcp interface 80 SERVER2 80 netmask 255.255.255.255

...

Code Block
ciscoasa# config t
ciscoasa(config)# group-policy POLICY attributes
ciscoasa(config-group-policy)# split-dns value internal.local extenralexternal.com

Troubleshooting

debug ISAKMP SA negotiations

...

Code Block
hostname(config)# copy running-config startup-config

Adding Self Signed Certificates

Via GUI

  1. Open the ASDM and Navigate to the Configuration Button>Click Remote Access VPN (At the bottom)>Drop down Certificate Management>Click Identify Certificates 
    1. Image Added
  2. In the right Pane, click on the Add Button 
    1. Image Added
  3. Name the certificate, Check the "Add a new identity certificate" radial, Add check marks 
    1. Image Added
  4. Afterwards, Navigate to Device Management>Advanced>SSL Settings 
    1. Image Added
  5. From here, remove any Active Algorithms that you do not want, choose the outside interface that you will access the VPN through and click Edit, choose the self-signed certificate in the drop down list for Primary Enrolled Certificate and click OK
    1. Image Added
  6. Apply & Save