Cisco ASA 5505

dlp

I had a Watchguard firewall die on me at my small business and I have a Cisco ASA 5505 lying around, so I'm trying to get it configured to at least restore my network.

I have 5 usable public static IP addresses, but only using 3 of them. On the Watchguard I would configure my External Interface with 1 of the addresses, then for the remaining 2 I would just have aliases for them. I'm not sure if I can do that with this firewall?

The static addresses besides the external address are for my web server & Exchange server. I want to assign the www address to the internal web server IP & the same for the Exchange server.

Can anyone help? Thanks!
 
Cisco works rather differently compared to a lot of other firewalls. In the Cisco realm, you need to make sure Proxy-ARP is enabled on the WAN interface, and then just create a NAT rule for the public IP to the intended internal IP. The ASA will automatically pick it up as an IP it will respond as since it has a NAT rule present. It does this via proxy-arp instead of interface bindings.
 
Thanks for the reply! A couple of questions, if you don't mind.

1. How can I tell if Proxy-ARP is enabled or not?
2. I've tried setting up NAT from external to internal server, but I'm seeing some errors, e.g. for the Exchange server I used:

static (inside,outside) External IP Address Internal IP Address
Then:
access-list OUTSIDE_IN extended permit tcp any host External IP address eq 25

Would the above be correct to route mail internally?

Thanks!
 
If proxy ARP is disabled you will see the command 'no proxy arp' in the interface config.

Also, for the firewall rule, use the inside address. The firewall will apply NAT rules first, then check the access lists.
 
This doesn't use Proxy-ARP, but this is how I would do it with one to one NAT:

Code:
object network exchange_int
 host x.x.x.x

object network exchange_ext
 host x.x.x.x

access-list _outside_in extended permit tcp any host [EXCHANGE INSIDE ADDRESS] eq 25

nat (_inside,_outside) source static exchange_int exchange_ext

access-group _outside_in in interface _outside

I think you will need additional rules other than for port 25, no? Also make sure your NAT rules are in the proper order.
 
Thanks for the help guys!!! I got the ASA 5505 up and running on the network except for one thing and I'm not sure how to do it with this Cisco router.

In my internal network I have a Barracuda Spam Firewall & my internal Exchange Server.

I need my external mail IP to go to internal Barracuda Spam firewall port 25, then I need external mail IP to also go to my internal exchange on port 443, so people can connect to exchange via OWA.

On my old Watchguard firewall I was able to do this in policy manager, but when I try to add the static NAT rule on the ASA, I get an error that says:

"This operation will modify the static NAT rule. The modified static NAT rule cannot be configured."

So, does anyone know how I can accomplish this on the ASA 5505? Thanks again for your help!
 
Two ways to do this, I guess. One is to use another public IP and then modify DNS records:

Point the MX record to the external IP of the Spam firewall

Point the A (or CNAME) record to the external IP of exchange.

You would need an additional NAT rule and definitions for the second IP.

The second way would be to use the "service" modifier on the NAT rule along with defining a second network object that points at the same IP. I've never done this in production, so this is just my guess on how it would work. Note that you will have to remove the 1:1 NAT rule you may have created previously. Also note that configuration may vary based on what version of ASA FW you are running. I believe that there are big differences between 8.x and 9.x - the example below should work in ASA 9.x

Code:
object network exchange_int
 ! host = Exchange inside IP
 host x.x.x.x
 ! mapped address = the outside (public) IP; only TCP 443 is translated to this host
 nat (_inside,_outside) static x.x.x.x service tcp 443 443

object network barracuda_int
 ! host = Barracuda inside IP
 host x.x.x.x
 ! mapped address = the SAME outside (public) IP; only TCP 25 is translated to this host
 nat (_inside,_outside) static x.x.x.x service tcp 25 25

access-list _outside_in extended permit tcp any host [Barracuda INSIDE ADDRESS] eq 25
access-list _outside_in extended permit tcp any host [Exchange INSIDE ADDRESS] eq 443

access-group _outside_in in interface _outside
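To make the two points from the replies concrete (on ASA 8.3+ the inbound packet is untranslated by NAT first and the outside ACL is then matched on the inside address, and one public IP can be split by service port between the Barracuda and Exchange), here is an added Python model; it is not from the thread, and the 10.0.0.x / 203.0.113.5 addresses and the rule names are constructed placeholders.

```python
# Added example (not from the thread): model of ASA 8.3+ inbound evaluation.
# Step 1: object NAT untranslates the mapped (public) IP/port to the real host.
# Step 2: the outside-in ACL is matched against the REAL (inside) address.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class ObjectNat:
    name: str            # "object network" name
    real_ip: str         # inside host
    mapped_ip: str       # public IP
    proto: str = "any"   # "any" = plain one-to-one NAT
    port: Optional[int] = None   # None = all ports; else "service tcp N N"

@dataclass(frozen=True)
class Ace:
    proto: str
    dst_ip: str     # inside address, as the reply recommends for 8.3+
    dst_port: int

# Constructed placeholders: both objects share ONE public IP, split by port.
NAT_RULES = [
    ObjectNat("exchange_int", "10.0.0.10", "203.0.113.5", "tcp", 443),
    ObjectNat("barracuda_int", "10.0.0.20", "203.0.113.5", "tcp", 25),
]
OUTSIDE_IN = [Ace("tcp", "10.0.0.20", 25), Ace("tcp", "10.0.0.10", 443)]

def untranslate(dst_ip: str, proto: str, dst_port: int, rules=NAT_RULES) -> Optional[str]:
    """Return the real inside IP for a packet to mapped dst_ip:dst_port, or None."""
    for r in rules:
        if r.mapped_ip == dst_ip and r.proto in ("any", proto) and r.port in (None, dst_port):
            return r.real_ip
    return None   # no NAT match: the ASA does not answer for this IP/port at all

def inbound_allowed(dst_ip: str, proto: str, dst_port: int,
                    rules=NAT_RULES, acl=OUTSIDE_IN) -> Tuple[Optional[str], bool]:
    """(real inside IP or None, whether the ACL permits it after untranslation)."""
    real = untranslate(dst_ip, proto, dst_port, rules)
    if real is None:
        return (None, False)
    permitted = any(a.proto == proto and a.dst_ip == real and a.dst_port == dst_port
                    for a in acl)
    return (real, permitted)
```

Calling `inbound_allowed("203.0.113.5", "tcp", 25)` lands on the Barracuda and port 443 on Exchange, while an ACL written against the public IP never matches because the destination has already been untranslated.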
 