RE: Cisco ASA question
Remember, even with the egress filtering you are looking to do outbound, it could be an internal compromised host or account that is using your legitimate email servers to send the email out, but I would drop and log all other traffic from trust to untrust on port 25 and eliminate the hosts.

Z

Edward E. Ziots, CISSP, Security+, Network+
Security Engineer
Lifespan Organization
ezi...@lifespan.org

> From: Tom Miller [mailto:tmil...@sfgtrust.com]
> Sent: Tuesday, January 08, 2013 10:54 AM
> To: NT System Admin Issues
> Subject: Cisco ASA question
>
> Hi Folks,
>
> At a new job here. I have a few Cisco ASA. One of them, an ASA 5510, seems to be not very strict on outbound rules. I'm new to ASA (came from the Fortinet world), so any advice on setting up outbound rules? In particular we've been on Spamhaus and I think there is an internal machine sending out SMTP messages. Short term solution would be to restrict outbound SMTP to our mail servers only.
>
> On the ASA | Configuration | Access Rules, I created an inside -> outside rule. Traffic from mail server out, smtp, permit. Other rule has traffic as deny. This does not seem correct, even me being new to ASA.
>
> Suggestions appreciated,
> Tom

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: Cisco ASA question
Great, thanks. I did that at my last gig. I'm amazed at the config but am working to tighten things. New to ASA so it's a little slow going.

Apologies for my ignorance here. Under access rules, I see Outside, and those rules are limited and seem correct. Then I see Inside (incoming) with a few rules, and another Inside (outgoing) with a few rules. What's the difference?

> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Tuesday, January 08, 2013 11:00 AM
> To: NT System Admin Issues
> Subject: RE: Cisco ASA question
>
> > Short term solution would be to restrict outbound SMTP to our mail servers only.
>
> I think all networks should do that all the time. We do, as do most other folks that I know.
>
> Basically you should see, in order:
>
> Inside to outside: allow smtp from your mail server.
> Inside to outside: deny smtp from any.
>
> Cisco reads them in order and stops on the first matching rule. So in the above your email server would get an allow. A desktop would not qualify on that first rule, so it would move to the second rule and get denied.
>
> So if I am reading your description right, I think your rules are ok. Send us the rules in order if you want. Feel free to mask the IP addresses if you want.
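The following is an added example, not code from the thread or from Cisco: it models the first-match rule walk Jim describes for the outbound SMTP rules and then tallies constructed ASA deny syslog lines (the "drop and log" Ed suggests) to surface the internal hosts that were trying to send mail directly. All addresses, the third catch-all permit rule, and the log lines are constructed; the ACL name and the %ASA-4-106023 message shape follow the ASA's standard syslog format.

```python
"""First-match evaluation of an inside-to-outside ASA ACL, plus a parser for
ASA 106023 deny messages that counts denied outbound SMTP attempts per host."""
import ipaddress
import re
from collections import Counter

SMTP_PORT = 25
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
MAIL_SERVER = ipaddress.ip_network("10.0.0.25/32")   # hypothetical mail server

# Rules in the order the ASA walks them.  A port of None means "any port".
# The thread only discusses the two SMTP rules; the third permit stands in for
# whatever else the inside ACL allows out (web, DNS, ...).  The ASA's implicit
# "deny ip any any" is not listed: evaluate() applies it when nothing matches.
OUTBOUND_RULES = [
    ("permit", MAIL_SERVER, SMTP_PORT),   # mail server may speak SMTP outbound
    ("deny",   ANY_NET,     SMTP_PORT),   # nobody else may
    ("permit", ANY_NET,     None),        # remaining outbound traffic
]


def evaluate(rules, src_ip, dst_port):
    """First matching rule wins; the implicit deny catches everything else."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port in rules:
        if src in net and (port is None or port == dst_port):
            return action
    return "deny"   # implicit deny ip any any


# Constructed %ASA-4-106023 lines, the message the ASA logs for a packet that an
# access-group drops.  Real logs carry a timestamp and host prefix in front.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:10.0.1.37/51234 dst outside:198.51.100.7/25 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.0.1.37/51235 dst outside:198.51.100.8/25 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.0.1.80/40022 dst outside:203.0.113.5/25 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.0.1.37/51236 dst outside:198.51.100.9/25 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:192.0.2.44/3333 dst inside:10.0.0.25/25 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.1.37/51300 (192.0.2.10/51300)
""".splitlines()

DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def direct_smtp_senders(lines, inside_if="inside"):
    """Count, per internal source address, the denied attempts to reach port 25
    outbound.  Every address that shows up is a host to go and look at (or the
    mail server itself, if its permit rule is missing or ordered after the deny)."""
    hits = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        if m.group("sif") == inside_if and int(m.group("dport")) == SMTP_PORT:
            hits[m.group("sip")] += 1
    return hits


if __name__ == "__main__":
    for src, port in (("10.0.0.25", 25), ("10.0.1.37", 25), ("10.0.1.37", 443)):
        print(f"{src} -> :{port}  {evaluate(OUTBOUND_RULES, src, port)}")
    # Same rules with the deny placed first: the mail server is now blocked too.
    misordered = [OUTBOUND_RULES[1], OUTBOUND_RULES[0], OUTBOUND_RULES[2]]
    print("misordered, mail server ->", evaluate(misordered, "10.0.0.25", 25))
    for host, n in direct_smtp_senders(SAMPLE_LOG).most_common():
        print(f"{host}: {n} denied SMTP attempts")
```

Feeding real syslog from the ASA into `direct_smtp_senders` gives the host list Ed's "eliminate the hosts" step needs.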
Re: Cisco ASA question
Looks right to me, both in sequence and content [1].

- You're allowing SMTP from specific host(s). Correct. Not so much a 'best practice' ptooey as a must-do.
- Next, you're denying SMTP from anything else. Also correct.
- Implied, but must exist, is the Deny Any Any at the end. You'd be surprised how many people forget that.

An aside: this is a great forum with an abundance of expertise in many areas. That said, a Google search on Cisco Forums / Cisco Community / Cisco support forum will give you a much more focused target audience. Not that you won't get great answers here, as you will.

Pat

[1] CCNP. Also, full disclosure and disclaimer: I am an employee of Cisco Systems. Opinions expressed, however, are mine alone and not that of Cisco.

On Tue, Jan 8, 2013 at 10:54 AM, Tom Miller tmil...@sfgtrust.com wrote:
> On the ASA | Configuration | Access Rules, I created an inside -> outside rule. Traffic from mail server out, smtp, permit. Other rule has traffic as deny. This does not seem correct, even me being new to ASA.
Re: Cisco ASA question
*and* I'd recommend checking SMTP relay on the internal mail server. Is it allowing internal systems to relay SMTP traffic instead of SMTP direct? Just another loophole that might need to be tightened. In most cases, *if* internal SMTP relay is required, it is usually limited to a specific group of 'authorized' systems and not open to entire internal subnets.

On Tue, Jan 8, 2013 at 11:14 AM, Ziots, Edward ezi...@lifespan.org wrote:
> Remember, even with the egress filtering you are looking to do outbound, it could be an internal compromised host or account that is using your legitimate email servers to send the email out, but I would drop and log all other traffic from trust to untrust on port 25 and eliminate the hosts.
RE: Cisco ASA question
I had the direction incorrect! Thanks for the help, folks. Relay only by exemption on the mail servers, though.

> From: Patrick Salmon [mailto:psal...@gmail.com]
> Sent: Tuesday, January 08, 2013 11:21 AM
> To: NT System Admin Issues
> Subject: Re: Cisco ASA question
>
> Looks right to me, both in sequence and content [1].
Cisco ASA question
Folks,

I have a new job and they use Cisco ASA firewalls here. I'm new to Cisco firewalls so I'm still learning.

Under Remote Access VPN -> AAA/Local User -> AAA Server groups, I have a few Windows 2000 servers that are DCs listed here. Those are going to be retired and I need to point this to 2008 R2 servers. Can anyone tell me which roles/features on a Windows 2008 R2 server I need to install/configure to be used by the ASA?

Thanks,
Tom
RE: Cisco ASA question
Check the Windows 2000 DCs listed; they are likely running IAS. On 2008+ that's Network Policy Server.

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

> From: Tom Miller [mailto:tmil...@sfgtrust.com]
> Sent: Tuesday, November 13, 2012 10:59 AM
> To: NT System Admin Issues
> Subject: Cisco ASA question
>
> Can anyone tell me which roles/features on a Windows 2008 R2 server I need to install/configure to be used by the ASA?
RE: Cisco ASA question
Nothing that I know of, just change the IPs to point to your new DCs. That's all I had to do.

> From: Tom Miller [mailto:tmil...@sfgtrust.com]
> Sent: Tuesday, November 13, 2012 9:59 AM
> To: NT System Admin Issues
> Subject: Cisco ASA question
>
> Can anyone tell me which roles/features on a Windows 2008 R2 server I need to install/configure to be used by the ASA?
RE: Cisco ASA question
Are you using RADIUS or NT Domain?

> From: N Parr [mailto:npar...@mortonind.com]
> Sent: Tuesday, November 13, 2012 11:28 AM
> To: NT System Admin Issues
> Subject: RE: Cisco ASA question
>
> Nothing that I know of, just change the IPs to point to your new DCs. That's all I had to do.
RE: Cisco ASA question
If you're just using it so their AD credentials are being referenced for AnyConnect/etc., it's just a matter of changing the IPs in ASDM ... highlight the AAA server group on the top that contains those old DCs and then add the new ones down below in the 'servers in the selected group' section (presuming you're using NT Domain protocol). They've got a bloody convenient 'test' button out to the right side of that section, to make sure it flies.

> From: Tom Miller [mailto:tmil...@sfgtrust.com]
> Sent: Tuesday, November 13, 2012 10:59 AM
> To: NT System Admin Issues
> Subject: Cisco ASA question
>
> Under Remote Access VPN -> AAA/Local User -> AAA Server groups, I have a few Windows 2000 servers that are DCs listed here. Those are going to be retired and I need to point this to 2008 R2 servers.
RE: Cisco ASA question
Last time I set one of these up it was NPS and another part under that. There was some arcane coding I had to do, but that was more than 3 years ago so maybe Cisco fixed it by now. Sorry, I changed jobs and no longer have ready access to the rules I had set up. I could look thru my old backups and see if I can find it, but Damien is on the right track.

Jon

> From: damien.solo...@harrison.edu
> To: ntsysadmin@lyris.sunbelt-software.com
> Subject: RE: Cisco ASA question
> Date: Tue, 13 Nov 2012 16:14:14 +
>
> Check the Windows 2000 DCs listed; they are likely running IAS. On 2008+ that's Network Policy Server.
RE: Cisco ASA Question/IIS Question
You can use a certificate with the SAN (Subject Alternative Name) field set. IIS has supported both wildcard certs (*.domain.tld in the CN field) and SAN certs (CN=host.domain.tld and SAN set to host.otherdomain.tld) since IIS 6.

You need to use the same cert for all sites sharing the IP address, hence all DNS names need to be in the same domain (wildcard) or you need to define all hosts in the SAN field.

Cheers
Ken

> From: Erik Goldoff [mailto:egold...@gmail.com]
> Sent: Wednesday, 16 June 2010 1:13 AM
> To: NT System Admin Issues
> Subject: Re: Cisco ASA Question/IIS Question
>
> +1 on SSL needs

> On Tue, Jun 15, 2010 at 1:10 PM, Richard Stovall rich...@gmail.com wrote:
>
> The only caveat I can think of is if you ever need to do SSL on more than one of the sites. You'll need different IPs in this case since the host header is encrypted. You can solve the translation problem by adding a second internal IP to the server.

> On Tue, Jun 15, 2010 at 11:42 AM, Kennedy, Jim kennedy...@elyriaschools.org wrote:
>
> Yep, it will work exactly like your internal host header set up.

> From: Chyka, Robert [mailto:bch...@medaille.edu]
> Sent: Tuesday, June 15, 2010 11:41 AM
> To: NT System Admin Issues
> Subject: RE: Cisco ASA Question/IIS Question
>
> Hi Jim,
>
> So I would just need 1 NAT translation on the ASA with port 80 open and 2 entries with our public DNS server with 2 different hostnames pointing to the same public IP, and then the headers will function fine?

> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Tuesday, June 15, 2010 11:38 AM
> To: NT System Admin Issues
> Subject: RE: Cisco ASA Question/IIS Question
>
> That would work. However, I would just use the same IP for both publicly and let the host header take care of it.

> From: Candee Vaglica [mailto:can...@gmail.com]
> Sent: Tuesday, June 15, 2010 11:35 AM
> To: NT System Admin Issues
> Subject: Re: Cisco ASA Question/IIS Question
>
> I *think* you would need a second public IP address. Then you would do a one-to-one with the second public server and the internal website.

> On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert bch...@medaille.edu wrote:
>
> Ok, here's my scenario: I have 2 websites on a Windows Server 2008 box with IIS7. We are using one IP address for both sites using host headers. On our internal AD DNS we have an entry in for both hostnames pointing to the same IP address (A records). For our first site we have a one-to-one NAT translation on our ASA with port 80 open on the ACL.
>
> My question is: How do I do another one-to-one NAT translation with a different public IP address so I can register both sites with our public DNS provider? We want to be able to have 2 different public IPs translated out from the 2 websites.
>
> Thanks for the help and input.
> Bob
Re: Cisco ASA Question/IIS Question
Would a SAN cert serve up different content in the same way you can have multiple sites on the same port and IP using host header names?

On Wed, Jun 16, 2010 at 9:40 AM, Ken Schaefer k...@adopenstatic.com wrote:
> You can use a certificate with the SAN (Subject Alternative Name) field set. IIS has supported both wildcard certs (*.domain.tld in the CN field) and SAN certs (CN=host.domain.tld and SAN set to host.otherdomain.tld) since IIS 6.
>
> You need to use the same cert for all sites sharing the IP address, hence all DNS names need to be in the same domain (wildcard) or you need to define all hosts in the SAN field.
Re: Cisco ASA Question/IIS Question
Your 2 options are:

a) SAN certs
b) Separate IP numbers and SSL certificates

IIS does not yet support TLS SNI (http://en.wikipedia.org/wiki/Server_Name_Indication) and won't until Windows Server 8 (or whatever the next major version will be called) at the earliest.

Downside to SAN certs: each time you add to the list of web sites covered by the certificate you need to buy a new certificate.

On 6/16/2010 8:47 AM, Chyka, Robert wrote:
> So I want to add a SSL cert to both sites. I would look at SAN certs?

--
Phil Brutsche
p...@optimumdata.com
Re: Cisco ASA Question/IIS Question
This has been a very informative thread. The following may be useful when setting things up if you're running IIS 7. There is a link for IIS 6 and Apache as well.

http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

On Wed, Jun 16, 2010 at 11:04 AM, Chyka, Robert bch...@medaille.edu wrote:
> Who do you recommend for SAN certs? I think that is the way I am going to go. Thanks!
>
> -----Original Message-----
> From: Phil Brutsche [mailto:p...@optimumdata.com]
> Sent: Wednesday, June 16, 2010 11:03 AM
> To: NT System Admin Issues
> Subject: Re: Cisco ASA Question/IIS Question
>
> Your 2 options are: a) SAN certs b) Separate IP numbers and SSL certificates
RE: Cisco ASA Question/IIS Question
Yes. The caveat is that all sites on that IP address/port combination need to use the same cert. That way, IIS doesn't need access to the host header first - it just uses the one certificate. After decryption, it can then get access to the HOST header value, and route the request to the appropriate website.

Cheers
Ken

From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Wednesday, 16 June 2010 9:46 PM
To: NT System Admin Issues
Subject: Re: Cisco ASA Question/IIS Question

> Would a SAN cert serve up different content in the same way you can have multiple sites on the same port and IP using host header names?
>
> On Wed, Jun 16, 2010 at 9:40 AM, Ken Schaefer k...@adopenstatic.com wrote:
> > You can use a certificate with SAN (Subject Alternate Name) field set. IIS has supported both wildcard certs (*.domain.tld in the CN field) and SAN certs (CN=host.domain.tld and SAN set to host.otherdomain.tld) since IIS 6.
> >
> > You need to use the same cert for all sites sharing the IP address, hence all DNS names need to be in the same domain (wildcard) or you need to define all hosts in the SAN field.
> >
> > Cheers
> > Ken
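Ken's rule above (one certificate per IP address/port binding, with every site's name covered either by a wildcard in the same domain or by an explicit SAN entry) as an added Python check. This is example code written for this page, not IIS code and not from anyone in the thread; it assumes the usual RFC 6125 wildcard rule (one left-most label only) and uses constructed hostnames.

```python
"""Which host-header sites on one IP:port can a single certificate serve?

Added example for this page, not IIS code and not from the thread. It applies
Ken's rule: every site sharing an IP address/port presents the same cert, so
each site's DNS name must be covered by that cert, either by a wildcard in the
same domain or by an explicit SAN entry. Wildcard matching follows the usual
RFC 6125 rule (one left-most label only). Hostnames are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cert:
    cn: str                                        # Subject CN
    sans: list[str] = field(default_factory=list)  # SAN dNSName entries

    def names(self) -> list[str]:
        # Clients prefer the SAN list and fall back to CN only when SAN is absent.
        return self.sans if self.sans else [self.cn]


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    '*.domain.tld' covers 'www.domain.tld' but not 'domain.tld' itself and
    not 'a.b.domain.tld'; anything else must match exactly (case-insensitive).
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def cert_covers(cert: Cert, hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in cert.names())


def uncovered_sites(cert: Cert, shared_sites: list[str]) -> list[str]:
    """Hostnames on one IP:port binding that this single cert would not cover.

    Without SNI the server must pick its certificate before it can read the
    Host header, so every name bound to that IP:port has to be in this one
    cert; each name returned here would trigger a browser name-mismatch error.
    """
    return [h for h in shared_sites if not cert_covers(cert, h)]


# Constructed samples mirroring Ken's two options.
WILDCARD = Cert(cn="*.example.com")
SAN = Cert(cn="www.example.com", sans=["www.example.com", "shop.example.net"])
SITES = ["www.example.com", "shop.example.net", "deep.sub.example.com"]

if __name__ == "__main__":
    print(uncovered_sites(WILDCARD, SITES))  # ['shop.example.net', 'deep.sub.example.com']
    print(uncovered_sites(SAN, SITES))       # ['deep.sub.example.com']
```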
RE: Cisco ASA Question/IIS Question
I've personally used Digicert, and they seem to be fine. I think a few other people have used certificatesforexchange.com

Cheers
Ken

-----Original Message-----
From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, 16 June 2010 11:05 PM
To: NT System Admin Issues
Subject: RE: Cisco ASA Question/IIS Question

> Who do you recommend for SAN certs? I think that is the way I am going to go. Thanks!
RE: Cisco ASA Question/IIS Question
Thanks for your insight Ken..

Bob
RE: Cisco ASA Question/IIS Question
I'd also go with DigiCert. They have good pricing, a really easy to use website and fantastic customer service.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132
Cisco ASA Question/IIS Question
Ok here's my scenario: I have 2 websites on a Windows Server 2008 box with IIS7. We are using one IP address for both sites using host headers. On our internal AD DNS we have an entry for both hostnames pointing to the same IP address (A records). For our first site we have a one-to-one NAT translation on our ASA with port 80 open on the ACL.

My question is: How do I do another one-to-one NAT translation with a different public IP address so I can register both sites with our public DNS provider? We want to be able to have 2 different public IPs translated out from the 2 websites.

Thanks for the help and input.

Bob
Re: Cisco ASA Question/IIS Question
I *think* you would need a second public IP address. Then you would do a one-to-one with the second public server and the internal website.
RE: Cisco ASA Question/IIS Question
That would work. However I would just use the same IP for both publicly and let the host header take care of it.
RE: Cisco ASA Question/IIS Question
Hi Jim,

So I would just need 1 NAT translation on the ASA with port 80 open and 2 entries with our public DNS server with 2 different hostnames pointing to the same public IP, and then the headers will function fine?
RE: Cisco ASA Question/IIS Question
Yep, it will work exactly like your internal host header set up.
RE: Cisco ASA Question/IIS Question
Nice. I will give that a shot. Thanks..
Re: Cisco ASA Question/IIS Question
+1 use same IPs for public like you do internal, let host header mechanism sort it out at the IIS server level.
Re: Cisco ASA Question/IIS Question
+1 on SSL needs

On Tue, Jun 15, 2010 at 1:10 PM, Richard Stovall rich...@gmail.com wrote:
> The only caveat I can think of is if you ever need to do SSL on more than one of the sites. You'll need different IPs in this case since the host header is encrypted. You can solve the translation problem by adding a second internal IP to the server.
Re: Cisco ASA Question/IIS Question
On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert bch...@medaille.edu wrote:
> My question is: How do I do another one to one NAT translation with a different public IP address so I can register both sites with our public DNS provider?

Sounds like you already got the right answer (just use one IP address on the public side), but a bit of explanation about the why behind it:

One-to-one static NAT means the NAT device translates an IP address on one side to a different address on the other side. Nothing else -- it doesn't keep state. So you can't put two one-to-one NATs using the same IP address on the private side, because the NAT device would have no way of knowing which public IP address a given packet is associated with.

If you had to do two public IP addresses with one private IP address, you would have to do some kind of stateful translation on the NAT device. Different implementations call this different things, such as dynamic NAT or port forwarding or NAPT (network address/port translation) or PAT, etc. I don't know what Cisco calls it.

--
Ben
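Ben's point, as an added example that is not part of the thread: two toy translators in Python, a stateless one-to-one table and a stateful port-forwarding table, handle the same inbound connection to the second public address. The addresses are constructed samples from documentation ranges and the classes are illustrative, not a model of any Cisco implementation.

```python
"""Why one private address cannot sit behind two one-to-one static NATs.

Added example, not from the thread: two toy translators model Ben's point.
The stateless one-to-one table cannot decide which public address an
outbound reply from the shared private host belongs to; a stateful,
port-based translator resolves the same case by remembering the inbound
connection. All addresses are constructed samples from documentation ranges.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNat:
    """Stateless one-to-one NAT: public address <-> private address, nothing else."""

    def __init__(self) -> None:
        self.pub_to_priv: dict[str, str] = {}

    def add(self, public_ip: str, private_ip: str) -> None:
        self.pub_to_priv[public_ip] = private_ip

    def inbound(self, pkt: Packet) -> Packet:
        # Forward direction is unambiguous: each public address names one private host.
        return Packet(pkt.src_ip, pkt.src_port, self.pub_to_priv[pkt.dst_ip], pkt.dst_port)

    def outbound(self, pkt: Packet) -> Packet:
        # Reverse direction: the only key available is the private source address.
        candidates = [pub for pub, priv in self.pub_to_priv.items() if priv == pkt.src_ip]
        if len(candidates) != 1:
            raise LookupError(
                f"{pkt.src_ip} maps to {candidates}: with no connection state the "
                "translator cannot tell which public address this packet belongs to"
            )
        return Packet(candidates[0], pkt.src_port, pkt.dst_ip, pkt.dst_port)


class StatefulPat:
    """Port forwarding / PAT: records each inbound connection so the reply is
    rewritten to the public address and port the client actually used."""

    def __init__(self) -> None:
        self.forwards: dict[tuple[str, int], tuple[str, int]] = {}
        # (private_ip, private_port, client_ip, client_port) -> (public_ip, public_port)
        self.state: dict[tuple[str, int, str, int], tuple[str, int]] = {}

    def forward(self, public_ip: str, public_port: int, private_ip: str, private_port: int) -> None:
        self.forwards[(public_ip, public_port)] = (private_ip, private_port)

    def inbound(self, pkt: Packet) -> Packet:
        priv_ip, priv_port = self.forwards[(pkt.dst_ip, pkt.dst_port)]
        self.state[(priv_ip, priv_port, pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

    def outbound(self, pkt: Packet) -> Packet:
        # A reply with no recorded connection is dropped (KeyError), as a firewall would do.
        pub_ip, pub_port = self.state[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)


WEB = "192.0.2.10"                             # the single IIS box (constructed)
PUB_A, PUB_B = "198.51.100.1", "198.51.100.2"  # the two public addresses Bob wanted
CLIENT = "203.0.113.7"                         # an outside browser (constructed)


def static_nat_result() -> str:
    """Two one-to-one NATs onto WEB: inbound works, the reply cannot be translated."""
    nat = StaticNat()
    nat.add(PUB_A, WEB)
    nat.add(PUB_B, WEB)
    if nat.inbound(Packet(CLIENT, 40000, PUB_B, 80)).dst_ip != WEB:
        raise RuntimeError("inbound translation should have reached WEB")
    try:
        nat.outbound(Packet(WEB, 80, CLIENT, 40000))
    except LookupError:
        return "ambiguous"
    return "translated"


def stateful_pat_result() -> str:
    """Same two public addresses with port forwarding: the reply goes back via PUB_B."""
    pat = StatefulPat()
    pat.forward(PUB_A, 80, WEB, 80)
    pat.forward(PUB_B, 80, WEB, 80)
    pat.inbound(Packet(CLIENT, 40000, PUB_B, 80))
    return pat.outbound(Packet(WEB, 80, CLIENT, 40000)).src_ip


if __name__ == "__main__":
    print(static_nat_result())    # ambiguous
    print(stateful_pat_result())  # 198.51.100.2
```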
Cisco ASA Question
Hi all,

Working on a Cisco ASA 5505, trying to get to a machine on the inside interface via SSH from a machine on the outside interface. I can SSH to the ASA itself, but can't figure out how to get to a host behind it. I tried all kinds of ACLs, no joy. Any suggestions for an ASA noob?

Thanks all!

***
John C. Kelsey
DuBois Regional Medical Center
814.375.3073
814.375.4005
jckel...@drmc.org
***

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
RE: Cisco ASA Question
I'm not familiar with the ASA devices, but are you creating a VPN tunnel through the device first? I would think you would need to do that to access resources on the internal network.

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
RE: Cisco ASA Question
No VPN. I thought I could just do port forwarding, but apparently I can't.

***
John C. Kelsey
DuBois Regional Medical Center
814.375.3073
jckel...@drmc.org
***
Re: Cisco ASA Question
You can I think do the port forwarding but I don't know how. I have a stack of books on the ASA that I am only just getting to read. I have to find out about the port 80 filtering first (the reason I spent for the books).

Jon
RE: Cisco ASA Question
1.1.1.1 = Outside IP Address
192.168.1.1 = Inside Host IP Address

    Asa(config)# static (inside,outside) tcp 1.1.1.1 22 192.168.1.1 22 netmask 255.255.255.255 0 0
    Asa(config)# access-list OUTSIDE_ACCESS_IN permit tcp any host 1.1.1.1 eq 22
    Asa(config)# access-group OUTSIDE_ACCESS_IN in interface outside

Hope this helps,

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office: (317) 348-0099
Fax: (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Friday, February 27, 2009 10:10 AM
To: NT System Admin Issues
Subject: Re: Cisco ASA Question

You can, I think, do the port forwarding, but I don't know how. I have a stack of books on the ASA that I am only just getting to read. I have to find out about the port 80 filtering first (the reason I spent for the books).

Jon

On Fri, Feb 27, 2009 at 9:53 AM, Kelsey, John <jckel...@drmc.org> wrote:

No VPN. I thought I could just do port forwarding, but apparently I can't.

***
John C. Kelsey
DuBois Regional Medical Center
Phone: 814.375.3073
Email: jckel...@drmc.org
***

-----Original Message-----
From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Friday, February 27, 2009 09:48
To: NT System Admin Issues
Subject: RE: Cisco ASA Question

I'm not familiar with the ASA devices, but are you creating a VPN tunnel through the device first? I would think you would need to do that to access resources on the internal network.

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

From: Kelsey, John [mailto:jckel...@drmc.org]
Sent: Friday, February 27, 2009 9:42 AM
To: NT System Admin Issues
Subject: Cisco ASA Question

Hi all,

Working on a Cisco ASA 5505, trying to get to a machine on the inside interface via SSH from a machine on the outside interface. I can SSH to the ASA itself, but can't figure out how to get to a host behind it. I tried all kinds of ACLs, no joy. Any suggestions for an ASA noob?

Thanks all!

***
John C. Kelsey
DuBois Regional Medical Center
Phone: 814.375.3073
814.375.4005
Email: jckel...@drmc.org
***

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
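The static/access-list/access-group trio above is the pre-8.3 ASA way of exposing one inside port to the outside, and the risk is in the combination: the ACE alone says nothing until you know which static translation sits behind the mapped address. Below is an added example, not from this thread or from Cisco, that pairs each inbound permit ACE with the static PAT it reaches and reports what inside host:port is actually reachable and from whom. The configuration snippet is constructed (it mirrors the thread's 1.1.1.1 to 192.168.1.1:22 case and adds a 443 mapping and a permit for 3389 with no static behind it), the ADMIN_PORTS list and the high/medium/info/dead severities are my own choices, and the parser only understands the `host`/`any`/`net mask` source forms and `host X eq N` destinations shown here.

```python
"""Pair each inbound permit ACE on a pre-8.3 Cisco ASA with the static PAT
that makes it reachable, and flag admin ports opened to 'any'.
Added example, not from the thread; SAMPLE_CONFIG is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Ports where a permit from 'any' deserves a second look (my own list).
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 445: "smb"}

# Constructed config in pre-8.3 syntax, as used in the thread.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 1.1.1.1 22 192.168.1.1 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.1 443 192.168.1.20 443 netmask 255.255.255.255 0 0
access-list OUTSIDE_ACCESS_IN permit tcp any host 1.1.1.1 eq 22
access-list OUTSIDE_ACCESS_IN permit tcp host 203.0.113.5 host 1.1.1.1 eq 443
access-list OUTSIDE_ACCESS_IN permit tcp any host 1.1.1.1 eq 3389
access-group OUTSIDE_ACCESS_IN in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask \S+")
ACE_RE = re.compile(
    r"^access-list (\S+) (permit|deny) (tcp|udp|ip) "
    r"(any|host \S+|\S+ \S+) host (\S+)(?: eq (\d+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst_ip: str
    dst_port: Optional[int]
    line: str


@dataclass
class Finding:
    ace: str
    real_target: Optional[str]  # "ip:port" reached on the inside; None if nothing translates
    source: str
    severity: str               # "high", "medium", "info" or "dead"


def parse(config: str):
    """Collect statics, ACEs and the ACL-to-interface bindings; other lines are ignored."""
    statics, aces, groups = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            r_if, m_if, proto, m_ip, m_port, r_ip, r_port = m.groups()
            statics.append(Static(r_if, m_if, proto, m_ip, int(m_port), r_ip, int(r_port)))
        elif m := ACE_RE.match(line):
            acl, action, proto, src, dst, port = m.groups()
            aces.append(Ace(acl, action, proto, src, dst, int(port) if port else None, line))
        elif m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)  # ACL name -> interface it is applied to
    return statics, aces, groups


def audit(config: str):
    """One Finding per (permit ACE, matching static); 'dead' when no static matches."""
    statics, aces, groups = parse(config)
    findings = []
    for ace in aces:
        if ace.action != "permit" or ace.acl not in groups:
            continue  # deny entries and ACLs never applied expose nothing
        iface = groups[ace.acl]
        hits = [s for s in statics
                if s.mapped_if == iface and s.mapped_ip == ace.dst_ip
                and (ace.proto == "ip" or s.proto == ace.proto)
                and (ace.dst_port is None or s.mapped_port == ace.dst_port)]
        if not hits:
            # Permit with no static behind it: pre-8.3 there is nothing to translate to.
            findings.append(Finding(ace.line, None, ace.src, "dead"))
            continue
        for s in hits:
            if s.real_port in ADMIN_PORTS and ace.src == "any":
                sev = "high"
            elif s.real_port in ADMIN_PORTS:
                sev = "medium"
            else:
                sev = "info"
            findings.append(Finding(ace.line, f"{s.real_ip}:{s.real_port}", ace.src, sev))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.ace} -> {f.real_target or 'no translation'} from {f.source}")
```

Run against the constructed config it reports the thread's SSH mapping as high (admin port, source `any`), the 443 mapping restricted to one source host as info, and the 3389 permit as dead because no static maps 1.1.1.1:3389 anywhere. Tightening the SSH ACE from `any` to the specific outside management address drops that finding to medium, which is the change most shops would want before leaving this in place.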
RE: Cisco ASA Question
Amateur! ;-)

From: Rohyans, Aaron [mailto:arohy...@dpsciences.com]
Sent: Friday, February 27, 2009 10:31 AM
To: NT System Admin Issues
Subject: RE: Cisco ASA Question

1.1.1.1 = Outside IP Address
192.168.1.1 = Inside Host IP Address

    Asa(config)# static (inside,outside) tcp 1.1.1.1 22 192.168.1.1 22 netmask 255.255.255.255 0 0
    Asa(config)# access-list OUTSIDE_ACCESS_IN permit tcp any host 1.1.1.1 eq 22
    Asa(config)# access-group OUTSIDE_ACCESS_IN in interface outside

Hope this helps,

Aaron T. Rohyans