04-03-2007 08:26 PM - edited 03-11-2019 02:55 AM
Hi Sir,
I'm configuring an ASA 7.2 to allow a kiosk machine segment (security-level 45) to access the Internet via the enterprise network (security-level 90). ASA config as follows:
!
interface GigabitEthernet0/0
nameif dmz_kiosk
security-level 45
ip address 172.16.45.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif dmz_enterprise
security-level 90
ip address 172.16.90.2 255.255.255.0
!
route dmz_enterprise 0.0.0.0 0.0.0.0 172.16.90.1 1
!
access-list TEST extended permit ip any any
access-group TEST in interface dmz_kiosk
nat-control
!
The ASA is also configured to perform DHCP relay for clients connected to the kiosk segment.
The kiosk machines will need to access the Internet. My issue is, I'm unsure how to define the static commands to allow the proper NAT translation for the clients, since their destinations are public IP addresses. I've tried:
static (dmz_enterprise,dmz_kiosk) 0 0 netmask 0.0.0.0
However, this command has the following negative effects:
(1) Disrupts the operation of DHCP relay.
(2) Disrupts ARP activities on the kiosk segment. The ASA will answer all ARP requests on that segment, causing issues with client-to-client communication on that segment.
Please advise.
Thank you.
B.Rgds,
Lim TS
04-03-2007 08:38 PM
Hi Lim,
For #1, it's a bug: CSCsh55107. However, it is not yet resolved.
For #2, that is as-designed. But, you can disable it using the command:
sysopt noproxyarp dmz_kiosk
However, I highly recommend you modify your configuration to do one of the following:
a) the Internet facing interface should be 'less' secure than the kiosk interface. Therefore the security level of the kiosk interface should be higher than that of the internet interface. Assuming this is not possible because both the enterprise and internet exist off the same interface, then see b)
b) remove the static, and disable nat-control:
no nat-control
with nat-control disabled you no longer need the static for hosts to get from the kiosk to the internet.
c) (Least suggested of all the options) set the kiosk interface to the same security level as the internet interface; NAT is also not required, so you can get rid of the static but still have nat-control on if you want.
Hope it helps,
David.
PS> If this resolves your problem, please ensure you click the box to let us know.
04-03-2007 10:10 PM
Hi David,
The bug CSCsh55107 exactly matches my scenario! I'm using Interim Release 7.2(2)18, but the issue still persists. It may be that Cisco has not resolved it.
The command "sysopt noproxyarp dmz_kiosk" does help. From my Ethereal trace, I only see the ARP reply coming from the actual host. Previously, without the command, the ASA also proxy-ARPed and I saw two ARP replies.
It's not possible to swap the security levels between the two interfaces because the kiosks are considered less secure than the enterprise network.
I tried your workaround (b) but received the error message "%ASA-3-305005: No translation group found for...".
My workaround is, I removed that static command and then configured the following static commands (based on the first-octet rule of IP addresses):
static (dmz_enterprise,dmz_kiosk) 0.0.0.0 0.0.0.0 netmask 128.0.0.0 ==> covers whole Class A range
static (dmz_enterprise,dmz_kiosk) 128.0.0.0 128.0.0.0 netmask 192.0.0.0 ==> covers whole Class B range
static (dmz_enterprise,dmz_kiosk) 192.0.0.0 192.0.0.0 netmask 224.0.0.0 ==> covers whole Class C range
What's your opinion? Let me know if you have a better workaround.
Thank you.
B.Rgds,
Lim TS
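Added example (not from the thread, and not an ASA feature): a small Python check of the three identity statics above. It models each static as a (real, mapped, netmask) tuple, looks up which entry a destination falls under using the first-octet rule, and reports any unicast /8 left untranslated; the single "0 0 netmask 0.0.0.0" static from the first post is included for comparison. The first-match-wins lookup is an assumption made for the model.

```python
import ipaddress

# Constructed from the three statics in the post: (real, mapped, netmask).
THREE_STATICS = [
    ("0.0.0.0",   "0.0.0.0",   "128.0.0.0"),  # 0.0.0.0/1   -> first octet 0-127
    ("128.0.0.0", "128.0.0.0", "192.0.0.0"),  # 128.0.0.0/2 -> first octet 128-191
    ("192.0.0.0", "192.0.0.0", "224.0.0.0"),  # 192.0.0.0/3 -> first octet 192-223
]

# The original catch-all static from the first post, for comparison.
CATCH_ALL_STATIC = [("0.0.0.0", "0.0.0.0", "0.0.0.0")]  # 0.0.0.0/0


def static_networks(statics):
    """Turn (real, mapped, netmask) tuples into (real_net, mapped_net) pairs."""
    return [(ipaddress.IPv4Network(f"{real}/{mask}"),
             ipaddress.IPv4Network(f"{mapped}/{mask}"))
            for real, mapped, mask in statics]


def translate(dst, statics=THREE_STATICS):
    """Return the mapped address for dst, or None if no static covers it.

    Assumption for this model: the first matching entry wins.
    """
    addr = ipaddress.IPv4Address(dst)
    for real_net, mapped_net in static_networks(statics):
        if addr in real_net:
            offset = int(addr) - int(real_net.network_address)
            return str(mapped_net.network_address + offset)
    return None


def uncovered_first_octets(statics=THREE_STATICS):
    """First octets in the unicast range (0-223) whose /8 matches no static.

    Probing one address per /8 is enough here because every mask involved
    is shorter than /8, so a /8 is either wholly covered or wholly uncovered.
    """
    return [o for o in range(224)
            if translate(f"{o}.0.0.0", statics) is None]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "172.16.90.1", "224.0.0.1", "255.255.255.255"):
        print(dst, "->", translate(dst), "| catch-all ->",
              translate(dst, CATCH_ALL_STATIC))
    print("uncovered unicast /8s:", uncovered_first_octets())
```

The three statics translate every unicast destination to itself, while only the catch-all entry also matches multicast (224.0.0.0/4) and the limited broadcast address 255.255.255.255.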
04-04-2007 05:46 AM
Hi Lim,
Correct CSCsh55107 is *NOT* fixed. It is still being worked on.
As to the comment that (b) did not work, are you sure you disabled nat-control after removing the statics? i.e. issue the command
no nat-control
in global config mode (Note: you _may_ need to also issue a "clear xlate" afterwards if it doesn't work).
The 305005 syslog tells me that nat-control is still enabled.
Again, doing the above is by far your best option. However, the other workaround you did with the static will also work, but is not optimal in this case.
Sincerely,
David.
04-04-2007 07:41 AM
Hi David,
I'm very sure I removed nat-control using command "no nat-control" and then removed the static 0 0 command. It's also my habit to do clear xlate whenever I change NAT rules.
Can you try it in your lab?
I'm going to deploy the ASA to the production network in one hour's time. Wish me luck.
Thank you.
B.Rgds,
Lim TS
04-04-2007 04:48 PM
Hi Lim,
I didn't have time to set it up today, but I do know it works. I've done it many times :-) Is it possible you were leaving out other parts of your config (like other nat/static rules)? Because that would impact the solution.
Anyway, let us know how it goes.
Sincerely,
David.