Hello, New to ASA
Trying to understand how to allow traffic for a specific host from the LAN to outside.
* Desktop 192.168.3.80 which needs TCP port 999 to download an international newspaper using a secured application.
* Desktop 192.168.3.88 which gets stock updates; I don't know what ports it needs, or how and what to allow.
* Finance Desktop 192.168.5.7 sends traffic outside on port 6919 to get bank updates using a customized application.
My ASA is in production, so I'm scared to fiddle with it :-)
My ASA Configuration
ip address 184.108.40.206 255.255.255.224
ip address 192.168.1.100 255.255.255.0
access-list ACL_OUT2IN extended permit tcp any host 220.127.116.11 eq smtp
access-list ACL_OUT2IN extended permit tcp any host 18.104.22.168 eq https
access-list ACL_IN2OUT extended permit tcp any host 192.168.2.25 eq smtp
access-list ACL_IN2OUT extended permit tcp any host 192.168.2.26 eq https
global (OUTSIDE) 2 interface
nat (INSIDE) 2 192.168.2.5 255.255.255.255
static (INSIDE,OUTSIDE) 22.214.171.124 192.168.2.25 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 126.96.36.199 192.168.2.26 netmask 255.255.255.255
access-group ACL_OUT2IN in interface OUTSIDE
access-group ACL_IN2OUT in interface INSIDE
Router ospf 2
network 192.168.1.0 255.255.255.0 area 0
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
Logging matches just means you can log what has been allowed anytime the rule within the acl has been matched. See the ASA config guide if you need to setup logging.
"If I do NAT and don't allow it on the inside ACL it will not send traffic outside, is this what you mean?"
Exactly. But you could just as easily set up your NAT as
nat (inside) 1 192.168.3.80 255.255.255.255
nat (inside) 1 192.168.3.88 255.255.255.255
nat (inside) 1 192.168.5.7 255.255.255.255
global (outside) 1 outside
"What is the difference between the Static NAT and the NAT statement you added? I am totally confused on this."
Yes, NAT can be confusing on Cisco devices. There is a lot to know, but put simply:
static NAT is used when the connection can come from either way, e.g.
static (inside,outside) 188.8.131.52 10.10.10.1 netmask 255.255.255.255
1) that when the inside host with an IP of 10.10.10.1 sends out traffic to the outside of the ASA, the source address is translated from 10.10.10.1 to 184.108.40.206
and it also means
2) that when a device on the outside sends traffic to the address of 220.127.116.11, this address is then changed to 10.10.10.1 and sent to the inside host
With a static command the connection can be initiated from either the inside host to outside or from the outside to the inside host.
With the NAT commands I supplied, if the internal devices connect to devices on the Internet then they will be translated to the outside IP address of the ASA.
BUT - if the connection is initiated from the Internet it won't work, because the ASA does not know which inside address to translate to.
Note that it is all to do with which side initiated the connection. If the inside device initiates a connection to the outside using the NAT commands I supplied, then a NAT entry is built on the firewall so the return traffic will get back to the right client.
In simpler terms - statics are used when you need to allow access both ways, access in terms of who initiates the connections.
Dynamic NAT is good for inside to outside connections or more specifically one way initiation.
It is a bit more complex than this and there are still some exceptions to what I have written, but that is an overall general rule.
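The direction-of-initiation rule above, as an added example that is not from this thread or from Cisco: a small Python model of how the ASA treats the static mapping, the dynamic nat/global pool and the inside ACL. The public addresses, ports and ACL entries are constructed for the illustration, and the model ignores timeouts, protocols other than TCP and the many real-world exceptions the reply mentions.

```python
# Simplified model of ASA NAT behaviour (added example, not ASA code).
# Assumptions: one static mapping, one dynamic PAT pool on the outside interface
# (global (outside) 1 outside), an inside ACL for inside-initiated flows and an
# outside ACL for Internet-initiated flows. All addresses below are constructed.
from dataclasses import dataclass, field

OUTSIDE_IF = "203.0.113.1"                    # outside interface address used for PAT
STATIC = {"10.10.10.1": "203.0.113.25"}       # inside real -> public (static (inside,outside))
DYNAMIC_HOSTS = {"192.168.3.80", "192.168.3.88", "192.168.5.7"}  # nat (inside) 1 hosts
INSIDE_ACL = {("192.168.3.80", 999), ("192.168.5.7", 6919), ("10.10.10.1", None)}  # (src, dport); None = any
OUTSIDE_ACL = {("203.0.113.25", 25)}          # (public dst, dport) permitted from the Internet


@dataclass
class Asa:
    xlates: dict = field(default_factory=dict)   # (public ip, port) -> (inside ip, port)
    next_port: int = 1024

    def inside_to_outside(self, src, sport, dport):
        """Inside host opens a connection to the Internet. Returns the translated source or None."""
        if not any(s == src and p in (None, dport) for s, p in INSIDE_ACL):
            return None                          # inside ACL denies: never translated, never sent
        if src in STATIC:                        # static: fixed one-to-one translation, no state needed
            return (STATIC[src], sport)
        if src in DYNAMIC_HOSTS:                 # dynamic PAT: build an xlate so replies can come back
            self.next_port += 1
            self.xlates[(OUTSIDE_IF, self.next_port)] = (src, sport)
            return (OUTSIDE_IF, self.next_port)
        return None                              # no nat statement covers this host

    def outside_to_inside(self, dst, dport):
        """Packet from the Internet to a public address. Returns the inside destination or None."""
        if (dst, dport) in self.xlates:          # reply to an inside-initiated flow: matches the xlate
            return self.xlates[(dst, dport)]
        for inside, public in STATIC.items():    # static works either way, once the outside ACL permits it
            if dst == public and (dst, dport) in OUTSIDE_ACL:
                return (inside, dport)
        return None                              # Internet-initiated to the PAT address: no xlate, dropped
```

Running the model shows why the reply calls statics "both ways" and the nat/global pair "one way": an unsolicited packet to the PAT address has no xlate to match and is discarded, while the static host is reachable as long as the outside ACL allows it.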