ASA 5500 question

jcarrabine1
Level 1

Hello,

I'm not really a security guy, but I have a question about the ASA 5500. When you set an outside interface to "0", does that give an explicit deny to access traffic on the inside interface with 100?

If so, to give access do you use access lists to grant protocol/port access to the inside?


Thank you sir.

Jon Marshall
Hall of Fame

jcarrabine1 wrote:

Hello,

I'm not really a security guy, but I have a question about the ASA 5500. When you set an outside interface to "0", does that give an explicit deny to access traffic on the inside interface with 100?

If so, to give access do you use access lists to grant protocol/port access to the inside?

Just to add to Jorge's post.

You don't just need an ACL to allow traffic from a lower to a higher security interface. You also need to take care of NAT. You cannot use dynamic NAT, but you do have 3 options -

1) turn off NAT

2) use a NAT exemption

3) use a static NAT translation

Jon

Can you elaborate more? Obviously turning off NAT will prevent any outside address from acquiring an inside address, and I assume a NAT exemption is used if you have multiple locations and you just use the public address that your provider (or I guess a partner's public address) gives you, and the last is basically the same. Am I seeing what you are saying right?

jcarrabine1 wrote:

Can you elaborate more? Obviously turning off NAT will prevent any outside address from acquiring an inside address, and I assume a NAT exemption is used if you have multiple locations and you just use the public address that your provider (or I guess a partner's public address) gives you, and the last is basically the same. Am I seeing what you are saying right?

Jeff

If you disable nat-control then you do not need a NAT statement for traffic on a lower security interface to access a device on a higher security interface, although you still need an ACL. To be honest I find the docs a little misleading on this one, but I do remember when I first tested this on a v7.x PIX that you didn't need any statics or NAT exemptions, just an ACL. Quite a shock after PIX v6.x code, where you didn't have the option to turn off NAT so you always had to set up some sort of NAT.

NAT exemptions and static NAT - it's important to understand with Cisco devices that even if you do not want to do NAT you still have to tell the firewall this with a NAT statement (assuming you haven't disabled NAT altogether - see above). This can be somewhat counterintuitive if you come from a different vendor firewall background. So when you do NAT on a Cisco device you may well be presenting the internal address as something else to another interface, but even if you just want the internal addresses to be accessible to another lower security interface without changing the actual address you still need a NAT statement. I know, it really doesn't make a lot of sense sometimes.


You do this by using either a static NAT or a NAT exemption. So let's say you want to allow access to internal addressing of 192.168.5.0/24 from the outside and from any address, and you want the outside to be able to connect to these internal devices using the 192.168.5.x addressing. (Note in a real-world internet scenario 192.168.5.x would have to be changed to something else to route on the internet, but this is just an example.)

static NAT

========

static (inside,outside) 192.168.5.0 192.168.5.0  netmask 255.255.255.0

NAT exemption

============

access-list NATEX permit ip any 192.168.5.0 255.255.255.0

nat (inside) 0 access-list NATEX

Both of the above will allow any device on the outside to initiate a connection to a 192.168.5.x device on the inside. Obviously you still need to allow access with an ACL as well.

Jon
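The complete pre-8.3 ASA configuration that Jon's answer implies, as an added example rather than anything posted in the thread: the NAT statement and the inbound ACL on the outside interface together. Interface names, the host 192.168.5.10 and TCP port 443 are assumed values.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax, matching the
! static / nat 0 commands above. Interface names, 192.168.5.10 and tcp/443
! are assumed.
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/0
 nameif outside
 security-level 0
!
! 1) NAT. With nat-control enabled the firewall needs to be told to present
!    192.168.5.0/24 to outside unchanged. Use ONE of the two forms.
!    a) static identity NAT:
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
!    b) NAT exemption (source is the inside network, destination any):
! access-list NATEX extended permit ip 192.168.5.0 255.255.255.0 any
! nat (inside) 0 access-list NATEX
!
! 2) ACL. Without this, traffic from security-level 0 to 100 is still dropped
!    even though the translation exists. Permit only the needed service and
!    log what falls through so blocked attempts show up in syslog.
access-list OUTSIDE_IN extended permit tcp any host 192.168.5.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Check the result with `show nat` and `show xlate` for the translation and `show access-list OUTSIDE_IN` for hit counts on the permit and deny lines.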

As usual Jon ... outstanding answers my friend..

Incidentally .. I was reading a post yesterday in routing that you answered along with Giuseppe, which has me now looking into the EEM/tcl IOS feature; wanted to give it a 5 but could not find a way.. happy holidays ..!

Jorge

PS: Now I see ratings  but pressed 4 instead of 5 on this one... my error

Jorge Rodriguez