12-16-2009 11:54 AM - edited 03-11-2019 09:49 AM
Hello,
I'm not really a security guy, but I have a question about the ASA 5500. When you set an outside interface to "0" does that give an explicit deny to access traffic on the inside interface with 100?
If so; to give access do you use access lists to grant protocol/port access to the inside?
12-16-2009 11:59 AM
That is correct..
See
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml
Regards
12-16-2009 12:05 PM
Thank you sir.
12-16-2009 12:12 PM
jcarrabine1 wrote:
Hello,
I'm not really a security guy, but I have a question about the ASA 5500. When you set an outside interface to "0" does that give an explicit deny to access traffic on the inside interface with 100?
If so; to give access do you use access lists to grant protocol/port access to the inside?
Just to add to Jorge's post.
You don't just need an acl to allow traffic from a lower to higher security interface. You also need to take care of NAT. You cannot use dynamic NAT but you do have 3 options -
1) turn off NAT
2) use a NAT exemption
3) use a static NAT translation
Jon
12-16-2009 12:24 PM
Can you elaborate more? Obviously turning off NAT will prevent any outside address from acquiring an inside address, and I assume a NAT exemption is used if you have multiple locations and you just use the public address that your provider (or I guess a partner's public address) gives you, and the last is basically the same. Am I seeing what you are saying right?
12-16-2009 01:05 PM
jcarrabine1 wrote:
Can you elaborate more? Obviously turning off NAT will prevent any outside address from acquiring an inside address, and I assume a NAT exemption is used if you have multiple locations and you just use the public address that your provider (or I guess a partner's public address) gives you, and the last is basically the same. Am I seeing what you are saying right?
Jeff
If you disable nat-control then you do not need a NAT statement for traffic on a lower security interface to access a device on a higher security interface, although you still need an acl. To be honest I find the docs a little misleading on this one, but I do remember when I first tested this on a v7.x pix that you didn't need any statics or nat exemptions, just an acl. Quite a shock after pix v6.x code, where you didn't have the option to turn off nat so you always had to set up some sort of NAT.
NAT exemptions and static NAT - it's important to understand with Cisco devices that even if you do not want to do NAT you still have to tell the firewall this with a NAT statement (assuming you haven't disabled NAT altogether - see above). This can be somewhat counterintuitive if you come from a different vendor firewall background. So when you do NAT on a Cisco device you may well be presenting the internal address as something else to another interface, but even if you just want the internal addresses to be accessible to another lower security interface without changing the actual address you still need a NAT statement. I know, it really doesn't make a lot of sense sometimes.
You do this by using either a static NAT or a NAT exemption. So let's say you want to allow access to internal addressing of 192.168.5.0/24 from the outside and from any address, and you want the outside to be able to connect to these internal devices using the 192.168.5.x addressing. (Note in a real world internet scenario 192.168.5.x would have to be changed to something else to route on the internet, but this is just an example.)
static NAT
========
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
NAT exemption
============
access-list NATEX permit ip 192.168.5.0 255.255.255.0 any
nat (inside) 0 access-list NATEX
Both of the above will allow any device on the outside to initiate a connection to a 192.168.5.x device on the inside. Obviously you still need to allow access with an acl as well.
Jon
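To tie Jon's two pieces together, here is an added example (not from the thread, and not Cisco's own documentation) of a complete pre-8.3 ASA configuration for the scenario above: the NAT exemption plus the inbound acl on the outside interface that the lower-to-higher security traffic needs. The host 192.168.5.10, the acl names and the port are constructed for illustration.

```cisco
! Added example, not from the original thread. Pre-8.3 ASA/PIX 7.x syntax.
! Scenario: outside (security-level 0) must reach an internal web server at
! 192.168.5.10 on the inside (security-level 100) without address translation.
!
! 1. NAT exemption: tell the firewall not to translate 192.168.5.0/24.
!    For "nat (inside) 0 access-list" the acl source is the INSIDE network;
!    the exemption is bidirectional, so outside-initiated connections work.
access-list NATEX extended permit ip 192.168.5.0 255.255.255.0 any
nat (inside) 0 access-list NATEX
!
! 2. Interface acl. Lower-to-higher security traffic is denied by default
!    (the "explicit deny" asked about at the top of the thread), so permit
!    only the protocol/port actually required rather than "ip any any".
!    "host 192.168.5.10" is a constructed example server.
access-list OUTSIDE_IN extended permit tcp any host 192.168.5.10 eq 80
! Explicit final deny with logging so blocked attempts show up in syslog.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Verify: "show nat" / "show xlate" should show the identity exemption and
! "show access-list OUTSIDE_IN" hit counts should increment on test traffic.
```

Either the static identity NAT from Jon's post or the nat 0 exemption above satisfies the NAT requirement; the interface acl is required in both cases.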
12-16-2009 02:11 PM
As usual Jon ... outstanding answers my friend..
Incidentally .. I was reading a post yesterday in routing you've answered along with Giuseppe, which I am now looking into: the EEM/tcl ios feature. Wanted to give it a 5 but could not find a way.. happy holidays ..!
Jorge
PS: Now I see ratings but pressed 4 instead of 5 on this one... my error