Access through the firewall

jacobs_son
Level 1

Hi there, I'm having problems connecting through an ASA from one interface to another. Here are the relevant bits of my config:

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 192.168.20.1 255.255.255.0

!
interface GigabitEthernet0/1
vlan 2
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.0.0
!
interface GigabitEthernet0/2
vlan 3
nameif DMZ
security-level 50
ip address 10.11.1.1 255.255.0.0

access-list DMZ_access_in permit ip any any

access-group DMZ_access_in in interface DMZ

nat (DMZ) 1 10.11.0.0 255.255.0.0
global(DMZ) 1 interface

I realise I shouldn't be letting all access through from the DMZ, but this config is there just for testing purposes. However, I can get to anywhere out of the Outside interface fine from the DMZ, but cannot access anything on the inside interface. I was pretty sure that the security levels only came into play if there was no access list exemption in place.

Why is it that I can't access the inside interface? Would I need identity nat or no nat configured for the 10.11 range going to the inside network?

Thanks in advance.

James

4 Replies

Kureli Sankar
Cisco Employee

nat (DMZ) 1 10.11.0.0 255.255.0.0
global(DMZ) 1 interface

What is the purpose of the global above?

You need a static translation to go from inside to DMZ. Only then can the DMZ initiate connections to the inside. You also need ACLs allowing this, applied on the DMZ, as the DMZ is of a lower security level than the inside.

give this a shot

static (inside,dmz) 10.10.1.0 10.10.1.0 netmask 255.255.0.0

where 10.10.1.0 255.255.0.0 is your inside network

Then apply an access-list to allow the DMZ network to access the inside network, and apply that on the DMZ interface with the access-group command. Make sure to allow them to go to the internet as well or that traffic will break.

-KS

Hi, thanks for the reply.

I already have the access-list entry for the DMZ interface (shown above, applied as ip any any).

The purpose of the global was to PAT everything behind the DMZ interface to the interface IP. So all traffic coming out of the DMZ would be translated to the interface IP.

Can you please let me know why I need the identity NAT statement to traverse from DMZ to inside? I thought a NAT statement was only required if nat-control was enabled? Or is that only if going from a high to low security address?

Thanks again.

James

Hi James,

There is a catch here: when nat-control is not enabled but you NAT traffic for an interface, then all traffic traversing that interface must match a translation rule or it is dropped. You need static identity NAT because it allows you to create both inbound and outbound connections. With dynamic NAT, inbound connections, which are connections originating from a lower security-level interface to a higher security-level interface, are not possible. So for the DMZ to initiate traffic to the Inside interface you will need to configure static identity NAT.

HTH,

Zeeshan Sanaullah

Zeeshan Sanaullah is correct. That is the reason I had given you static identity. If the inside hides behind a PAT pool, then the DMZ cannot initiate traffic to the inside hosts.

-KS
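An added example, not posted by anyone in this thread, of what the corrected pre-8.3 configuration could look like when Kureli's static identity translation is combined with a least-privilege ACL in place of permit ip any any. It assumes the inside network is 10.10.0.0/16 (from the interface mask), that the global belongs on Outside because it is internet-bound DMZ traffic that needs PAT, and that 10.10.1.50 on TCP 443 is a placeholder for the one inside service the DMZ actually needs.

```cisco
! Dynamic PAT for DMZ hosts leaving towards the internet.
! The global goes on the egress interface, not on DMZ itself.
nat (DMZ) 1 10.11.0.0 255.255.0.0
global (Outside) 1 interface
!
! Static identity NAT between Inside and DMZ: with a nat/global pair on DMZ,
! every flow through DMZ must match a translation, and only a static one
! lets the lower-security DMZ initiate connections to the inside.
! Using the whole /16 so it matches the Inside interface mask (assumption).
static (Inside,DMZ) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
!
! Least-privilege ACL: allow only the needed inside service (placeholder host
! and port), deny everything else towards the inside, then allow internet.
access-list DMZ_access_in extended permit tcp 10.11.0.0 255.255.0.0 host 10.10.1.50 eq 443
access-list DMZ_access_in extended deny ip 10.11.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list DMZ_access_in extended permit ip 10.11.0.0 255.255.0.0 any
access-group DMZ_access_in in interface DMZ
!
! Checks: trace a DMZ-to-inside flow through NAT and ACL lookups,
! and confirm the identity xlate appears once the static is in place.
packet-tracer input DMZ tcp 10.11.1.20 40000 10.10.1.50 443
show xlate
```

The deny line before the final permit is what keeps the internet permit from silently re-opening the whole inside network.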
