Allow traffic through Outside - Inside ASA-5505

mattias
Level 1

Hi!

I have been thinking quite a long time about this and I hope someone here could help out.

Is it possible to "route" traffic through the outside interface and, depending on what IP address you are coming from, be directed to a specific IP on the inside? I know how it works when using PAT, but now it is rather a question of just letting traffic flow directly to an inside address without any questions asked, or rules depending on what IP you have when on the outside.

The ASA only has one IP address assigned (outside). I think if I had more IP addresses on the outside I could map the traffic more easily.

Also... I'm a beginner at Cisco FW =)

Regards

Mattias

6 Replies

Hi,

Normally to allow traffic from a lower-security interface to a higher-security interface you need a STATIC NAT and an ACL allowing the traffic.

So, as long as there is a static translation for a host and an ACL permitting the traffic, you can come from the outside and access any host on the inside.

When you say that depending on what address you're coming from, you want to be redirected to a specific IP on the inside, do you mean using the outside IP of the ASA to redirect traffic based on ports?

For example, you can use the outside public IP of the ASA to redirect traffic to several internal hosts depending on the destination port of the connection.

I suppose you can use Policy NAT to specify where to go depending on the IP you're coming from.

Take a look:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html

Federico.

Hi!

From outside I want to allow traffic to inside depending on what IP you are originating from.

Let's say the FW outside IP is 10.10.10.10

Inside is 192.168.0.0.

Example: IP addresses that I want to get "full access" to internal IPs are

Outside IP 12.12.12.20 forwarded to 192.168.0.20

12.12.12.21 forwarded to 192.168.0.21

12.12.12.22 forwarded to 192.168.0.22

Is this possible to do? NAT by using source 12.12.12.20 and destination 192.168.0.20 service ANY?

Regards

Mattias

Hi,

static (inside,outside) 12.12.12.21  192.168.0.21 netmask 255.255.255.255

static (inside,outside) 12.12.12.22  192.168.0.22 netmask 255.255.255.255

access-list outside_in extended permit ip host 10.10.10.10 host 12.12.12.21

access-list outside_in extended permit ip host 10.10.10.10 host 12.12.12.22

access-group outside_in in interface outside

Samuel Petrescu

mattias
Level 1

Hi again!

Thanks, I will try this. It looks a bit backward to me (Cisco logic?!), but is the 12.12.12.20 (21) address an outside address equal to the originating address that I tried to explain? LAN inside should be 192.168.0.21 (22). Correct?

Regards,

Mattias

Hi again,

IP addresses 192.168.0.21 and 192.168.0.22 are inside addresses.

IP addresses 12.12.12.21 and 12.12.12.22 are outside addresses (usually public IPs).

IP address 10.10.10.10 is an outside address where the traffic originated from.

Example: allow only outside host 10.10.10.10 to access internal hosts 192.168.0.21 and 192.168.0.22.

Samuel Petrescu

In the example by Samuel...

static (inside,outside) 12.12.12.21  192.168.0.21 netmask 255.255.255.255
static (inside,outside) 12.12.12.22  192.168.0.22 netmask 255.255.255.255

access-list outside_in extended permit ip host 10.10.10.10 host 12.12.12.21
access-list outside_in extended permit ip host 10.10.10.10 host 12.12.12.22
access-group outside_in in interface outside

Outside NATed address: 12.12.12.21 for inside local 192.168.0.21
Outside NATed address: 12.12.12.22 for inside local 192.168.0.22


Then, the ACL allows IP from outside host 10.10.10.10 to both NATed addresses.

I don't think this is the redirection that you're asking for, but it is a valid configuration.

When outside 10.10.10.10 wants to access 12.12.12.21 it will be redirected to 192.168.0.21.
On the other hand, when the same 10.10.10.10 wants to access 12.12.12.22 it will be redirected to 192.168.0.22.

Let me know if this will work for you.

Federico.
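The point that tripped up the question (why the ACL names the 12.12.12.x addresses rather than the 192.168.0.x ones) is that on the ASA 8.2 code the linked guide covers, an inbound ACL on the outside interface is matched against the mapped (translated) destination address, and the static entry is then used to untranslate it to the real inside host; ASA 8.3 and later changed this so that ACLs reference the real address, and a config written this way would need to be rewritten after an upgrade. The following is an added example, not part of the thread and not Cisco code: a small Python model of that evaluation order, built from exactly the two static entries and two ACEs Samuel posted, with the packet addresses constructed for illustration. It is only a model of the policy logic (no ports, no state table, no Policy NAT), so it also shows what happens to traffic the posted config does not cover, such as a source other than 10.10.10.10 or the 12.12.12.20 address from the original question, for which no static entry was posted.

```python
# Added example: model of how an ASA running 8.2 code evaluates the
# static NAT + ACL configuration posted in the thread. Not Cisco code.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# static (inside,outside) MAPPED REAL netmask 255.255.255.255
# (the two entries from the thread; 12.12.12.20 was never configured)
STATIC_NAT = {
    "12.12.12.21": "192.168.0.21",
    "12.12.12.22": "192.168.0.22",
}

# access-list outside_in extended permit ip host SRC host DST
# On 8.2 the destination in an inbound ACL is the MAPPED (outside) address.
OUTSIDE_IN_ACL = [
    ("permit", "10.10.10.10", "12.12.12.21"),
    ("permit", "10.10.10.10", "12.12.12.22"),
]


@dataclass
class Result:
    action: str               # "forward" or "drop"
    reason: str
    real_dst: Optional[str] = None   # inside address after untranslation


def acl_lookup(acl, src, dst):
    """Return the action of the first matching ACE; an ACL ends in an implicit deny."""
    for action, ace_src, ace_dst in acl:
        if ace_src == src and ace_dst == dst:
            return action
    return "deny"


def evaluate_inbound(src, dst):
    """Model the inbound path on the outside (security-level 0) interface.

    1. Reject malformed addresses.
    2. Without a translation for dst, lower-to-higher security traffic has no path.
    3. Apply the interface ACL (matched against the mapped destination on 8.2).
    4. Untranslate the mapped destination to the real inside host.
    """
    ip_address(src)   # raises ValueError on garbage input
    ip_address(dst)
    if dst not in STATIC_NAT:
        return Result("drop", "no static translation for destination")
    if acl_lookup(OUTSIDE_IN_ACL, src, dst) != "permit":
        return Result("drop", "denied by outside_in ACL (implicit deny)")
    return Result("forward", "permitted by outside_in, untranslated", STATIC_NAT[dst])


def trace(flows):
    """Evaluate a list of (src, dst) pairs and return one summary string per flow."""
    lines = []
    for src, dst in flows:
        r = evaluate_inbound(src, dst)
        target = f" -> {r.real_dst}" if r.real_dst else ""
        lines.append(f"{src} -> {dst}: {r.action}{target} ({r.reason})")
    return lines


if __name__ == "__main__":
    # Constructed sample traffic arriving on the outside interface.
    SAMPLE_FLOWS = [
        ("10.10.10.10", "12.12.12.21"),   # permitted, reaches 192.168.0.21
        ("10.10.10.10", "12.12.12.22"),   # permitted, reaches 192.168.0.22
        ("10.10.10.11", "12.12.12.21"),   # other source: implicit deny
        ("10.10.10.10", "12.12.12.20"),   # no static entry was posted for .20
    ]
    for line in trace(SAMPLE_FLOWS):
        print(line)
```

Running it shows the two flows from 10.10.10.10 being forwarded to the two inside hosts and everything else dropped, which is the behaviour Federico describes; a practitioner adapting the posted config should also confirm that the ASA is not running 8.3 or later, where the same ACL would have to name 192.168.0.21 and 192.168.0.22 instead.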
