Need an explanation for this Static NAT Rule

Answered Question
Apr 3rd, 2010

Here is my network


outside (0)

inside (100)

dmz (90)

wifi (80)


dmz-network 192.168.100.0/24

wifi-network 192.168.2.0/24

inside-network 192.168.0.0/24


I just implemented wifi within the last week. I did not configure this ASA originally.


The original configuration included this static rule to permit traffic from inside <-> dmz



static (inside,dmz) dmz-network inside-network netmask 255.255.255.0


and this works just fine.


When I implemented wifi, I just assumed that another static rule would be required to allow inside <-> wifi


static (inside,wifi) wifi-network inside-network netmask 255.255.255.0


This does not work. It causes a "Land Attack" when trying to connect from the inside -> wifi.


Now, I do not want wifi users to be able to access inside, so a bidirectional static NAT rule is definitely not the answer. I'm just curious why a static rule is not working in this case. I'm new to ASAs and I'm still learning.


This command works:

static (inside,wifi) inside-network inside-network netmask 255.255.255.0


This command does not work:

static (inside,wifi) wifi-network inside-network netmask 255.255.255.0


Why?


I went with a NAT Exempt rule:


access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 wifi-network 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound


If I understand NAT Exemption, the above commands will only permit a connection that originated from inside, which is what I want. I do not want a connection between inside <-> wifi to be able to originate from wifi as this would be a huge security vulnerability in my setup.


Thanks


Edit:



Result of the command: "show running-config"


: Saved

:

ASA Version 8.2(1)

!

hostname CoreFW

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.100.0 dmz-network

name 192.168.0.0 inside-network

name xxx.xxx.xxx.0 outside-network

name 192.168.2.0 wifi-network

name 192.168.10.0 vpn01-network

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address xxx.xxx.xxx.xxx 255.255.255.248

!

interface Vlan3

nameif dmz

security-level 90

ip address 192.168.100.1 255.255.255.0

!

interface Vlan4

nameif wifi

security-level 80

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

switchport access vlan 4

!

interface Ethernet0/7

switchport access vlan 3

!

boot system disk0:/asa821-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list bcc_splitTunnelAcl standard permit inside-network 255.255.255.0

access-list bcc_splitTunnelAcl standard permit wifi-network 255.255.255.0

access-list bcc_splitTunnelAcl standard permit dmz-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn01-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 wifi-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 dmz-network 255.255.255.0

access-list dmz_nat0_outbound extended permit ip dmz-network 255.255.255.0 vpn01-network 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu wifi 1500

ip local pool VPNPool01 192.168.10.10-192.168.10.100 mask 255.255.255.0

ip verify reverse-path interface outside

ip audit name Attack attack action alarm drop reset

ip audit name Info attack action alarm

ip audit interface outside Attack

ip audit attack action alarm drop reset

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 0 access-list dmz_nat0_outbound

nat (dmz) 1 0.0.0.0 0.0.0.0

nat (wifi) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 66.0.180.41 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http inside-network 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map wifi_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map wifi_map interface wifi

crypto isakmp enable outside

crypto isakmp enable wifi

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet inside-network 255.255.255.0 inside

telnet timeout 5

ssh inside-network 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

dhcpd lease 43200

dhcpd domain bcc.local

!

dhcpd address 192.168.0.101-192.168.0.199 inside

dhcpd enable inside

!

dhcpd address 192.168.2.101-192.168.2.199 wifi

dhcpd enable wifi

!


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec webvpn

group-policy bcc internal

group-policy bcc attributes

dns-server value xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

vpn-tunnel-protocol IPSec svc

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value bcc_splitTunnelAcl

default-domain value bcc.local

username sandy password hGIma.uniTOo2clx encrypted privilege 0

username sandy attributes

vpn-group-policy bcc

service-type remote-access

username admin password BWYVzIli.IEQNFZZ encrypted privilege 15

username chris password gTVs7SPJe.kfQ8G2 encrypted privilege 15

username jackie password eU4hdFAO+96mPOPTDfiuQQ== nt-encrypted privilege 0

username jackie attributes

vpn-group-policy bcc

service-type remote-access

username jabianm password KiOykgt6IbELsjHa encrypted privilege 15

tunnel-group bcc type remote-access

tunnel-group bcc general-attributes

address-pool VPNPool01

default-group-policy bcc

tunnel-group bcc ipsec-attributes

pre-shared-key *

tunnel-group bcc ppp-attributes

authentication ms-chap-v2

!

!

prompt hostname context

Cryptochecksum:a66229465ff2bfba0651985615eff57d

: end



Message was edited by: Robert McDonald

Correct Answer by Jennifer Halim (Cisco Employee), Sat, 04/03/2010 - 22:52

Both this statement:

static (inside,wifi) inside-network inside-network netmask 255.255.255.0


or this statement:

access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 wifi-network 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound


achieves the same thing. Both statements work bidirectionally as far as the translation is concerned, and it is configured for the higher security level towards the lower security level.


Traffic from high security to low security is allowed by default, so with either of the above statements, your inside network can initiate connections to your wifi network.


Traffic from low security to high security is not allowed by default. You would need either of the above statements PLUS an access-list applied on the wifi interface to be able to initiate connections from wifi towards the inside network. If you just have either of the above statements with no access-list applied to the wifi interface, you won't be able to initiate connections from the wifi network towards the inside network.


Hope that helps.
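Added example, not part of this thread or of the poster's config: the NAT exemption the poster chose, plus an explicit inbound ACL on the wifi interface so that wifi's isolation from inside and dmz is stated in policy rather than resting only on the security-level defaults, and packet-tracer checks for both directions. The network names are the thread's; the ACL name wifi_access_in and the host addresses in the packet-tracer lines are assumptions.

```cisco
! ASA 8.2 syntax, using the thread's names: inside-network 192.168.0.0/24,
! wifi-network 192.168.2.0/24, dmz-network 192.168.100.0/24.
!
! Why the failing static produced a land attack: static (inside,wifi)
! wifi-network inside-network presents inside hosts on the wifi side with
! addresses out of 192.168.2.0/24, the very subnet they are trying to reach,
! so a translated source can coincide with its destination; a packet whose
! source equals its destination is what the ASA drops as a land attack.
!
! Identity translation: inside keeps its real addresses toward wifi.
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 wifi-network 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Explicit policy on wifi (ACL name is an assumption). With no ACL, wifi (80)
! cannot reach inside (100) or dmz (90) because of the security levels; once
! an ACL is applied, the ACL decides, so deny those networks before the
! permit that lets wifi reach outside.
access-list wifi_access_in extended deny ip wifi-network 255.255.255.0 inside-network 255.255.255.0
access-list wifi_access_in extended deny ip wifi-network 255.255.255.0 dmz-network 255.255.255.0
access-list wifi_access_in extended permit ip wifi-network 255.255.255.0 any
access-group wifi_access_in in interface wifi
!
! Verification (host addresses are constructed for the example).
! inside -> wifi should end with "Action: allow", with the nat 0 exemption
! shown in the NAT phase:
packet-tracer input inside tcp 192.168.0.50 40000 192.168.2.150 80
! wifi -> inside should end with "Action: drop" in the ACCESS-LIST phase:
packet-tracer input wifi tcp 192.168.2.150 40000 192.168.0.50 445
```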

