ASA Question...

Unanswered Question
May 6th, 2010

Hello,

     I've started working with our Cisco ASA recently, but I'm very new to this system, so I need some help in setting up a rule.  I have an internal user that needs to be able to connect directly to a website, let's say (666.666.666.666).  I want to add a route to that user's PC, "route add 666.666.666.666 mask 255.255.255.255 192.168.1.3", and have that user pass through our ASA, which is 192.168.1.3.  Now on the ASA, where exactly would I create this rule, under Access rules or NAT rules?  And what would I have to put, an incoming and outgoing rule like userPC to 666.666.666.666 and 666.666.666.666 to userPC?

PS.  I am aware that 666.666.666.666 is not a valid address, I just don't want to make a mistake and put a real address.

Federico Coto F... Thu, 05/06/2010 - 08:35

Nicholas,

Good choice of IP ;-)

For the inside host to be able to surf the web, you require NAT/PAT.

From the CLI perspective, you add:

nat (inside) 1 x.x.x.x 255.255.255.0

global (outside) 1 y.y.y.y

Assuming that x.x.x.x is your internal network with a /24 mask and y.y.y.y is the outside IP of the ASA.

If the ASA's inside IP is the default gateway for the host, and you already have Internet access from the ASA, there's nothing else that you need to do.

Federico.

Jon Marshall Thu, 05/06/2010 - 08:38

Federico

You beat me to it again !!

Since you have started posting on the forums I don't get to answer that many security questions anymore.

Good to see we are both offering the same advice.

Jon

Federico Coto F... Thu, 05/06/2010 - 08:48

Jon,

Only when I have the time (sometimes not too often).

I still appreciate your advice on security as well as many other topics ;-)

Federico.

Jon Marshall Thu, 05/06/2010 - 08:37

On the ASA you would need to NAT/PAT the user's address to a public IP. Generally this is done using the public IP attached to the outside interface of the ASA, e.g.

nat (inside) 1 192.168.1.0 255.255.255.0  <--- note you can be more specific and just specify the user's IP if you want

global (outside) 1 interface

It would be worth checking the ASA first to see if that sort of NAT/PAT has already been set up.

If there is no access-list applied on the inside interface then that should be it; you shouldn't need to do anything else. If there is an access-list applied to the inside interface you would need to add -

access-list inside_access_in extended permit tcp host 192.168.1.200 host 666.666.666.666 eq 80

You don't need to worry about any ACL applied to the outside interface because the connection is initiated from inside.

Jon
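Jon's advice above comes down to two checks against the running config: is the user's inside address covered by a nat/global pair on the outside interface, and if an access-list is applied inbound on the inside interface, does it permit the flow (with the implicit deny at the end of every ACL in mind)? The script below is an added example for this thread, not code from the thread or from Cisco. It parses a constructed sample config written in the pre-8.3 nat/global syntax used here and answers both questions for a given host. The sample config, its 203.0.113.x addresses (standing in for the thread's 666.666.666.661/.666 placeholders), the ACL name inside_access_in and the nonat exemption list are all assumptions.

```python
"""Offline check of a pre-8.3 ASA running-config: is an inside host translated
outbound, and does an inside-interface ACL (if one is applied) permit the flow?
Added example for this thread, not Cisco code; the sample config is constructed."""
import ipaddress

# Constructed sample config (assumption, not from the thread). 203.0.113.61 and
# 203.0.113.66 stand in for the thread's 666.666.666.661/.666 placeholders.
SAMPLE_CONFIG = """\
hostname asa
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.61 255.255.255.0
access-list inside_access_in remark user PC to the one external web server
access-list inside_access_in extended permit tcp host 192.168.1.200 host 203.0.113.66 eq www
access-list outside_access_in extended permit icmp any any
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}


def _port(tok):
    """Numeric or named port as written after 'eq' in an ASA ACL."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(t, i):
    """Consume an ASA address spec (any | host A | NET MASK) at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out the nat/global pairs, access-group bindings and extended ACL lines."""
    cfg = {"nat": [], "global": [], "access_group": {}, "acl": {}}
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t or t[0] == "!":
            continue
        if t[0] == "nat" and t[3] != "access-list":       # nat (IF) ID NET MASK
            cfg["nat"].append((t[1].strip("()"), int(t[2]), _addr(t, 3)[0]))
        # 'nat (IF) ID access-list NAME' (exemption / policy NAT) is not modelled here
        elif t[0] == "global":                              # global (IF) ID interface|IP
            cfg["global"].append((t[1].strip("()"), int(t[2]), t[3]))
        elif t[0] == "access-group":                        # access-group NAME in interface IF
            cfg["access_group"][t[4]] = (t[1], t[2])
        elif t[0] == "access-list" and t[2] == "extended":  # skip remark/standard lines
            cfg["acl"].setdefault(t[1], []).append(t)
    return cfg


def outbound_translation(cfg, host, inside="inside", outside="outside"):
    """Return what the host is translated to on the outside interface, or None.
    Pre-8.3 pairing is by ID: 'nat (inside) N NET MASK' whose NET contains the host
    goes with 'global (outside) N ...'. First matching nat line wins (simplification)."""
    ip = ipaddress.ip_address(host)
    for ifname, nat_id, net in cfg["nat"]:
        if ifname != inside or ip not in net:
            continue
        if nat_id == 0:
            return "identity (nat 0): no translation"
        for gif, gid, target in cfg["global"]:
            if gif == outside and gid == nat_id:
                return target
    return None


def inside_acl_verdict(cfg, src, dst, dport, inside="inside"):
    """With no ACL applied inbound on the inside interface, higher-to-lower security
    traffic is allowed by default. Otherwise the first matching line decides, and an
    unmatched flow hits the implicit deny. Only destination 'eq PORT' is handled."""
    ag = cfg["access_group"].get(inside)
    if ag is None or ag[1] != "in":
        return "no inside ACL: allowed by default (higher to lower security)"
    name = ag[0]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in cfg["acl"].get(name, []):
        action, proto = t[3], t[4]          # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
        if proto not in ("tcp", "ip"):
            continue
        snet, i = _addr(t, 5)
        dnet, i = _addr(t, i)
        if s not in snet or d not in dnet:
            continue
        if i < len(t) and t[i] == "eq" and _port(t[i + 1]) != dport:
            continue
        return f"{action} by {name}"
    return f"implicit deny by {name}"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("translated to:", outbound_translation(cfg, "192.168.1.200"))
    print("inside ACL:", inside_acl_verdict(cfg, "192.168.1.200", "203.0.113.66", 80))
```

Run it against the real running-config (`show running-config` pasted into a file) instead of SAMPLE_CONFIG; if `outbound_translation` returns None the host has no nat/global pair and the dynamic PAT lines from the replies above are what is missing, and if the verdict is "implicit deny" the inside ACL is what blocks the user even though NAT is fine.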

Kimberly Adams Thu, 05/06/2010 - 08:41

Nicholas,

First off I would like to ask a question: why would you be adding a route to a specific user's PC and not allowing a default gateway to route to the ASA?  On the ASA you would not use the NAT rules but the Access Rules to add this user to be permitted to a site.

Thanks,

Kimberly

Jon Marshall Thu, 05/06/2010 - 08:49

Kimberly

Good question on the specific route. Perhaps the default gateway is pointing to a different device, in which case a default route could just be added to that device pointing to the ASA. Or perhaps there are multiple ASAs in the network.

However, on an ASA all traffic is by default allowed from a higher to a lower security interface. So you wouldn't need to modify the access rules unless there was an ACL specified on the inside, and this is far less common than an ACL on the outside interface.

Jon

Kimberly Adams Thu, 05/06/2010 - 08:54

Thanks Jon,

I was assuming that he was looking for a specific host to a specific destination without allowing all of the public space.  Without knowing some of the specifics of what he is trying to do and allow, it makes it a little harder to answer specifically.  That is kind of why I started out with general statements.

I am trying to get braver answering questions and engaging more in the forums. 

Kimberly

Jon Marshall Thu, 05/06/2010 - 08:58

Kimberly

You absolutely should get more involved; the more expertise we get in these forums the better. Apologies if it seemed I was being difficult, not my intention at all. Often in threads we just all dive in and add to what others have said to make sure the original poster gets the full answer.

So please don't let me put you off answering posts.

Jon

Kimberly Adams Thu, 05/06/2010 - 09:16

Jon,

I didn't take it that you were being difficult.  I am always a little timid at first to jump in for things like this, but I am working to get braver!  By the way, thanks for being such a good resource out here! 

Kimberly

CiscoSlicster Thu, 05/06/2010 - 09:01

Thanks for the great replies!

They all make sense, but I'm not a Cisco command line guy.  I'm currently using the GUI to apply my changes, so if I'm in the "NAT Rules" section, would I add the following?

a Static NAT Rule

a Dynamic NAT Rule

or a NAT Exempt Rule

Sorry, but I'm a beginner at this.  I am normally the internal Windows administrator, and our infrastructure guy left a few months ago, so I'm trying to figure this thing out.  Thanks.

Here are the IPs of the systems in question:

UserPC = 192.168.1.200

Internal ASA address - 192.168.1.3

Public ASA address - 666.666.666.661

UserPC is trying to reach 666.666.666.666

I actually wouldn't mind being able to use the ASA as the default gateway for the user.  This would actually fix one of the internet issues we're having here.

Jon Marshall Thu, 05/06/2010 - 09:31

Nicholas

Do you have internet connectivity already through this firewall? The reason I ask is that if you do, it is very likely that you don't need to add any NAT rules (by the way, it would be a dynamic NAT you are looking to add). So I don't want to start telling you to add things, as it could break your existing setup.

Unfortunately I have very little experience with the GUI. Is there any chance you could log onto the ASA and send us a copy of the running-config?

Jon

Kimberly Adams Thu, 05/06/2010 - 12:19

Nicholas,

I agree with Jon: if you can give us a copy of the running configuration, that will allow us to help you more.  I have a little knowledge of ASDM but prefer the command line.

If you are not sure of how to pull the config from the ASA I can also provide you the steps necessary.  Please let us know.

Kimberly

w.rana Wed, 07/07/2010 - 12:33

access-list outside_access_in extended permit tcp any host 666.666.666.666 eq 80  (666.666.666.666 being the outside IP address; use any port you want to see)

static (inside,outside) tcp 666.666.666.666 80 192.168.1.1 80 netmask 255.255.255.255

or

access-list outside_access_in extended permit tcp any host 666.666.666.666 eq 80  (or any port you want to see)

static (inside,outside) 666.666.666.666 192.168.1.1 netmask 255.255.255.255
