Direct access to devices behind the firewall

nimalrajphilips
Level 1

Hello,

I am trying to establish a direct connection to devices behind the firewall without NAT.

I have an ASA5510 FW where both sides are private IP addresses. The outside interface is security level 0 and the inside interface is security level 100.

I have a couple of servers behind the firewall. But I want them to be accessed using their own IP addresses from outside, rather than using mapped IP addresses.

I tried with nat 0. But then I realised it won't work, as it only protects the source IP address of the devices behind the firewall from being translated.

Is it possible to do that? If so, can you give me the step-by-step procedure?

Cheers

Nimalraj



Jennifer Halim
Cisco Employee

You can configure NAT exemption, i.e. nat 0 with an access-list.

Example:

Inside host has IP address 192.168.100.5

Outside host has IP address 192.168.200.5

For the outside host to access the inside host on its private IP address, you can configure the following:

access-list nonat permit ip host 192.168.100.5 host 192.168.200.5

nat (inside) 0 access-list nonat

On your inbound access-list on the outside interface, you would need to allow the access. Check the name of the outside access-list with "sh run access-group", then add the following access-list entry:

access-list permit ip host 192.168.200.5 host 192.168.100.5

Or a more restrictive access-list if you wish.

Hope that helps.

Hi, I tried that beforehand. But it didn't work. The following is the configuration I have in my ASA.

access-list inbound extended permit icmp any any
access-list inbound extended permit ip any any

access-list nonat extended permit ip any host 172.16.1.20

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.1.0 255.255.255.0

access-group inbound in interface outside

All the clients have internet access. But I cannot ping or connect to the 172.16.1.20 machine.

Any idea..?

Are the servers ever going to go out from the inside and get translated to the public IP on your outside interface?

If they are, do you know the specific source IPs you want to use to be able to access the servers on their private addresses from outside?

Jon

No. These servers are going to remain private. And there won't be any mapping from the outside interface to the private IP address of the server.

That's why I want some way to access the server using the private IP address, rather than using the mapped IP address.

Nimalraj

Try this -

static (inside,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0

where 172.16.10.0/24 would be the server subnet.

Jon

That did the trick for me.

Can you elaborate more about this command? The reason I am asking is that it worked without even the nat 0 command.

That's why I am a bit confused.

Cheers

nimalrajphilips wrote:

That did the trick for me.

Can you elaborate more about this command? The reason I am asking is that it worked without even the nat 0 command.

That's why I am a bit confused.

Cheers

Basically it is a static NAT statement that takes precedence over your dynamic NAT statements. Usually you see something like:

static (inside,outside) 195.17.10.10 192.168.5.10 netmask 255.255.255.255

where you are NATting the private IP of 192.168.5.10 on the inside to the public IP of 195.17.10.10 on the outside. Yes, the (inside,outside) are the wrong way round compared to IOS, but you get used to it.

Using a static NAT allows connections to be initiated from the outside to the inside. With your example, i.e.

static (inside,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0

we are simply saying present the 172.16.10.x addresses to the outside as 172.16.10.x.

Note that on other vendors' firewalls you wouldn't need this statement if the addresses you present are the same as the real addresses, as in your scenario, but this is another quirk of the Cisco PIX/ASA firewalls.

Jon

Thanks a lot, Jon.

When you use the NAT exemption method, your ACL is the other way round.

You have "access-list nonat extended permit ip any host 172.16.1.20" configured. It should have been "access-list nonat extended permit ip host 172.16.1.20 any".

However, as Jon suggested, you can also use the static-to-itself statement.

Both ways will work.
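To put the two answers side by side, here is an added pre-8.3 ASA configuration fragment (not posted by anyone in this thread) that shows the reversed nonat ACL from the original post next to the corrected one, and the identity static as the alternative. The server 172.16.1.20 and the 172.16.1.0/24 subnet come from the thread; the outside host 192.168.200.5 is borrowed from Jennifer's example and is an assumed address.

```cisco
! --- Original (does not work for inbound): ACL is written from the outside host's view.
! NAT exemption ACLs are evaluated with the INSIDE host as the source.
access-list nonat extended permit ip any host 172.16.1.20

! --- Corrected NAT exemption: inside host is the source, outside host the destination.
access-list nonat extended permit ip host 172.16.1.20 host 192.168.200.5
nat (inside) 0 access-list nonat

! --- Alternative (Jon's answer): identity static for the server subnet.
! Present 172.16.1.x to the outside as 172.16.1.x; static NAT permits
! outside-initiated connections and takes precedence over the dynamic NAT below.
! Either nat 0 or the identity static is sufficient on its own.
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

! Dynamic PAT for everything else on the inside going out.
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0

! Inbound ACL on the outside interface. The thread's "permit ip any any" opens
! every exposed host; limit it to the one peer and service actually needed.
access-list inbound extended permit tcp host 192.168.200.5 host 172.16.1.20 eq 443
access-list inbound extended permit icmp host 192.168.200.5 host 172.16.1.20 echo
access-group inbound in interface outside
```

Verify with "show xlate" (the identity translation should appear once traffic flows) and "packet-tracer input outside tcp 192.168.200.5 12345 172.16.1.20 443" to confirm both the NAT lookup and the ACL phase pass.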

Hi,

I will try this option too. Thanks for your update.

Cheers
