Direct access to devices behind the firewall

Answered Question
May 18th, 2010

Hello,


I am trying to establish a direct connection to devices behind the firewall without NAT.


I have an ASA5510 FW where both sides are private IP addresses. The outside interface is security level 0 and the inside interface is security level 100.


I have a couple of servers behind the firewall. But I want them to be accessed using their own IP addresses from outside, rather than using mapped IP addresses.


I tried with nat 0. But then realised it won't work, as it only prevents the source IP address of the devices behind the firewall from being translated.


Is it possible to do that? If so, can you give me the step by step procedure?


Cheers

Nimalraj


Jennifer Halim Tue, 05/18/2010 - 06:12

You can configure NAT exemption, i.e. nat 0 with an access-list.


Example:

Inside host has ip address of 192.168.100.5

Outside host has ip address of 192.168.200.5


For outside host to access inside host with its private ip address, you can configure the following:


access-list nonat permit ip host 192.168.100.5 host 192.168.200.5

nat (inside) 0 access-list nonat


On your inbound access-list on the outside interface, you would need to allow the access. Check the name of the outside access list with "sh run access-group", then add the following access-list (OUTSIDE-ACL-NAME is a placeholder for that name):

access-list OUTSIDE-ACL-NAME extended permit ip host 192.168.200.5 host 192.168.100.5


OR a more restrictive access-list if you wish.


Hope that helps.

nimalrajphilips Tue, 05/18/2010 - 06:40

Hi, I tried that beforehand. But it didn't work. The following is the configuration I have in my ASA.


access-list inbound extended permit icmp any any
access-list inbound extended permit ip any any


access-list nonat extended permit ip any host 172.16.1.20


global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.1.0 255.255.255.0


access-group inbound in interface outside



All the clients have internet access. But I cannot ping or connect to the 172.16.1.20 machine.


Any idea?

Jon Marshall Tue, 05/18/2010 - 06:47

Are the servers ever going to go out from the inside and get translated to the public IP on your outside interface?


If they are, do you know the specific source IPs you want to use to be able to access the servers on their private addresses from outside?


Jon

nimalrajphilips Tue, 05/18/2010 - 06:50

No. These servers are going to remain private. And there won't be any mapping from the outside interface to the private IP address of the server.


That's why I want some way to access the server using the private IP address, rather than using the mapped IP address.


Nimalraj

Correct Answer
Jon Marshall Tue, 05/18/2010 - 06:54

Try this -


static (inside,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0


where 172.16.10.0/24 would be the server subnet.


Jon

nimalrajphilips Tue, 05/18/2010 - 07:11

That did the trick for me.


Can you elaborate more about this command? The reason I am asking is, it worked without even the nat 0 command.


That's why I am a bit confused.


Cheers

Jon Marshall Tue, 05/18/2010 - 07:16

nimalrajphilips wrote:


That did the trick for me.


Can you elaborate more about this command? The reason I am asking is, it worked without even the nat 0 command.


That's why I am a bit confused.


Cheers


Basically it is a static NAT statement that takes precedence over your dynamic NAT statements. Usually you see something like -


static (inside,outside) 195.17.10.10 192.168.5.10 netmask 255.255.255.255


where you are natting the private IP of 192.168.5.10 on the inside to the public IP of 195.17.10.10 on the outside. Yes, the (inside,outside) are the wrong way round compared to IOS, but you get used to it.


Using a static NAT allows connections to be initiated from the outside to the inside. With your example ie.


static (inside,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0


we are simply saying present the 172.16.10.x addresses to the outside as 172.16.10.x.


Note that on other vendors' firewalls you wouldn't need this statement if the addresses you present are the same as the real addresses, as in your scenario, but this is another quirk of the Cisco PIX/ASA firewalls.


Jon

Jennifer Halim Tue, 05/18/2010 - 15:24

When you use the NAT exemption method, your ACL is the other way round.


You have "access-list nonat extended permit ip any host 172.16.1.20" configured. It should have been "access-list nonat extended permit ip host 172.16.1.20 any"


However, as Jon suggested, you can also use the static-to-itself statement.


Both ways will work.
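An added check, not from the thread or from Cisco, that applies Jennifer's point about ACL direction: it scans a (constructed) pre-8.3 ASA config, finds the ACL named by "nat (inside) 0 access-list", and flags any entry whose source is not an inside address. The inside subnet 172.16.1.0/24 is assumed from nimalraj's nat 1 line; only "permit ip" entries are examined.

```python
import ipaddress
import re

# Constructed sample, reproducing the thread's mistake (pre-8.3 ASA syntax): the
# nat 0 ACL names the inside server as the destination instead of the source.
SAMPLE_CONFIG = """
access-list inbound extended permit ip any any
access-list nonat extended permit ip any host 172.16.1.20
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.1.0 255.255.255.0
"""
INSIDE_SUBNET = ipaddress.ip_network("172.16.1.0/24")  # assumed inside subnet

def _take(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Return (acl_name, src, dst) for an 'access-list NAME extended permit ip ...' line."""
    m = re.match(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$", line.strip())
    if not m:
        return None
    src, rest = _take(m.group(2).split())
    dst, _ = _take(rest)
    return m.group(1), src, dst

def nonat_direction_issues(config, inside_subnet):
    """List ACEs used by 'nat (inside) 0 access-list NAME' whose source is not inside.
    NAT exemption ACLs are written from the inside host's point of view: inside host
    as source, outside peer as destination."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    nonat_acls = set()
    for l in lines:
        m = re.match(r"nat\s+\(inside\)\s+0\s+access-list\s+(\S+)", l)
        if m:
            nonat_acls.add(m.group(1))
    issues = []
    for l in lines:
        parsed = parse_ace(l)
        if parsed and parsed[0] in nonat_acls:
            src = parsed[1]
            if src == "any" or not src.subnet_of(inside_subnet):
                issues.append(l)
    return issues
```

Calling nonat_direction_issues(SAMPLE_CONFIG, INSIDE_SUBNET) returns the reversed "any host 172.16.1.20" entry; swapping it to "host 172.16.1.20 any" as Jennifer describes returns an empty list.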
