Query regarding same security interface in ASA

May 19th, 2010

Hi halijenn / pkampana/all


I have a query regarding traffic traversing from one interface to another with the same security level as the other.


Inside range -> 192.168.10.0/24


Inside1 range -> 10.10.10.0/24


The inside interface and inside1 interface have same security level 100


[a] Consider that we have NAT-CONTROL enabled


a) I want to access the resources bidirectionally. If I want to access the resources from inside to inside1 and vice versa with "nat 0 with ACL":


same-security-traffic permit inter-interface

nat (inside) 0 access-list NONAT

access-list NONAT permit ip host 192.168.10.1 host 10.10.10.1


Hence please let me know if I need to add one more access-list in addition to the above for traffic from Inside1 to Inside, that is, do I need to configure the below as well? However, according to me NAT 0 with ACL is bidirectional and we should not require the below ACL for bidirectional traffic. Also please let me know what the config would be if these two interfaces were not on the same security level.


access-list NONAT permit ip host 10.10.10.1 host 192.168.10.1


b) I want to access the resources bidirectionally. If I want to access the resources from inside to inside1 and vice versa with the "static" command, please let me know if the below configuration is correct, i.e. will one static do or are both statics required?


same-security-traffic permit inter-interface

static (inside,inside1) 192.168.10.1 192.168.10.1

static (inside1,inside) 10.10.10.1 10.10.10.1


[b] Consider that we have NAT-CONTROL disabled


If no nat-control is configured how will the above change ?


Jennifer Halim Wed, 05/19/2010 - 04:13

[a] Consider that we have NAT-CONTROL enabled


a) You are absolutely correct. NAT exemption (NAT 0 with ACL) is bidirectional. Hence you only need to configure the NAT and ACL in 1 direction.

If you apply the NAT exemption on the inside interface, it would be as you have stated:

nat (inside) 0 access-list NONAT

access-list NONAT permit ip host 192.168.10.1 host 10.10.10.1


Or, alternatively, you can configure the following:

nat (inside1) 0 access-list NONAT-1

access-list NONAT-1 permit ip host 10.10.10.1 host 192.168.10.1


So it would be 1 or the other, not both.


If the security level is different, i.e. inside - 100, inside1 - 90, then NAT exemption is always configured in the direction of the high security level towards the low security level, and again, it is bidirectional, so you should only configure the following:

nat (inside) 0 access-list NONAT

access-list NONAT permit ip host 192.168.10.1 host 10.10.10.1


b) Static statement works exactly the same as NAT exemption above. It is also bidirectional. So you only need to configure 1 static line:

Either this:

static (inside,inside1) 192.168.10.1 192.168.10.1


Or this:

static (inside1,inside) 10.10.10.1 10.10.10.1


Not both.


[b] Consider that we have NAT-CONTROL disabled

If you have nat-control disabled, then for same-security interfaces you don't have to configure any NAT exemption or static statement. However, if the security level is different, for traffic from the high to the low security level you don't need any NAT exemption or static; for traffic originated from the low security level towards the high security level, you still need to configure a NAT exemption or static as per the above.


However, you can't have any NAT statement at all configured on the interface, because even if nat-control is disabled, if you have one NAT statement, for example nat (inside) 1 0 0, this will turn nat-control back on automatically.


Hope that answers your questions.

ankurs2008 Sat, 05/22/2010 - 00:47

Hi halijenn


This was an excellent explanation!!


1) In part [b], if I have "no nat-control" and the following statements are already there:


nat (inside) 1 0 0

global (outside) 1 interface


Now if inside1 has the same security level, then with the above statement enabled the nat-control will turn back on automatically.


Hence traffic from inside to inside1 will require the below statement, and inside1 to inside reachability will be accomplished automatically. Please correct me if I am wrong.


nat (inside) 0 access-list NONAT

access-list NONAT permit ip host 192.168.10.1 host 10.10.10.1


Now if inside1 has the lower security level and inside the higher one, STILL the above command will do. Please correct me if I am wrong.


2) In part [b], if I have "no nat-control" and there had been no "nat (inside)" and "global (outside)", then if both inside and inside1 are at the same security level there is no requirement for nat 0 with ACL, right? However, if both are on different security levels, only the lower (inside1) would require nat 0 with ACL. Let me know if it is correct?

Jennifer Halim Sat, 05/22/2010 - 00:57

You are absolutely correct with both 1) and 2), with one minor correction on the following statement in 2):


"However if both on diff sec level, only the lower (inside1) would require nat 0 with acl. Let me know if it is correct?":

--> If the security level is different, then you require either static or NAT exemption for traffic initiated from the lower security level; however, as far as the NAT exemption (nat 0 with ACL) is concerned, it should be configured on the higher security level interface (and it works bidirectionally, so traffic initiated from the lower security level will also work).


Hope that answers your question.

ankurs2008 Sun, 05/23/2010 - 03:52

Hi halijenn


Thanks for the reply. Does that mean we have to apply this on the higher security interface:


nat (inside) 0 access-list NONAT

access-list NONAT permit ip host 192.168.10.1 host 10.10.10.1



If we don't apply the above, will the below work if applied on the lower security interface, as again this is bidirectional NAT? According to me it will not, as you said, as this is the case of different security level interfaces, and even if the lower one requires to speak to the higher and we require nat 0 with ACL to accomplish it, the above statement will be the correct statement.


nat (inside1) 0 access-list NONAT-1

access-list NONAT-1 permit ip host 10.10.10.1 host 192.168.10.1

Correct Answer
Jennifer Halim Sun, 05/23/2010 - 04:04

nat (inside1) 0 access-list NONAT-1

access-list NONAT-1 permit ip host 10.10.10.1 host 192.168.10.1


will also work. Just from a best practice point of view, it is recommended to apply NAT exemption on the high security level interface. This provides consistency in your configuration, i.e. instead of having some interfaces with NAT exemption on the lower security level and some on the high security level, this ensures that NAT exemption is only configured on the higher security level interface towards the lower security level interface.

anksachd Mon, 05/24/2010 - 02:40

Hi Ankur


I read the thread and want to tell you that I am running through the same scenario and have had to add two "nat 0 with ACLs". So there are some times when a single nat 0 with ACL does not work.


halijenn


Please let me know if there are some bugs associated with this; if required I can post the software version and ASA model.


Thanks

ankur

Jennifer Halim Mon, 05/24/2010 - 04:41

Not too sure what you mean by single nat 0 with ACL does not work.

It should always work, and should be applied to the high security level interface, and make sure that you "clear xlate" after configuration changes.
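As an added illustration that is not part of this thread or of any Cisco tooling, the Python below parses a constructed ASA 8.2-style config fragment and reports the checks the thread settles on: same-security-traffic is required for equal levels, any regular nat line turns nat-control back on, a nat 0 exemption or static is needed in one direction only, and the exemption belongs on the higher-security interface. The interface names, security levels and the nat (inside) 1 0 0 line are assumptions; the NONAT-1 lines are the thread's.

```python
import re
# Constructed ASA 8.2-style config: interface names/levels and the 'nat 1' rule are assumed.
CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif inside1
 security-level 90
no nat-control
nat (inside) 1 0 0
access-list NONAT-1 extended permit ip host 10.10.10.1 host 192.168.10.1
nat (inside1) 0 access-list NONAT-1
"""
SST = "same-security-traffic permit inter-interface"

def parse(config):
    # Collect security levels, nat 0 exemptions, statics, regular nat rules and flags.
    levels, exempt, statics, regular, flags, cur = {}, [], [], [], set(), None
    for line in config.splitlines():
        if m := re.match(r" nameif (\S+)", line):
            cur = m.group(1)
        elif m := re.match(r" security-level (\d+)", line):
            levels[cur] = int(m.group(1))
        elif m := re.match(r"nat \((\S+)\) 0 access-list \S+", line):
            exempt.append(m.group(1))
        elif m := re.match(r"nat \((\S+)\) [1-9]", line):  # nat id != 0: a real NAT rule
            regular.append(m.group(1))
        elif m := re.match(r"static \((\S+),(\S+)\)", line):
            statics.append(frozenset(m.groups()))
        elif line in ("nat-control", SST):
            flags.add(line)
    return levels, exempt, statics, regular, flags

def audit(config, a, b):
    # Findings for traffic between interfaces a and b, applying the thread's rules.
    levels, exempt, statics, regular, flags = parse(config)
    same, out = levels[a] == levels[b], []
    high, low = (a, b) if levels[a] >= levels[b] else (b, a)
    if same and SST not in flags:
        out.append(f"same-level interfaces need '{SST}'")
    # Any nat rule with id != 0 turns nat-control back on, even after 'no nat-control'.
    nat_control = "nat-control" in flags or bool(regular)
    ex = [i for i in exempt if i in (a, b)]
    st = [s for s in statics if s == frozenset((a, b))]
    if (nat_control or not same) and not ex and not st:
        who = "all traffic" if nat_control else f"traffic initiated from {low}"
        out.append(f"{who} between {a} and {b} needs a NAT exemption or static")
    if len(ex) > 1 or len(st) > 1:
        out.append("exemption/static is bidirectional: configure one direction only")
    if not same and low in ex:
        out.append(f"best practice: apply nat 0 exemption on {high}, not {low}")
    return out
```

Running audit(CONFIG, "inside", "inside1") on the constructed fragment reports only the best-practice finding, because the nat (inside) 1 0 0 line already counts as nat-control being on and the exemption is present, just on the lower-security interface.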
