ASA 5510 - Setting up ACL to permit access only to the Nat'ed subnet

Unanswered Question
Apr 10th, 2012

Hi,

I experiencing an issue in setting up an ACL on my ASA 5510 to permit access only to the Nat subnet from inside to the outside interface. This firewall is setup for the DR solution in the production network. I am applying following acl in the inbound direction on the inside interface.

permit ip any "Nat_subnet"

After appliying this acl to inside interface I observed that I can ping to the destinations in NAT'ed subnet but unable to ssh to the servers. Following is the summary of my configuration. I would appreciate if someone please advice to resolve this issue.

Regards,

Muds

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.135.249 255.255.255.248 standby 192.168.135.250

!

object-group network d1-dr-nat_nets

network-object 192.168.128.0 255.255.248.0

!

object network 10.210.14.0_Net

nat (outside,inside) static 192.168.128.0_Net

object network 10.210.16.0_Net

nat (outside,inside) static 192.168.129.0_Net

object network 10.210.80.0_Net

nat (outside,inside) static 192.168.130.0_Net

object network 10.210.84.0_Net

nat (outside,inside) static 192.168.131.0_Net

object network 10.210.86.0_Net

nat (outside,inside) static 192.168.132.0_Net

object network 10.210.88.0_Net

nat (outside,inside) static 192.168.133.0_Net !
object network 10.210.14.0_Net
nat (outside,inside) static 192.168.128.0_Net
object network 10.210.16.0_Net
nat (outside,inside) static 192.168.129.0_Net
object network 10.210.80.0_Net
nat (outside,inside) static 192.168.130.0_Net
object network 10.210.84.0_Net
nat (outside,inside) static 192.168.131.0_Net
object network 10.210.86.0_Net
nat (outside,inside) static 192.168.132.0_Net
object network 10.210.88.0_Net
nat (outside,inside) static 192.168.133.0_Net

!

!

access-list prod_lan-in extended permit ip any object-group d1-dr-nat_nets

!

access-group prod_lan-in in interface inside

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
Jouni Forss Tue, 04/10/2012 - 02:20

Hi,

When you do NAT in the new software (8.3 and after) you have to open the traffic in the ACL to the real destination addresses and not the NAT addresses.

So basicly I guess in this situation your destination address in the access-list "prod_lan-in" should be the networks starting with 10.210.x.x

Make an object-group for those networks and add an access-list line for that.

Let me know how it goes or ask any addiotional questions

- Jouni

mudassar.khan Tue, 04/10/2012 - 02:34

Hi Jouni,

Thanks for the reply. The basic idea behind NATing is to hide the 10.210.x.x subnet connected to the outside interface of the firewall from the inside. In the current scenario we have 10.210.x.x subnets in the production and same subnets in DR environment. We are using ACL to make sure that firewall can only pass taffic destined for 192.168.x.x subnets.

As I have mentioned that ping to the servers are working fine so I asume that translation is working fine. At this moment the only services I can test is SSH which is not working for some reason.

If I add acl permit ip any any it works fine.any ideas?

Thanks,

Muds 

Jouni Forss Tue, 04/10/2012 - 02:43

Hi,

As I mentioned even though you NAT the address from outside to inside you will have to use the REAL IP ADDRESSES in the access-list statements

Your hosts on inside will still be connecting to the NAT IP address of the hosts on outside BUT the ASA needs the ACL statements with the NATed hosts original IP addresses

Let me give an simple example

object network STATIC

host 10.10.10.10

nat (outside,inside) static 192.168.10.10

access-list INSIDE-IN permit ip any host 10.10.10.10

or

access-list INSIDE-IN permit ip any object STATIC

- Jouni

Actions

Login or Register to take actions

This Discussion

Posted April 10, 2012 at 1:42 AM
Stats:
Replies:3 Avg. Rating:
Views:551 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard

Rank Username Points
1 7,861
2 6,140
3 3,170
4 1,473
5 1,446