I've got two internal networks, y and z. y is the most secure, and is allowed access to z. Both are allowed full access to the internet and some hosts across a vpn tunnel. I'm trying to add a rule to allow hosts on z to access a single host on y (port 9999).
Relevant config bits follow:
ip address x.x.x.x 255.255.255.248
ip address y.y.y.y 255.255.255.0
ip address z.z.z.z 255.255.255.0
access-list y_outbound_nat0 extended permit ip y.y.y.0 255.255.255.0 z.z.z.0 255.255.255.0
access-list z_outbound_nat0 extended permit ip z.z.z.0 255.255.255.0 y.y.y.0 255.255.255.0
The config above partially works, in that it allows z to access the host on y, but it also denies access across the vpn and (I think) the internet. I assume this is because the access-list z_to_y has the implicit deny any any at the end. What is the right way to accomplish this?
I was considering the following, but wasn't sure if it was the right solution (or if it would work correctly):
access-list z_to_y extended permit ip y.y.y.0 255.255.255.0 any
access-group z_to_y in interface y
Also, I read a thread that advocated against using nat0 rules except for VPN, indicating that static statements should be used instead... Just wondering if anyone knows the rationale behind that, since I obviously am using nat0 rules to not NAT between internal networks.
Re: Access from lower security interface to higher
Thanks, I went ahead and tried what you suggested and it is working fine now. It just seemed excessive to me to have to specify deny statements for each internal network and then add the allow any rule, but I guess that is just how it has to be. I don't make firewall changes very often, so it is always difficult for me to get back in the Cisco mindset.
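As an added illustration that is not part of this thread, here is what the approach the reply describes (an explicit deny for the protected internal network, then a permit any) looks like as an ACL applied inbound on the z interface. The ACL name z_access_in, the placeholder host address y.y.y.HOST and the assumption that the interface nameifs are literally y and z are mine, not the poster's.

```cisco
! Added example, not from the original thread. Assumes nameif "z" and "y",
! pre-8.3 ASA syntax (matching the nat0 access-lists above) and a
! placeholder y.y.y.HOST for the single host that z is allowed to reach.
!
! 1. The one flow from the lower-security network z into y that is wanted.
access-list z_access_in extended permit tcp z.z.z.0 255.255.255.0 host y.y.y.HOST eq 9999
! 2. Block everything else from z into the more secure y network.
access-list z_access_in extended deny ip z.z.z.0 255.255.255.0 y.y.y.0 255.255.255.0
! 3. Let the remaining traffic (internet, hosts across the VPN tunnel) through;
!    without this line the implicit deny at the end of the list drops it.
access-list z_access_in extended permit ip z.z.z.0 255.255.255.0 any
! Apply inbound on z, the interface where z's traffic enters the firewall.
access-group z_access_in in interface z
```

Note that the draft in the question (permit ip y.y.y.0 ... any, applied inbound on interface y) matches y's own outbound traffic, not the z-to-y flow, so it would not by itself grant the access being sought. After applying the list, the hit counters in "show access-list z_access_in" confirm which entry each flow is matching.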