Access list, security levels and NAT

frederikjb
Level 1

Hello

I'm pretty confused now... hopefully someone can point out where I go wrong.

I'm using a 5505 (9.1), with several VLANs with security levels from 0 to 100.

When adding an access rule "any any http permit" to a VLAN with security level 50, it can access HTTP services on a VLAN with security level 100 without any additional NAT rule... this wasn't the case before ASA 8.4, or? (Am I missing something very obvious?)

I used to add NAT rules to make this happen, but now it seems there's a free flow... My intention is that users on the VLAN with seclevel 50 can access outside HTTP, HTTPS etc. (on the outside VLAN with seclevel 0), and not other services on other internal VLANs with a higher sec level... and adding "any outside http permit" doesn't work for me.

Sorry for the ugly access list examples... I'm using ASDM ;)

- Frederik

1 Reply

With PIX, and if I am not mistaken ASA 8.0, NAT control was enabled by default. So unless you disabled NAT control you had to configure NAT to allow traffic between interfaces, as well as adding an access list.

As of 8.2 NAT control is disabled by default, and I believe it was in 8.3 that it was removed completely... though don't quote me on that, it might have been 8.4 where it was removed completely.

But since 8.2 at least, you could add, as you mentioned, a permit tcp any any eq http access list and, depending on whether all other configuration permits it (i.e. NAT is needed if going to the internet), the connection is added to the state table and traffic is permitted to and from the destination for that specific connection. Of course, if the destination tries to initiate a new connection outside of the one already established, it will not be automatically allowed and will need to go through the checks the ASA performs and be added to the state table or dropped, depending on whether it is permitted or not.

A little more info on security levels. So long as you have no ACL configured on the interface, security levels will play their part. Once you add an ACL to the interface, the security level is no longer used and instead the ACL is checked.

So, if you want VLAN 50 to be able to HTTP and HTTPS to the internet but not to the inside network, you would need to place a deny statement at the top of the list to prevent this. So something like the following (where 10.10.10.0/24 is the inside network and 11.11.11.0/24 is the DMZ network):

! Deny DMZ -> inside first; ACLs are evaluated top-down, first match wins
access-list DMZ-to-OUT extended deny ip 11.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
! Port matches ("eq") are only valid with tcp/udp, not ip
access-list DMZ-to-OUT extended permit tcp 11.11.11.0 255.255.255.0 any eq http
access-list DMZ-to-OUT extended permit tcp 11.11.11.0 255.255.255.0 any eq https
! Everything else from the DMZ hits the implicit deny at the end of the list
access-group DMZ-to-OUT in interface DMZ

Now, so long as you do not add an ACL to the inside interface, or you have a permit ip any any on the inside interface, the inside network will be allowed to initiate traffic to the DMZ but not vice versa.

--

Please remember to select a correct answer and rate
