I'm pretty confused now... hopefully someone can point out where I go wrong.
I'm using a 5505 (9.1), with several VLANs with security levels from 0 to 100.
When adding an access rule "any any http permit" to a VLAN with security level 50, it can access HTTP services on a VLAN with security level 100 without any additional NAT rule... this wasn't the case before ASA 8.4, or? (Am I missing something very obvious?)
I used to add NAT rules to make this happen, but now it seems there's a free flow... My intention is that users on the VLAN with security level 50 can access outside HTTP, HTTPS etc. (on the outside VLAN with security level 0), and not other services on other internal VLANs with a higher security level... and adding "any outside http permit" doesn't work for me.
Sorry for the ugly access list examples... I'm using ASDM ;)
With PIX, and if I am not mistaken ASA 8.0, NAT control was enabled by default. So unless you disabled NAT control you had to configure NAT to allow traffic between interfaces as well as adding an access list.
As of 8.2 NAT control is disabled by default, and I believe that it was in 8.3 that it was removed completely... though don't quote me on that, it might have been 8.4 where it was removed completely.
But since 8.2 at least, you could add, as you mentioned, a "permit tcp any any eq http" access list and, depending on whether all other configuration permits it (i.e. NAT is needed if going to the internet), the connection is added to the state table and traffic is permitted to and from the destination for that specific connection. Of course, if the destination tries to initiate a new connection outside of the one already established, it will not be automatically allowed and will need to go through the checks the ASA performs and be added to the state table or dropped, depending on whether it is permitted or not.
A little more info on security levels. So long as you have no ACL configured on the interface, security levels will play their part. Once you add an ACL to the interface, the security level is no longer used and instead the ACL is checked.
So, if you want VLAN 50 to be able to HTTP and HTTPS to the internet but not to the inside network, you would need to place a deny statement at the top of the list to prevent this. So something like the following (where 10.10.10.0/24 is the inside network and 18.104.22.0/24 is the DMZ network):
access-list DMZ-to-OUT extended deny ip 18.104.22.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ-to-OUT extended permit tcp 18.104.22.0 255.255.255.0 any eq www
access-list DMZ-to-OUT extended permit tcp 18.104.22.0 255.255.255.0 any eq https
access-group DMZ-to-OUT in interface DMZ
Now, so long as you do not add an ACL to the inside interface, or you have a "permit ip any any" on the inside interface, the inside network will be allowed to initiate traffic to the DMZ but not vice versa.
Please remember to select a correct answer and rate
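To make the decision logic in the answer above concrete, here is a small model of how an ASA decides whether a new connection may be initiated: if the ingress interface has an inbound ACL, the first matching entry decides and an unmatched packet hits the implicit deny at the end; if there is no ACL, the ingress interface's security level must be higher than the egress interface's. This is an added example written for this thread, not code from the poster or from Cisco. It deliberately ignores NAT, global ACLs, object groups and "same-security-traffic", and the interface names, the 18.104.22.0/24 DMZ subnet and the test addresses are constructed for illustration.

```python
"""Toy model of ASA interface-ACL / security-level decisions.

Constructed example for this thread; not Cisco code.  Ignores NAT,
global ACLs, object groups and 'same-security-traffic'.
"""
import ipaddress

# Port keywords accepted after "eq"; the running config shows port 80 as "www".
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}

# The ACL from the answer (DMZ subnet 18.104.22.0/24, inside subnet 10.10.10.0/24).
PAGE_ACL = """\
access-list DMZ-to-OUT extended deny ip 18.104.22.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ-to-OUT extended permit tcp 18.104.22.0 255.255.255.0 any eq www
access-list DMZ-to-OUT extended permit tcp 18.104.22.0 255.255.255.0 any eq https
"""

# interface name -> (security level, inbound ACL name or None); names are assumptions
IFACES = {"inside": (100, None), "DMZ": (50, "DMZ-to-OUT"), "outside": (0, None)}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _endpoint(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]; return (net, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport_or_None), ...]}."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, proto = t[1], t[3], t[4]
        src, i = _endpoint(t, 5)
        dst, i = _endpoint(t, i)
        dport = _port(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def acl_permits(rules, proto, src_ip, dst_ip, dport):
    """First matching entry decides; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, r_proto, src, dst, r_port in rules:
        if r_proto != "ip" and r_proto != proto:
            continue
        if s not in src or d not in dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action == "permit"
    return False


def can_initiate(ifaces, acls, src_if, dst_if, proto, src_ip, dst_ip, dport=None):
    """May a NEW connection arriving on src_if be built towards dst_if?

    Replies for an established connection are matched by the state table
    and never re-evaluated here, which is the stateful behaviour the answer
    describes.
    """
    level, acl_name = ifaces[src_if]
    if acl_name is not None:                 # an inbound ACL replaces the level check
        return acl_permits(acls[acl_name], proto, src_ip, dst_ip, dport)
    return level > ifaces[dst_if][0]         # no ACL: higher-to-lower only


if __name__ == "__main__":
    acls = parse_acls(PAGE_ACL)
    for dst_if, dst_ip, port in [("outside", "203.0.113.5", 80), ("inside", "10.10.10.5", 80)]:
        ok = can_initiate(IFACES, acls, "DMZ", dst_if, "tcp", "18.104.22.10", dst_ip, port)
        print(f"DMZ -> {dst_if} tcp/{port}: {'permit' if ok else 'deny'}")
```

Feeding the original poster's "permit tcp any any eq http" into the same model shows why DMZ hosts could reach HTTP on the inside VLAN: once an ACL is bound, the 50-versus-100 level comparison is skipped and "any" matches the inside subnet, which is exactly what the leading deny entry in the answer's ACL prevents.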