01-16-2014 08:26 PM - edited 03-11-2019 08:31 PM
Hi All,
In my quest to learn Cisco IOS and devices, I need some help in traffic shaping, or access-lists, specifically allowing traffic between internal interfaces on the ASA.
I have an ASA 5510:
LAN/WAN/DMZ labeled ports E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).
Attached to port E0/0 is a 2811 Router
Attached to port E0/1 is the Internet (Outside)
Attached to port E0/2 is a 2821
(I will be adding a 3745 for VOIP) port E0/3 but it hasn't arrived yet.
I want to allow traffic between the 2811 and the 2821 routers so that devices on the networks behind them can talk to each other.
I have specified specific subnets between the ASA and the routers because I want to learn how to shape traffic behind the routers as well as on the ASA. So behind the routers I have different VLANs, but I am not restricting access between them, yet, at least I don't think I am. But as it is, devices behind the 2821 can't access the DNS / domain server which is behind the 2811. Right now I am having the routers supply DHCP, which is working. Currently devices behind the 2821 router / 3560 switch cannot access the domain server (the primary DNS server).
How do I setup the ASA to allow traffic to flow between the two routers and their VLANS?
Here are the configs of each of the devices, and I have also included my switch configs, in case something needs to be set on them. I have only redacted the passwords and parts of the external IPs. I appreciate the help in what statements to create and on which devices.
I think it is best I put links to the text files here.
Thank you!
01-24-2014 11:54 AM
Remove them.
Where do you want to grant the access from?
Since the security level of the DMZ and Inside is the same, and same-security inter-interface traffic is permitted, hosts behind these interfaces must have access to each other.
In order for networks behind the LAN router to have access to the internet, add them to PAT-SOURCE.
For security reasons, the security level of the DMZ interface should be lower than the Inside and higher than the Outside. In this case an access-list should be applied to the DMZ to permit certain traffic to the networks behind the Inside and Outside.
01-24-2014 12:15 PM
Maxim Mogorean wrote:
Remove them.
Where do you want to grant the access from?
Since the security level of the DMZ and Inside is the same, and same-security inter-interface traffic is permitted, hosts behind these interfaces must have access to each other.
In order for networks behind the LAN router to have access to the internet, add them to PAT-SOURCE.
For security reasons, the security level of the DMZ interface should be lower than the Inside and higher than the Outside. In this case an access-list should be applied to the DMZ to permit certain traffic to the networks behind the Inside and Outside.
I want to grant access to security cameras on some of the different networks from a specific outside source (remote location).
Basically I want to allow http (www) access from 98.22.xxx.xxx to an IP address behind the 2811 at IP address 192.168.1.5 port 8080.
Here is my updated NAT:
ASA5510# sh run nat
!
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh 2222
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh 2223
!
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
Access-Lists:
ASA5510# sh run access-list
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
01-24-2014 12:35 PM
object network CAM
host 192.168.1.5
nat (Inside,Outside) static interface service tcp 8080 80
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object CAM eq 8080
01-24-2014 01:18 PM
Awesome, thank you. Just to make sure I am reading it correctly.
I created a Network Object called CAM.
I assigned the Object's host as 192.168.1.5.
I then created a NAT specifying that the host can be accessed statically on TCP port 8080, which is translated to port 80.
Then I created an entry in my Outside_access_in access-list permitting my external IP to access the Object called CAM via port 8080.
So when I try and connect to it from my remote location I type http://123.456.789.10:8080 and that will route me to 192.168.1.5 on port 80?
Just want to make sure I have the flow correct. I think I have it, unless I am reading the NAT backwards.
Thanks!
Maxim Mogorean wrote:
object network CAM
host 192.168.1.5
nat (Inside,Outside) static interface service tcp 8080 80
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object CAM eq 8080
01-24-2014 02:32 PM
You got it correctly, except port mapping.
You should read the nat rule by the following:
nat (real_ifc,mapped_ifc) static interface service {tcp | udp} real_port mapped_port
that is:
real_ifc = Inside
mapped_ifc = Outside
real_port = 8080 (behind real_ifc)
mapped_port = 80 (behind mapped_ifc)
You connect to the Outside interface IP address port 80 and get to the CAM behind the Inside port 8080
In the Outside access list you indicate real IP and real port, since access list is applied after NAT
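Since the real_port/mapped_port order in this reply is exactly what tripped up the original poster (the first attempt had `service tcp 8080 80` with the camera actually listening on 80), here is an added example that is not from the thread or from any Cisco tool: a small Python script that parses the `sh run nat` / `sh run access-list` text posted above, reads each static port-forward the way Maxim describes (mapped side on the Outside, real side on the Inside), and audits two things: that real_port is the port the inside host really listens on, and that the Outside ACL names the real port, since on ASA 8.3+ the interface ACL is matched against untranslated addresses and ports. The "listens on" table is operator knowledge supplied by hand (assumed: the camera listens on 80, as stated in the thread); the redacted `98.22.xxx.xxx` is left as posted.

```python
"""Audit ASA 8.3+ object-NAT port-forwards against the inbound ACL.

Reading of the rule, per the reply above:
    nat (real_ifc,mapped_ifc) static interface service {tcp|udp} real_port mapped_port
Added example for this thread; config text is copied from the posts, and the
'listens on' ports are assumptions supplied by the operator, not read from the ASA."""
import re

# ASA service keywords used in the thread, resolved to port numbers.
PORT_NAMES = {"ssh": 22, "www": 80, "http": 80, "https": 443, "domain": 53}

NAT_RE = re.compile(
    r"nat \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) static interface "
    r"service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+)$")
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) "
    r"host (?P<src>\S+) object (?P<obj>\S+) eq (?P<port>\S+)$")


def port_number(token):
    """Turn an ASA port keyword ('www') or a numeric string into an int."""
    return PORT_NAMES.get(token) or int(token)


def parse_object_nat(config):
    """Map object name -> fields of its static port-forward (Section 2 auto NAT)."""
    rules, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]          # the object the next nat line belongs to
            continue
        m = NAT_RE.match(line)
        if m and current:
            rules[current] = {
                "real_ifc": m["real_ifc"], "mapped_ifc": m["mapped_ifc"],
                "proto": m["proto"],
                "real_port": port_number(m["real_port"]),
                "mapped_port": port_number(m["mapped_port"]),
            }
    return rules


def parse_acl(config, acl_name):
    """Collect (object, proto, port) for every ACE of one extended ACL that permits an object."""
    entries = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m["name"] == acl_name:
            entries.append((m["obj"], m["proto"], port_number(m["port"])))
    return entries


def describe(rule):
    """State the forward from the remote client's point of view."""
    return (f"connect to {rule['mapped_ifc']} interface {rule['proto']}/{rule['mapped_port']} "
            f"-> translated to {rule['real_ifc']} host {rule['proto']}/{rule['real_port']}")


def audit(config, acl_name, listens_on):
    """Return {object: [problems]}; an empty list means the forward is consistent.
    listens_on maps object -> port the real host actually listens on (operator-supplied)."""
    rules, acl, report = parse_object_nat(config), parse_acl(config, acl_name), {}
    for obj, rule in rules.items():
        problems = []
        want = listens_on.get(obj)
        if want is not None and rule["real_port"] != want:
            problems.append(f"real_port {rule['real_port']} but host listens on {want}: arguments "
                            f"are swapped (should be 'service {rule['proto']} {want} {rule['real_port']}')")
        aces = [(p, port) for (o, p, port) in acl if o == obj]
        if not aces:
            problems.append(f"no ACE in {acl_name} permits object {obj}")
        for _proto, aport in aces:
            if aport != rule["real_port"]:   # ACL is evaluated on the real (untranslated) port
                problems.append(f"ACE permits port {aport} but the ACL sees the real port "
                                f"{rule['real_port']} (change to 'eq {rule['real_port']}')")
        report[obj] = problems
    return report


# First attempt from the thread: real/mapped order backwards for a camera on port 80.
FIRST_ATTEMPT = """
object network CAM
 host 192.168.1.5
 nat (Inside,Outside) static interface service tcp 8080 80
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object CAM eq 8080
"""

# Second attempt: connect to Outside:8080, land on the camera's real port 80 (www).
SECOND_ATTEMPT = """
object network ROUTER-2811
 nat (Inside,Outside) static interface service tcp ssh 222
object network WEBCAM-01
 nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-3745
 nat (VOIP,Outside) static interface service tcp ssh 2223
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object WEBCAM-01 eq www
"""

if __name__ == "__main__":
    for label, cfg, listens in (("first", FIRST_ATTEMPT, {"CAM": 80}),
                                ("second", SECOND_ATTEMPT, {"WEBCAM-01": 80})):
        print(f"== {label} attempt ==")
        for obj, rule in parse_object_nat(cfg).items():
            print(f"{obj}: {describe(rule)}")
        for obj, problems in audit(cfg, "Outside_access_in", listens).items():
            print(f"{obj}: {'OK' if not problems else '; '.join(problems)}")
```

Running it flags the first attempt ("arguments are swapped (should be 'service tcp 80 8080')") and passes WEBCAM-01 in the second; it also points out that ROUTER-3745 has a NAT but no ACE in Outside_access_in yet, which is the kind of gap that is easy to miss when the NAT and ACL are edited separately.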
01-24-2014 02:35 PM
Hmm OK, I needed to enter on port 8080 and end on the camera on port 80. This because the ASDM interface is setup to allow HTTP connections from work so if I enter my public IP I will get the ASDM instead of the translated CAM port.
01-27-2014 08:58 AM
Maxim,
Can I get one more clarification on the statement I should add.
The internal device is on 192.168.1.5 and is listening on port 80. I need to come into the ASA on port 8080 and then get NATed to 192.168.1.5 on port 80.
(INTERNET's Origination IP 98.22.xxx.xxx:8080) ------ (External IP 199.195.xxx.xxx) --ASA--- (Internal IP 10.10.1.1) ----- (External IP 10.10.1.2) ---2811--- (Internal IP VLAN 1 - Gateway 192.168.1.1) ---- (Device 192.168.1.5:80)
That is how the flow works right now.
SH RUN NAT:
ASA5510# sh run nat
!
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh 2222
object network WEBCAM-01
nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh 2223
!
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
SH RUN ACCESS-LISTS:
ASA5510# sh run access-list
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object WEBCAM-01 eq www
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Thanks!
01-27-2014 10:09 AM
Oh and when I look at the ASDM transaction logs I see this:
6 | Jan 27 2014 | 09:36:49 | 98.22.xxx.xxx | 12768 | 192.168.1.5 | 80 | Routing failed to locate next hop for TCP from Outside:98.22.xxx.xxx/12768 to Inside:192.168.1.5/80 |
6 | Jan 27 2014 | 09:36:49 | 98.22.xxx.xxx | 12768 | 192.168.1.5 | 80 | Built inbound TCP connection 1001389 for Outside:98.22.xxx.xxx/12768 (98.22.xxx.xxx/12768) to Inside:192.168.1.5/80 (199.195.xxx.xxx/8080) |
01-27-2014 01:26 PM
Hi,
Correct
It seems that the ASA doesn't have a route to the network 192.168.1.0.
Is this route present in the ASA routing table? # show route
01-23-2014 12:14 AM
Hi,
I don't know if there is really a need to make the NAT rules any more complex by creating a configuration for each interface separately as a Section 2 Auto NAT. Not that this environment will probably have that many NAT configurations in the future to make it too complex, but I prefer doing the Dynamic PAT with one command instead of configuring multiple "nat" configurations.
You could change the above Dynamic PAT configuration, which I probably originally suggested before you had added devices to the network, to the following:
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
You can then use the PAT-SOURCE "object-group" to list all the networks which require PAT translation to the external network (by adding statements under it for the networks required).
- Jouni
01-23-2014 12:32 AM
Yes Jouni, you are right!
No need to delete # object-group network PAT-SOURCE or # nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface, or to create an object for each network. Just add the networks behind the LAN router to PAT-SOURCE.