Allow Specific Access Across Interfaces ASA 5510

Hi All,

In my quest to learn Cisco IOS and devices, I need some help in traffic shaping, or access-lists, specifically allowing traffic between internal interfaces on the ASA.

I have an ASA 5510:

LAN/WAN/DMZ labeled ports E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).

Attached to port E0/0 is a 2811 Router

Attached to port E0/1 is the Internet (Outside)

Attached to port E0/2 is a 2821

(I will be adding a 3745 for VOIP) port E0/3 but it hasn't arrived yet.

I want to allow traffic between the 2811 and the 2821 routers so that devices on the networks behind them can talk to each other.

I have specified specific subnets between the ASA and the Routers because I want to learn how to shape traffic behind the routers as well as on the ASA. So behind the routers I have different VLANs, but I am not restricting access between them, yet, at least I don't think I am. But as it is, devices behind the 2821 can't access the DNS / DOMAIN SERVER which is behind the 2811. Right now I am having the routers supply DHCP, which is working. Currently devices behind the 2821 router - 3560 switch cannot access the domain server, primary DNS server.

How do I setup the ASA to allow traffic to flow between the two routers and their VLANS?

Here are the configs of each of the devices and I have also included my switch configs, in case something needs to be set on them. I have only redacted the passwords and parts of the external IPs. I appreciate the help in what statements to create and on which devices.

I think it is best I put links to the text files here.

Thank you!

25 Replies

Remove them.

Where from do you want to grant the access?

Since the sec level of the DMZ and Inside is the same, and same security inter-interface traffic is permitted, hosts from behind these interfaces must have access to each other.

In order for networks behind the LAN router to have access to the internet, add them to the PAT-SOURCE.

For sec reasons, sec level of the DMZ interface should be lower than the Inside and higher than the Outside. In this case an access-list should be applied to the DMZ to permit certain traffic to the networks behind the Inside and Outside.

Maxim Mogorean wrote:

Remove them.

Where from do you want to grant the access?

Since the sec level of the DMZ and Inside is the same, and same security inter-interface traffic is permitted, hosts from behind these interfaces must have access to each other.

In order for networks behind the LAN router to have access to the internet, add them to the PAT-SOURCE.

For sec reasons, sec level of the DMZ interface should be lower than the Inside and higher than the Outside. In this case an access-list should be applied to the DMZ to permit certain traffic to the networks behind the Inside and Outside.

I want to grant access to security cameras on some of the different networks from a specific outside source (remote location).

Basically I want to allow http (www) access from 98.22.xxx.xxx to an IP address behind the 2811 at IP address 192.168.1.5 port 8080.

Here is my updated NAT:

ASA5510# sh run nat

!

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

object network ROUTER-3745

nat (VOIP,Outside) static interface service tcp ssh 2223

!

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

Access-Lists:

ASA5510# sh run access-list

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https

access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any

access-list dmz-access remark Permit all traffic to DC1

access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2

access-list dmz-access remark Permit only DNS traffic to DNS server

access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain

access-list dmz-access remark Permit ICMP to all devices in DC

access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

object network CAM

host 192.168.1.5

nat (Inside,Outside) static interface service tcp 8080 80

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object CAM eq 8080

Awesome, thank you. Just to make sure I am reading it correctly.

I created a Network Object called CAM.

I assigned the Object's host as 192.168.1.5.

I then created a NAT specifying that the host can be accessed statically on TCP port 8080 which is translated to port 80.

Then I created an entry in my Outside_access_in access-list permitting my external IP to access the Object called CAM via port 8080.

So when I try and connect to it from my remote location I type http://123.456.789.10:8080 and that will route me to 192.168.1.5 on port 80?

Just want to make sure I have the flow correctly. I think I have it, unless I am reading the NAT backwards.

Thanks!

Maxim Mogorean wrote:

object network CAM

host 192.168.1.5

nat (Inside,Outside) static interface service tcp 8080 80

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object CAM eq 8080

You got it correctly, except port mapping.

You should read the nat rule by the following:

nat (real_ifc,mapped_ifc) static interface service {tcp | udp} real_port mapped_port

that is:

real_ifc = Inside

mapped_ifc = Outside

real_port = 8080 (behind real_ifc)

mapped_port = 80 (behind mapped_ifc)

You connect to the Outside interface IP address port 80 and get to the CAM behind the Inside port 8080

In the Outside access list you indicate real IP and real port, since access list is applied after NAT
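The real/mapped reading of the object NAT rule in the reply above, and the rule that the inbound access list references the real port because it is evaluated after NAT, can be checked mechanically. The following Python script is an added example (not code from the thread or from Cisco): it parses `show run`-style object NAT and `access-list` lines in the shape shown in this thread and reports, per object, which Outside port leads to which real host and port, and whether each `Outside_access_in` entry uses the real port or mistakenly the mapped one. The sample configuration is constructed from the thread's values (the redacted `xxx` octets are kept as-is, and the `host` line for ROUTER-2811 is assumed).

```python
"""Check ASA 8.3+ object NAT rules against the inbound access list.

Reading rule applied here (as stated in the thread):
  nat (real_ifc,mapped_ifc) static interface service tcp real_port mapped_port
The Outside ACL is evaluated after NAT, so its `eq` port must be real_port.
"""
import re

# Constructed sample in the style of the thread's `show run` output.
SAMPLE_CONFIG = """
object network WEBCAM-01
 host 192.168.1.5
 nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-2811
 host 10.10.1.2
 nat (Inside,Outside) static interface service tcp ssh 222
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq 222
"""

# Service names the ASA accepts in place of numbers (subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53, "telnet": 23}

NAT_RE = re.compile(
    r"^\s*nat \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) static interface service "
    r"(?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) host (?P<src>\S+) "
    r"object (?P<obj>\S+) eq (?P<port>\S+)")


def port_number(token):
    """Turn 'www' / '8080' into an integer port."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES[token.lower()]


def parse_nat(config):
    """Return {object_name: rule} for every object that carries a static service NAT."""
    rules, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("object network "):
            current = stripped.split()[2]
            rules[current] = {"host": None}
        elif current and stripped.startswith("host "):
            rules[current]["host"] = stripped.split()[1]
        else:
            m = NAT_RE.match(line)
            if m and current:
                rules[current].update(m.groupdict())
                rules[current]["real_port"] = port_number(m["real_port"])
                rules[current]["mapped_port"] = port_number(m["mapped_port"])
    return {name: r for name, r in rules.items() if "real_ifc" in r}


def describe(name, rule):
    """Human-readable flow: what an outside client connects to and where it lands."""
    return (f"{name}: connect to {rule['mapped_ifc']} interface IP {rule['proto']}/{rule['mapped_port']} "
            f"-> {rule['host']} {rule['proto']}/{rule['real_port']} behind {rule['real_ifc']}")


def check_acl(config, rules):
    """For each inbound ACL line that names a NAT object, say whether it uses the real port."""
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m["obj"] not in rules:
            continue
        rule, acl_port = rules[m["obj"]], port_number(m["port"])
        if acl_port == rule["real_port"]:
            findings.append((m["obj"], "ok"))
        elif acl_port == rule["mapped_port"]:
            findings.append((m["obj"], f"uses mapped port {acl_port}; ACL must use real port {rule['real_port']}"))
        else:
            findings.append((m["obj"], f"port {acl_port} matches neither real nor mapped port"))
    return findings


if __name__ == "__main__":
    nat_rules = parse_nat(SAMPLE_CONFIG)
    for obj_name, obj_rule in nat_rules.items():
        print(describe(obj_name, obj_rule))
    for obj_name, verdict in check_acl(SAMPLE_CONFIG, nat_rules):
        print(f"{obj_name}: {verdict}")
```

Run it and the WEBCAM-01 entry (`eq www`) passes while the ROUTER-2811 entry (`eq 222`) is flagged, because 222 is the mapped port on the Outside interface and the ACL must permit the real port, ssh.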

Hmm OK, I needed to enter on port 8080 and end on the camera on port 80. This because the ASDM interface is setup to allow HTTP connections from work so if I enter my public IP I will get the ASDM instead of the translated CAM port.

Maxim,

Can I get one more clarification on the statement I should add?

The internal device is on 192.168.1.5 and is listening on port 80. I need to come into the ASA on port 8080 and then get NATted to 192.168.1.5 on port 80.

(INTERNET's Origination IP 98.22.xxx.xxx:8080) ------ (External IP 199.195.xxx.xxx) --ASA--- (Internal IP 10.10.1.1) ----- (External IP 10.10.1.2) ---2811--- (Internal IP VLAN 1 - Gateway 192.168.1.1) ---- (Device 192.168.1.5:80)

That is how the flow works right now.

SH RUN NAT:

ASA5510# sh run nat

!

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

object network WEBCAM-01

nat (Inside,Outside) static interface service tcp www 8080

object network ROUTER-3745

nat (VOIP,Outside) static interface service tcp ssh 2223

!

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

SH RUN ACCESS-LISTS:

ASA5510# sh run access-list

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object WEBCAM-01 eq www

access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any

access-list dmz-access remark Permit all traffic to DC1

access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2

access-list dmz-access remark Permit only DNS traffic to DNS server

access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain

access-list dmz-access remark Permit ICMP to all devices in DC

access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Thanks!

Message was edited by: Mitchell Tuckness

Oh and when I look at the ASDM transaction logs I see this:

Severity: 6 | Date: Jan 27 2014 | Time: 09:36:49 | Source: 98.22.xxx.xxx | Src port: 12768 | Destination: 192.168.1.5 | Dst port: 80
Routing failed to locate next hop for TCP from Outside:98.22.xxx.xxx/12768 to Inside:192.168.1.5/80

Severity: 6 | Date: Jan 27 2014 | Time: 09:36:49 | Source: 98.22.xxx.xxx | Src port: 12768 | Destination: 192.168.1.5 | Dst port: 80
Built inbound TCP connection 1001389 for Outside:98.22.xxx.xxx/12768 (98.22.xxx.xxx/12768) to Inside:192.168.1.5/80 (199.195.xxx.xxx/8080)

Hi,

Correct

It seems that the ASA doesn't have a route to the network 192.168.1.0.

Is this route present in the ASA routing table? # show route
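The "Routing failed to locate next hop" message above, together with the `show route` question, is worth turning into a repeatable check: the NAT rule says the camera lives behind Inside, but if the ASA's routing table has no entry for 192.168.1.0 the lookup lands on the default route out Outside (or nowhere) and the connection is dropped. The following Python script is an added example (not from the thread or from Cisco): it picks the routing-failure rows out of ASDM-style log lines, does a longest-prefix lookup against a routing table, and prints the static route that would repair the mismatch. The log rows are the two from the thread with the fields separated by tabs (source IP kept redacted), the routing table is constructed and deliberately lacks 192.168.1.0/24, the /24 mask is assumed from the thread's ACLs, and the next hop 10.10.1.2 is the 2811's outer address from the poster's flow diagram.

```python
"""Explain ASA 'Routing failed to locate next hop' events against a routing table.

Added example. Log rows and routing table below are constructed for illustration.
"""
import ipaddress
import re

# The two ASDM rows from the thread, tab-separated:
# severity, date, time, src, sport, dst, dport, message.
LOG_ROWS = [
    "6\tJan 27 2014\t09:36:49\t98.22.xxx.xxx\t12768\t192.168.1.5\t80\t"
    "Routing failed to locate next hop for TCP from Outside:98.22.xxx.xxx/12768 to Inside:192.168.1.5/80",
    "6\tJan 27 2014\t09:36:49\t98.22.xxx.xxx\t12768\t192.168.1.5\t80\t"
    "Built inbound TCP connection 1001389 for Outside:98.22.xxx.xxx/12768 (98.22.xxx.xxx/12768) "
    "to Inside:192.168.1.5/80 (199.195.xxx.xxx/8080)",
]

# Constructed routing table, the essentials of `show route`: (prefix, egress interface, next hop).
# It intentionally has no entry for 192.168.1.0/24 to reproduce the failure in the thread.
ROUTES = [
    ("10.10.1.0/24", "Inside", "connected"),
    ("128.162.1.0/24", "DMZ", "connected"),
    ("0.0.0.0/0", "Outside", "ISP-GATEWAY-PLACEHOLDER"),
]

MSG_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\w+) from (?P<sifc>\w+):(?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<difc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")


def routing_failures(rows):
    """Return the parsed routing-failure events from tab-separated log rows."""
    events = []
    for row in rows:
        message = row.split("\t")[-1]
        m = MSG_RE.search(message)
        if m:
            events.append({"proto": m["proto"], "dst": m["dst"],
                           "dport": int(m["dport"]), "expected_ifc": m["difc"]})
    return events


def best_route(dst, routes):
    """Longest-prefix match; returns (prefix, interface, next_hop) or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, ifc, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (prefix, ifc, next_hop)
    return best


def diagnose(event, routes, lan_next_hop, prefixlen=24):
    """Compare the interface NAT expects with the interface routing selects.

    prefixlen and lan_next_hop are assumptions about the LAN behind the router;
    the thread's values are /24 and 10.10.1.2.
    """
    route = best_route(event["dst"], routes)
    if route and route[1] == event["expected_ifc"]:
        return "route ok"
    found = f"via {route[1]} ({route[0]})" if route else "no route"
    net = ipaddress.ip_network(f"{event['dst']}/{prefixlen}", strict=False)
    return (f"{event['dst']} expected behind {event['expected_ifc']} but routed {found}; "
            f"add: route {event['expected_ifc']} {net.network_address} {net.netmask} {lan_next_hop}")


if __name__ == "__main__":
    for ev in routing_failures(LOG_ROWS):
        print(diagnose(ev, ROUTES, "10.10.1.2"))
```

With the constructed table the script reports that 192.168.1.5 is expected behind Inside but routed via the default route on Outside, and suggests `route Inside 192.168.1.0 255.255.255.0 10.10.1.2`; once that entry is present the same event evaluates to "route ok".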

Jouni Forss
VIP Alumni

Hi,

I don't know if there is really need to make the NAT rules any more complex by creating a configuration for each interface separately as a Section 2 Auto NAT. Not that this environment will probably have that much NAT configurations in the future to make it too complex but I prefer doing the Dynamic PAT with one command instead of configuring multiple "nat" configurations.

You could change the above Dynamic PAT configuration, which I probably originally suggested before you had added devices to the network, to the following:

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

You can use the PAT-SOURCE "object-group" then to tell all the networks which require PAT translation to the external network. (by adding statements under it for the networks required)

- Jouni

Yes Jouni, you are right!

No need to delete # object-group network PAT-SOURCE, # nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface, and to create object for each network. Just to add networks behind the LAN router into the PAT-SOURCE.
