New Member

ASA 5500 question

Hello,

I'm not really a security guy, but I have a question about the ASA 5500. When you set an outside interface to "0" does that give an explicit deny to access traffic on the inside interface with 100?

If so, to give access do you use access lists to grant protocol/port access to the inside?


New Member

Re: ASA 5500 question

Thank you sir.

Hall of Fame Super Blue

Re: ASA 5500 question

jcarrabine1 wrote:

Hello,

I'm not really a security guy, but I have a question about the ASA 5500. When you set an outside interface to "0" does that give an explicit deny to access traffic on the inside interface with 100?

If so, to give access do you use access lists to grant protocol/port access to the inside?

Just to add to Jorge's post.

You don't just need an acl to allow traffic from a lower to higher security interface. You also need to take care of NAT. You cannot use dynamic NAT but you do have 3 options -

1) turn off NAT

2) use a NAT exemption

3) use a static NAT translation

Jon

New Member

Re: ASA 5500 question

Can you elaborate more? Obviously turning off NAT will prevent any outside address from acquiring an inside address, and I assume a NAT exemption is used if you have multiple locations and you just use the public address that your provider (or I guess a partner's public address) gives you, and the last is basically the same. Am I seeing what you are saying right?

Hall of Fame Super Blue

Re: ASA 5500 question

jcarrabine1 wrote:

Can you elaborate more? Obviously turning off NAT will prevent any outside address from acquiring an inside address, and I assume a NAT exemption is used if you have multiple locations and you just use the public address that your provider (or I guess a partner's public address) gives you, and the last is basically the same. Am I seeing what you are saying right?

Jeff

If you disable nat-control then you do not need a NAT statement for traffic on a lower security interface to access a device on a higher security interface, although you still need an acl. To be honest I find the docs a little misleading on this one, but I do remember when I first tested this on a v7.x PIX that you didn't need any statics or NAT exemptions, just an acl. Quite a shock after PIX v6.x code where you didn't have the option to turn off NAT, so you always had to set up some sort of NAT.

NAT exemptions and static NAT - it's important to understand with Cisco devices that even if you do not want to do NAT you still have to tell the firewall this with a NAT statement (assuming you haven't disabled NAT altogether - see above). This can be somewhat counterintuitive if you come from a different vendor firewall background. So when you do NAT on a Cisco device you may well be presenting the internal address as something else to another interface, but even if you just want the internal addresses to be accessible to another lower security interface without changing the actual address you still need a NAT statement. I know, it really doesn't make a lot of sense sometimes.


You do this by using either a static NAT or a NAT exemption. So let's say you want to allow access to internal addressing of 192.168.5.0/24 from the outside and from any address, and you want the outside to be able to connect to these internal devices using the 192.168.5.x addressing. (Note in a real world internet scenario 192.168.5.x would have to be changed to something else to route on the internet, but this is just an example.)

static NAT

========

static (inside,outside) 192.168.5.0 192.168.5.0  netmask 255.255.255.0

NAT exemption

============

access-list NATEX permit ip 192.168.5.0 255.255.255.0 any

nat (inside) 0 access-list NATEX

Both of the above will allow any device on the outside to initiate a connection to a 192.168.5.x device on the inside. Obviously you still need to allow access with an acl as well.

Jon
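The thread names the pieces needed for outside-to-inside access on a pre-8.3 ASA but never shows them together. The following configuration is an added example and is not from any post in this thread; it ties Jon's NAT options to the ACL and access-group he says are also required. The interface names, the TEST-NET outside address 203.0.113.2, the web server host 192.168.5.10 and the ACL names are assumed values chosen for illustration.

```cisco
! Added example (not from the thread). ASA 7.x/8.2-style syntax, matching
! the "nat (inside) 0" and "static (inside,outside)" forms used above.
! Interface names, addresses and the host 192.168.5.10 are assumed values.
!
! Security levels: outside at 0, inside at 100. With nothing else configured,
! inside -> outside is permitted and outside -> inside is implicitly denied.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
! Piece 1: NAT. With nat-control on, a host behind the higher-security
! interface is unreachable from a lower one until a translation exists.
! NAT exemption keeps 192.168.5.0/24 untranslated (source = inside network).
access-list NATEX extended permit ip 192.168.5.0 255.255.255.0 any
nat (inside) 0 access-list NATEX
!
! Equivalent alternative: identity static NAT (use one form, not both).
! static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
!
! Or drop the NAT requirement entirely, as Jon describes:
! no nat-control
!
! Piece 2: ACL applied inbound on the lower-security interface. Only the
! listed protocol/port is opened; the ACL's implicit deny drops everything
! else arriving on outside.
access-list OUTSIDE_IN extended permit tcp any host 192.168.5.10 eq 443
access-group OUTSIDE_IN in interface outside
```

Without the access-group line the ACL is defined but not enforced, and without one of the NAT pieces (or no nat-control) the ASA drops outside-initiated packets before the ACL permit matters, which is the combination of symptoms Jon is warning about.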

Re: ASA 5500 question

As usual Jon ... outstanding answers my friend..

Incidentally .. I was reading a post yesterday in routing you've answered along with Giuseppe which I am now looking into EEM/tcl IOS feature, wanted to give it a 5 but could not find a way.. happy holidays ..!

Jorge

PS: Now I see ratings  but pressed 4 instead of 5 on this one... my error
