ASA identity NAT between VLANs problem

tf2-conky
Level 1

Hi

I'm having trouble trying to allow specific access, i.e. SMTP, HTTP, from clients in VLAN 1 to servers in VLAN 2.

* Both VLANs access the internet with Dynamic NAT.

* Both VLANs currently use the same security level.

* nat-control is enabled with "same-security-traffic permit inter-interface"

I can get both VLANs happily talking to each other if I use static identity NAT or NAT exemption, but I want to be more specific and use static identity policy NAT to only include specific ports (minimum access).

i.e. clients in Vlan1 only able to talk to mail servers in Vlan2

Vlan1 = 192.168.1.0/24 clients

Vlan2 = 192.168.2.0/24 servers smtp

access-list BLAH extended permit tcp host 192.168.1.1 host 192.168.2.1 eq 25

static (vlan1_inside,vlan2_inside) 192.168.1.1 access-list BLAH

access-list BLAH extended permit tcp host 192.168.2.1 host 192.168.1.1

static (vlan2_inside,vlan1_inside) 192.168.2.1 access-list BLAH

Perhaps I'm going completely down the wrong track here, and should just be using any-any identity NAT between the VLANs but instead with a DMZ, and appropriate access-lists?

Any advice would be greatly appreciated

7 Replies

andrew.prince
Level 10

I would use nat exemption for this, then figure out specific 1:1 later.

HTH>

So NAT exemption, and an inbound ACL on the server VLAN to allow specific access?

Does the ACL allow established traffic back in the interface? (Being new to the ASA, I'm really only used to dealing with Linux firewalls and connection tracking.) Or do I need to use a higher security level with a DMZ?

You stated in your original post "Both Vlan's currently use the same security level"

Fact - traffic can pass from two interfaces with the same security-level without the need to have an ACL.

HTH>

Yes that much is obvious.

Perhaps I should clarify.

I want vlan1 to be able to talk to vlan2 on only specific ports.

I want vlan2 to be able to talk to vlan1 with no restrictions, hence the question about "established".

Can the ASA do this (like I can with a Linux firewall)?

Well, if it's that obvious - then you have answered your own question.

I suggest you read the ASA data sheets to see if the ASA is a suitable replacement to the Linux Firewall.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

That's not the question I'm asking here. This is not a Linux firewall replacement. I'm seeking a solution, or advice, for the scenario from my previous post.

Unfortunately I was not involved in procuring the ASA. The guy who did is no longer here, and I'm now tasked with deploying this.

Thanks anyway.

First off, I would separate your NAT setup from your filtering ACLs; these are two different things in an ASA. So set up your static NAT or ACL-based NAT exemption rules on IP only, not TCP/UDP or whatever. Then do only incoming ACLs on both interfaces; the one on VLAN 1 should then allow the specific SMTP services like this, and probably internet as well:

line 1 allow smtp to vlan 2

line 2 deny all other traffic to vlan 2

line 3 permit any other traffic (internet)

access-list acl_vlan1_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq smtp

access-list acl_vlan1_in extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_vlan1_in extended permit ip any any

Then VLAN 2 should be allowed to start any connection it wants towards VLAN 1 and the internet:

access-list acl_vlan2_in extended permit ip any any
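As an added illustration (not part of the thread or of any Cisco tool), the following Python evaluator parses the three acl_vlan1_in entries posted above and applies them with the ASA's first-match semantics and trailing implicit deny, so the ordering argument (permit SMTP, deny the rest of VLAN 2, then permit the internet) can be checked offline. The client 192.168.1.10 and the internet host 203.0.113.5 are constructed sample addresses.

```python
import ipaddress
PORT_NAMES = {"smtp": 25, "http": 80, "https": 443}  # ASA port keywords used here

def _parse_addr(t, i):
    """Consume 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2  # ASA uses subnet masks

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst, "dport": port}

def evaluate(aces, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation with the implicit deny an ASA applies at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"
# The three ACEs from the reply above, in the order they were posted
ACL_VLAN1_IN = [parse_ace(line) for line in (
    "access-list acl_vlan1_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq smtp",
    "access-list acl_vlan1_in extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list acl_vlan1_in extended permit ip any any",
)]

def check_policy(aces=ACL_VLAN1_IN):
    """Decisions for constructed flows: vlan1 client to vlan2 mail server and to the internet."""
    return {
        "smtp_to_server": evaluate(aces, "tcp", "192.168.1.10", "192.168.2.1", 25),
        "http_to_server": evaluate(aces, "tcp", "192.168.1.10", "192.168.2.1", 80),
        "http_to_internet": evaluate(aces, "tcp", "192.168.1.10", "203.0.113.5", 80),
    }
```

Moving the "permit ip any any" line above the deny makes the HTTP-to-server flow permitted, which is exactly the ordering mistake the reply's numbered lines guard against.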
