Cisco Support Community
Community Member

ASA5510 - NATted traffic and access-lists

Hello,

My customer needs to connect one server system in a particular DMZ with other systems in the corporate LAN. The requirement is that all LAN servers/workstations can reach the DMZ server over particular ports. In the opposite direction, this DMZ server should be able to initiate traffic to some servers in the corporate LAN. Also, the requirement is that this DMZ server can reach the Internet over the LAN interface, as this DMZ should be made on an ASA FW that protects only that server. The server IP address is (example): 192.168.2.100

For this task, we used ASA5510. I configured two interfaces, in a standard manner:

Phase 1:

interface GigabitEthernet0/0
 nameif custdmz2
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif custlan
 security-level 100
 ip address 10.164.0.60 255.255.255.0
!

As the custlan interface is on a higher security level, it can reach the custdmz2 network. To filter the traffic to only the allowed ports, I added the following access-list:

access-list custlan_to_custdmz2 extended permit tcp host 192.168.2.100 any eq 709
access-list custlan_to_custdmz2 extended permit tcp host 192.168.2.100 any eq 710
access-list custlan_to_custdmz2 extended permit tcp host 192.168.2.100 any eq 829
access-group custlan_to_custdmz2 in interface custlan

To be able to initiate web traffic from the DMZ server to some LAN server, I added the following:

access-list custdmz2_to_custlan extended permit tcp host 192.168.2.100 any eq www
access-group custdmz2_to_custlan in interface custdmz2

Phase 2:

At this point, I have all traffic working as expected, except for traffic from custdmz2 to the Internet, which should go over the custlan interface (this ASA FW is not directly connected to the Internet, but the custlan interface is in a LAN segment that is routed to another firewall that is the gateway to the Internet).

OK, to be able to route the traffic to the Internet GW, I need to add the route to the default gateway:

route custlan 0.0.0.0 0.0.0.0 10.164.0.1 1

Then, to be able to resolve DNS from custdmz2, I need the following:

access-list custdmz2_to_custlan extended permit udp any any eq domain
access-list custdmz2_to_custlan extended permit tcp any any eq domain

After that, what is needed is to configure the corporate gateway system (firewall at 10.164.0.1) to route traffic correctly to subnet 192.168.2.0 (i.e. to zone custdmz2) and to allow traffic from that zone to the Internet. And that's it.

Phase 3:

But, the customer asked me to configure our firewall in a different way, in order not to change anything on the main corporate firewall (gateway to the Internet). So, forget Phase 2!

What I can do is NAT traffic from custdmz2 to the custlan zone, and that way get the traffic to the Internet, as the custlan interface is already in a subnet that is allowed to pass traffic to the Internet. In order to do that, I can add the following:

nat (custdmz2) 1 192.168.2.0 255.255.255.0 outside
global (custlan) 1 interface

OK, now I have traffic from the custdmz2 server to the Internet, without the need to change the configuration on the main corporate firewall system (10.164.0.1). But, at this moment, I am losing traffic from custlan to the custdmz2 server, due to the NAT.

I need help. How do I retain all traffic rules from custlan to custdmz2, and from custdmz2 to custlan, but also have traffic from custdmz2 to the Internet over the custlan interface?

1 REPLY
Cisco Employee

Re: ASA5510 - NATted traffic and access-lists

Milan,

1. I see a problem with phase 1.

I see a problem with this ACL below: source and destination are flipped.

access-list custlan_to_custdmz2 extended permit tcp host 192.168.2.100 any eq 709
access-list custlan_to_custdmz2 extended permit tcp host 192.168.2.100 any eq 710
access-list custlan_to_custdmz2 extended permit tcp host 192.168.2.100 any eq 829
access-group custlan_to_custdmz2 in interface custlan

2. Next, if you are going to ask us to forget phase 2 why bother to type it all out?

So you are saying that the Internet is on the inside of this firewall, correct? Doesn't sound like a good design.

3. This phase 3 config will not work. Pls. address the design again. When you hide a bunch of hosts in custdmz behind one IP address there is no way you can restrict access to those with the access list that you have applied on the custlan interface.

My suggestion for you would be to be precise next time you post your question. Add a simple topology with your question. This will get an immediate response to your posts.
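The flipped source/destination in the custlan_to_custdmz2 ACL is easy to miss by eye, so here is an added check (example code, not from either poster or from Cisco) that parses the interface, access-list and access-group lines quoted in the question and flags any inbound ACE whose "host" source does not sit on the connected subnet of the interface the ACL is bound to. It assumes the simplified rule that an inbound ACL's sources belong to that interface's directly connected subnet (it ignores networks routed behind an interface and only inspects "host" sources); the configuration text is copied from the post above as constructed sample input.

```python
import ipaddress
import re

# Constructed sample input: the Phase 1 interface, ACL and access-group lines from the question.
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif custdmz2
 security-level 50
 ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet0/1
 nameif custlan
 security-level 100
 ip address 10.164.0.60 255.255.255.0
access-list custlan_to_custdmz2 extended permit tcp host 192.168.2.100 any eq 709
access-list custlan_to_custdmz2 extended permit tcp host 192.168.2.100 any eq 710
access-list custlan_to_custdmz2 extended permit tcp host 192.168.2.100 any eq 829
access-group custlan_to_custdmz2 in interface custlan
access-list custdmz2_to_custlan extended permit tcp host 192.168.2.100 any eq www
access-group custdmz2_to_custlan in interface custdmz2
"""

# Matches an extended ACE with a "host X" source; "any" or subnet sources are skipped.
ACE = re.compile(r"access-list (\S+) extended permit \S+ host (\S+) ")


def parse_interfaces(cfg):
    """Map each nameif to the subnet configured under its interface stanza."""
    nets, name = {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address ") and name:
            ip, mask = s.split()[2:4]
            nets[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets


def flipped_aces(cfg):
    """Return (acl, source) for inbound ACEs whose source host is off the bound interface's subnet."""
    nets = parse_interfaces(cfg)
    bound = {}  # acl name -> interface, taken from "access-group <acl> in interface <ifc>"
    for line in cfg.splitlines():
        parts = line.split()
        if parts[:1] == ["access-group"] and len(parts) > 4 and parts[2] == "in":
            bound[parts[1]] = parts[4]
    findings = []
    for line in cfg.splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue
        acl, src = m.group(1), ipaddress.ip_address(m.group(2))
        net = nets.get(bound.get(acl))
        if net is not None and src not in net:  # a custdmz2 host cannot be the source inbound on custlan
            findings.append((acl, str(src)))
    return findings
```

Running it on the posted configuration reports the three custlan_to_custdmz2 entries and nothing for custdmz2_to_custlan, whose source 192.168.2.100 really is on the custdmz2 subnet.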
