Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Cisco ASA Firewall

Hello,

 

I have a Cisco ASA 9.1(3) 5545 device. A request from my customer required that a few servers in DMZ be accessible from outside. The details are as follows:

 

Servers in DMZ: 10.20.30.40-49

Public IP used for static NAT: x.y.111.1 - 10

 

The DMZ interface IP: 10.20.30.1

The Outside interface IP: a.b.c.d

 

The customer has 2 different Public IP pools. The Outside interface is configured with an IP from one of these pools (a.b.c.*/26). While in this request the customer has asked us to use the other pool (x.y.111.1-10).

 

I have configured the following on the firewall

 

1] Static NAT:

   object network 10.20.30.40

                nat (any , any) static x.y.111.1

 

and so on upto 10.20.30.49. I am skipping those for brevity.

 

2] ACL for inbound traffic from DMZ

   access-list Dmz_access_in extended permit tcp object int-10.20.30.40 any

   (Similar policies for other DMZ IPs)

 

3] ACL for inbound traffic from Outside

   access-list Outside_access_in extended permit tcp any object int-10.20.30.40 eq www

   access-list Outside_access_in extended permit tcp any object int-10.20.30.40 eq ftp

   (Similar policies for other inbound traffic on Outside interface)

 

This config is not working. Please suggest if I am missing something. Also could anyone explain how Proxy-ARP would work in this scenario if the firewall gets an ARP request for x.y.111.1-10 IPs from a Router?

Everyone's tags (1)
3 REPLIES

Hello, Those are a lot of

Hello,

 

Those are a lot of questions you have :)

 

First of all recommendations with the NAT

 

Be as specific as possible.

 

Never do a (any,any) translation that just makes the ARP process crazy in the ASA. You got to be as clean as possible. Be specific!

 

Remeber that the firewall is stateful so if you were pretending to allow the replies from the DMZ server to the outside clients on the Dmz_access_in access-list this is NOT required.

 

Why it's not working???

 

Because you want to use Proxy-ARP and the behavior of this feature has changed in the versions of the ASA 8.4 and higher where the ASA not longer reply to any IP not listed in one of it's interfaces network domains.

 

How to Fix it?

 

Enable the Proxy-ARP for this IPs.

 

Config te

arp permit non-connected

 

 

Regards,

 

jcarvaja
CCIE 42930, 2-CCNP,JNCIS-SEC
Looking for a quick remote support session? Contact us at inetworks.cr

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Thanks jcarvaja, I had

Thanks jcarvaja,
 

I had already configured the arp permit non-connected command. Even then it's not working. I'll try giving specific interfaces in the static NAT.

 

Meanwhile, do you think routing the x.y.111.1 - 10 on the internet router towards the firewall Outside interface help?

 

Thanks in advance

Hello, You already have the

Hello,

 

You already have the arp permit.

 

Well we would need to take captures to determine whether the ASA is responding to arp packets.

 

As for:

Meanwhile, do you think routing the x.y.111.1 - 10 on the internet router towards the firewall Outside interface help?

 

Yes, That would fix it.

 

 

Regards,

 

Jcarvaja

CCIE 42930, 2-CCNP,JNCIS-SEC
Looking for a quick remote support session? Contact us at inetworks.cr

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
77
Views
0
Helpful
3
Replies
CreatePlease to create content