Cisco ASA Firewall

svchougule
Level 1

Hello,

I have a Cisco ASA 9.1(3) 5545 device. A request from my customer required that a few servers in DMZ be accessible from outside. The details are as follows:

Servers in DMZ: 10.20.30.40-49
Public IP used for static NAT: x.y.111.1 - 10

The DMZ interface IP: 10.20.30.1
The Outside interface IP: a.b.c.d

The customer has 2 different Public IP pools. The Outside interface is configured with an IP from one of these pools (a.b.c.*/26), while in this request the customer has asked us to use the other pool (x.y.111.1-10).

I have configured the following on the firewall:

1] Static NAT:

   object network 10.20.30.40
    nat (any,any) static x.y.111.1

and so on up to 10.20.30.49. I am skipping those for brevity.

2] ACL for inbound traffic from DMZ

   access-list Dmz_access_in extended permit tcp object int-10.20.30.40 any

   (Similar policies for other DMZ IPs)

3] ACL for inbound traffic from Outside

   access-list Outside_access_in extended permit tcp any object int-10.20.30.40 eq www
   access-list Outside_access_in extended permit tcp any object int-10.20.30.40 eq ftp

   (Similar policies for other inbound traffic on the Outside interface)

This config is not working. Please suggest if I am missing something. Also, could anyone explain how Proxy-ARP would work in this scenario if the firewall gets an ARP request for the x.y.111.1-10 IPs from a router?

3 Replies

Julio Carvajal
VIP Alumni

Hello,

Those are a lot of questions you have :)

First of all, recommendations with the NAT:

Be as specific as possible.

Never do an (any,any) translation; that just makes the ARP process crazy in the ASA. You got to be as clean as possible. Be specific!

Remember that the firewall is stateful, so if you were intending to allow the replies from the DMZ server to the outside clients on the Dmz_access_in access-list, this is NOT required.

Why is it not working???

Because you want to use Proxy-ARP, and the behavior of this feature has changed in ASA versions 8.4 and higher, where the ASA no longer replies to any IP not listed in one of its interfaces' network domains.

How to fix it?

Enable the Proxy-ARP for these IPs.

Configure:

arp permit-nonconnected

Regards,

 

jcarvaja
CCIE 42930, 2-CCNP,JNCIS-SEC
Looking for a quick remote support session? Contact us at inetworks.cr

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks jcarvaja,

I had already configured the arp permit-nonconnected command. Even then it's not working. I'll try giving specific interfaces in the static NAT.

Meanwhile, do you think routing the x.y.111.1 - 10 range on the internet router towards the firewall Outside interface would help?

Thanks in advance

Hello,

You already have the arp permit.

Well, we would need to take captures to determine whether the ASA is responding to ARP packets.

As for:

"Meanwhile, do you think routing the x.y.111.1 - 10 range on the internet router towards the firewall Outside interface would help?"

Yes, that would fix it.

 

 

Regards,

 

Jcarvaja

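The configuration this thread converges on, written out as an added example for one DMZ host (this is not the original poster's or jcarvaja's config): interface-specific static NAT instead of (any,any), the outside ACL referencing the same object, proxy ARP for non-connected subnets, the upstream route from the last reply, and the checks to run afterwards. The nameif values dmz and outside, the object name srv-10.20.30.40, and the client address 203.0.113.10 are assumptions.

```cisco
! Added example, not the thread's own configuration. Assumes nameif "dmz" and
! "outside"; 10.20.30.40, x.y.111.1 and a.b.c.d are the thread's placeholders.

! Before: (any,any) binds the translation to no interface pair, so the ASA has
! to decide on every interface whether it should answer ARP for x.y.111.1.
object network srv-10.20.30.40
 host 10.20.30.40
 nat (any,any) static x.y.111.1

! After: translate only between dmz and outside. The mapped address is then
! owned by the outside interface, which is the only place proxy ARP is needed.
object network srv-10.20.30.40
 host 10.20.30.40
 nat (dmz,outside) static x.y.111.1

! Post-8.3 ACLs match the real (pre-translation) address, so they reference the
! network object. The name here must be the object's exact name.
access-list Outside_access_in extended permit tcp any object srv-10.20.30.40 eq www
access-list Outside_access_in extended permit tcp any object srv-10.20.30.40 eq ftp
access-group Outside_access_in in interface outside

! Return traffic from the DMZ server is allowed by the stateful connection
! table, so no corresponding Dmz_access_in entry is required for it.

! x.y.111.0/28 is not the outside interface's own subnet (a.b.c.0/26), so the
! ASA must be allowed to handle ARP for non-connected addresses.
arp permit-nonconnected

! On the internet router, not the ASA (IOS syntax, assumed /28 covering .1-.10):
! route the public range at the ASA's outside address so the router never has
! to ARP for x.y.111.1 at all. This is the fix the last reply confirms.
! ip route x.y.111.0 255.255.255.240 a.b.c.d

! Checks after the change: is the translation installed, which MAC answers for
! the mapped address, and does a simulated inbound HTTP connection from a
! constructed client address get translated and permitted?
show nat detail
show arp
packet-tracer input outside tcp 203.0.113.10 40000 x.y.111.1 80
```

If packet-tracer shows the NAT and ACL phases as ALLOW but real clients still fail, the remaining question is the router's next hop for x.y.111.0/28, which the ASA-side output cannot show.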