Natting in ASA 5512X

Hi!

I am actually replacing a PIX 515E unit with an ASA 5512X having version 8.6(1)2.

Starting from version 8.3 up, there is a difference in the way natting is done compared to previous ASA versions (8.2 and down) and PIX.

Scenario is as follows:

  • 1 Cisco router for Internet connected to 1 ASA 5512X with three networks (inside, dmz, outside)
  • PC1 found on inside zone must access the Internet in outside zone
  • External emails come from the Internet to the mail server in the inside zone
  • External users access the web server in the dmz

I have configured the ASA 5512X and router but I want to be sure that I have it in the correct way.

Please see the attached topology and configurations of router and ASA.

Thanks.

Accepted Solution

Natting in ASA 5512X

Hello,

Great job with the post. To the point and clear.

That being said, you almost have it right.

The problem is in the ACL syntax.

Change this:

access-list OutIn extended permit tcp any host 10.0.0.60 eq smtp

access-list OutIn extended permit tcp any host 10.0.0.70 eq www

To this:

access-list OutIn extended permit tcp any host 172.16.1.70 eq 80

access-list OutIn extended permit tcp any host 192.168.1.60 eq 25

Also check this:

On the DMZ you are allowing the web server to access only HTTP services on the outside (this will need DNS included if you do not have a DNS server on the DMZ), so add:

access-list DMZIN extended permit udp host 172.16.1.70 any eq 53

Note: This is if the web server will access websites.

Starting on 8.3 the ASA now performs the security checks in a different order:

  • First the NAT
  • Then the ACL

This is why you point to the private IP address on the ACL.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

For any question, contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
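As an added example (not code from the thread or from Cisco), a small Python check for the mistake Julio points out: it reads the static NAT objects from an ASA 8.3+ configuration and flags any ACE whose host address is a mapped (public) address instead of the real one, which post-8.3 never matches because NAT runs before the ACL. The configuration is constructed from the thread's addresses; the object names and the NAT statements are assumptions, since the attachments are not on the page.

```python
import re

# Constructed ASA 8.3+ config modelled on the thread. The NAT statements are
# assumptions (mapped 10.0.0.60 -> mail 192.168.1.60, 10.0.0.70 -> web 172.16.1.70).
ASA_CONFIG = """\
object network MAIL-SERVER
 host 192.168.1.60
 nat (inside,outside) static 10.0.0.60
object network WEB-SERVER
 host 172.16.1.70
 nat (dmz,outside) static 10.0.0.70
access-list OutIn extended permit tcp any host 10.0.0.60 eq smtp
access-list OutIn extended permit tcp any host 10.0.0.70 eq www
access-list DMZIN extended permit udp host 172.16.1.70 any eq 53
"""

HOST_RE = re.compile(r"^\s*host\s+(\S+)")                       # inside object network
NAT_RE = re.compile(r"^\s*nat\s+\([^)]*\)\s+static\s+(\S+)")     # object NAT, mapped addr
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+\S+\s+(.+)$")


def mapped_to_real(config):
    """Return {mapped_ip: real_ip} built from 'object network' static NAT blocks."""
    table, real = {}, None
    for line in config.splitlines():
        m = HOST_RE.match(line)
        if m:
            real = m.group(1)          # real address of the current object
            continue
        m = NAT_RE.match(line)
        if m and real:
            table[m.group(1)] = real   # mapped -> real
    return table


def find_mapped_in_acl(config):
    """Return (acl, mapped_ip, real_ip) for every ACE that names a mapped address.

    On 8.3+ the ACL sees the packet after NAT, so such an ACE should use real_ip."""
    table = mapped_to_real(config)
    findings = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        acl, rest = m.groups()
        for ip in re.findall(r"host\s+(\S+)", rest):
            if ip in table:
                findings.append((acl, ip, table[ip]))
    return findings


if __name__ == "__main__":
    for acl, mapped, real in find_mapped_in_acl(ASA_CONFIG):
        print(f"{acl}: host {mapped} is a mapped address; use real address {real}")
```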
3 REPLIES


Re: Natting in ASA 5512X

Dear Julio,

Thanks for the update.
Will edit the ACLs accordingly.

Regards,

Alvin


Re: Natting in ASA 5512X

Hey Alvin,

My pleasure, man. Remember to rate all of the helpful posts.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

For any question, contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura
