
ASA access rule relative to port forwarding

Hi all,

Just a simple question.

Assume I have    inside==ASA====outside========internet

Assume the outside public IP is x.x.x.x.

Assume I made a port forward on the outside interface.

Assume my LAN is 10.10.10.0/24.

Assume that to reach my server 10.10.10.2 I need to go to x.x.x.x:5050.

The question is about the access rule that needs to allow the outside traffic that comes inside.

Why do I need to allow destination IP 10.10.10.2 in the access rule?

Shouldn't we allow access to x.x.x.x:5050 instead?

Question again:

Why do we need an access rule that allows traffic entering from outside to inside, but don't need a rule to allow traffic entering the outside IP itself?

Regards

18 REPLIES

ASA access rule relative to port forwarding

Hello,

Well, the thing is that after 8.3 the way the ASA processes packets is different.

NAT is checked before the ACL for inbound packets.

So the packet gets un-translated first, and then the ASA checks the ACL.

Before 8.3 it was backwards: NAT first and ACL then.

Clear enough?

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

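To make the 8.3+ behaviour concrete, here is an added example (not code from Cisco or from this thread) that simulates the two evaluation orders in Python. The outside address 203.0.113.10 stands in for x.x.x.x, the client address 198.51.100.7 and the object and ACL names are constructed, and the ASA commands in the docstring show the equivalent 8.3+ configuration for the port forward in the question.

```python
"""Added example: ASA inbound packet path, pre-8.3 versus 8.3+.

Not Cisco code. Addresses are constructed (TEST-NET ranges);
203.0.113.10 stands in for the x.x.x.x of the question.

Equivalent ASA 8.3+ configuration for the port forward in the thread
(object and ACL names are assumptions):

    object network SRV-10.10.10.2
     host 10.10.10.2
     nat (inside,outside) static interface service tcp 5050 5050
    access-list OUTSIDE_IN extended permit tcp any object SRV-10.10.10.2 eq 5050
    access-group OUTSIDE_IN in interface outside
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

OUTSIDE_IP = "203.0.113.10"  # the ASA's outside interface address (x.x.x.x)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Static PAT on the outside interface: (mapped ip, mapped port) -> (real ip, real port)
NAT_TABLE: Dict[Tuple[str, int], Tuple[str, int]] = {
    (OUTSIDE_IP, 5050): ("10.10.10.2", 5050),
}


def untranslate(pkt: Packet) -> Packet:
    """Rewrite the mapped (public) destination to the real (inside) one if a NAT entry exists."""
    real = NAT_TABLE.get((pkt.dst, pkt.dport))
    if real is None:
        return pkt
    return Packet(pkt.src, real[0], real[1], pkt.proto)


@dataclass(frozen=True)
class Ace:
    """One access-list entry; src/dst are CIDR networks or 'any'."""
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp", "icmp" or "ip"
    src: str
    dst: str
    dport: Optional[int] = None


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (
        ace.proto in ("ip", pkt.proto)
        and _in_net(pkt.src, ace.src)
        and _in_net(pkt.dst, ace.dst)
        and (ace.dport is None or ace.dport == pkt.dport)
    )


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def inbound_allowed(pkt: Packet, acl: List[Ace], version: str = "8.3+") -> Tuple[bool, Packet]:
    """Return (allowed, the packet as the ACL saw it) for a packet arriving on 'outside'."""
    if version == "8.3+":
        seen = untranslate(pkt)          # 8.3+: un-NAT first, so the ACL sees 10.10.10.2
        return acl_permits(acl, seen), seen
    return acl_permits(acl, pkt), pkt    # pre-8.3: the ACL sees the mapped address x.x.x.x


# ACL written against the real address (what 8.3+ needs) ...
ACL_REAL = [Ace("permit", "tcp", "any", "10.10.10.2/32", 5050)]
# ... and against the mapped address (what pre-8.3 needed)
ACL_MAPPED = [Ace("permit", "tcp", "any", f"{OUTSIDE_IP}/32", 5050)]


if __name__ == "__main__":
    client = Packet("198.51.100.7", OUTSIDE_IP, 5050)  # constructed internet client
    for version in ("8.3+", "pre-8.3"):
        for name, acl in (("real-ip ACL", ACL_REAL), ("mapped-ip ACL", ACL_MAPPED)):
            ok, seen = inbound_allowed(client, acl, version)
            print(f"{version:8} {name:14} ACL saw dst {seen.dst}:{seen.dport} -> {'permit' if ok else 'DROP'}")
```

Running it shows the same client packet being permitted by the real-IP ACL only on 8.3+ and by the mapped-IP ACL only pre-8.3, which is why the rule in the question has to name 10.10.10.2 rather than x.x.x.x. Note the port check as well: a packet to x.x.x.x:5051 has no NAT entry, so it reaches the ACL untranslated and falls through to the implicit deny.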

ASA access rule relative to port forwarding

Well,

you gave me 90% of the answer,

but still 10% is missing.

You said NAT first, then the ACL verification.

Now I understand it,

but

what about the traffic going just to the outside interface?

What about traffic that pings the outside interface?

Why does it succeed?

I tested it, and with no ACL that allows traffic to the outside interface itself, I find it allowed!

There must be something I'm not understanding.

How does that happen?

ASA access rule relative to port forwarding

From in to out:

Well, traffic from in to out goes from higher to lower security level, so no need for an ACL.

"What about traffic that pings the outside interface?"

Traffic generated from the ASA is not filtered by ACL.


ASA access rule relative to port forwarding

Hi,

I mean that I can ping the interface IP of the outside from the internet,

not making a ping from the ASA itself.

Regards

ASA access rule relative to port forwarding

Hello,

Well, that traffic does not go through the firewall, so those statements you mention are not taken into consideration.

Access to the ASA is enabled by default for ICMP.

You can disable it with an ACL or with the global ICMP command.


ASA access rule relative to port forwarding

Why?

Why doesn't that traffic go through the firewall ACL?

It's entering the outside interface!

ASA access rule relative to port forwarding

Hello,

Please be a little more clear about the traffic in place.

Where is it being initiated and where is it going?

Try to use a diagram, because in my last message I was thinking about traffic from an internet user destined to the outside interface IP address.


ASA access rule relative to port forwarding

====INSIDE-------ASA---------OUTSIDE-=====

Assume I enabled HTTP and HTTPS on the outside interface.

Why can I access the HTTPS web page of the ASA without an ACL allowing traffic entering the outside interface?

Why is ping entering the outside interface allowed?

Outside is at security level 0, so why can we access it?

My question here is clear: I'm not talking about traffic from out to in,

I'm talking about traffic from outside going just to the outside interface itself.

Regards

ASA access rule relative to port forwarding (ACCEPTED SOLUTION)

Access to the ASA is filtered by different mechanisms, such as:

the http command, ssh command, telnet command, icmp command.

No need for an ACL, as the traffic will reach the outside interface but will get dropped before getting to the ASA processor.

Again, you are talking about traffic TO the firewall, not THROUGH the firewall, as the packets are not going to the inside. They are done on the outside interface.


ASA access rule relative to port forwarding

So,

in summary,

by default,

the ASA will allow access to any interface, as that traffic is going to the interface itself (not from one zone to another).

This rule is not matched by the implicit deny in the ASA.

Again, here I'm talking about the default behaviour.

So

it will not run through the firewall, but we can deny that by adding an ACL to the interface.

That's why we can access the firewall interface of the ASA from outside and can ping it.

Please correct me if there is something wrong.

Re: ASA access rule relative to port forwarding

Well, just ICMP, and denying it via ACL is not possible (use icmp deny any outside).

Any other traffic is blocked!

You cannot SSH to the ASA if the firewall is not configured for it.


ASA access rule relative to port forwarding

Hi,

ICMP is fine, because I assumed it is like a new router: when I ping a new router it replies, but the new router needs to be configured so that it supports HTTP, Telnet, SSH.

Did you mean that?

Or

rather than the above, do you need to play with the access rules and make an ACL on the outside that allows traffic from the internet to the outside interface that requests (Telnet or HTTP or SSH)?

"You cannot SSH to the ASA if the firewall is not configured for it."

You mean that I need to edit the access rules for ASA access via ASDM?

ASA access rule relative to port forwarding

What do you mean by the new router?

For SSH, Telnet, HTTPS access you need to configure the access via the commands

http server enable

http 0 0 inside

ssh 0 0 inside

telnet 0 0 inside

Those are examples.

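The accepted solution and the reply above both make the same point: traffic addressed to the ASA's own interface is decided by the http, ssh, telnet and icmp commands, not by the interface access-list used for the port forward. Here is an added example (not Cisco code and not from this thread) that models that decision in Python. The interface addresses, client addresses and management lists are constructed; the commands quoted in the docstring are the ones from the reply above plus the icmp deny form mentioned earlier in the thread, and the add_mgmt_entry helper is an assumption for illustration.

```python
"""Added example: how an ASA treats traffic addressed TO one of its own interfaces.

Not Cisco code. Interface and client addresses are constructed (TEST-NET ranges);
203.0.113.10 stands in for the x.x.x.x outside address of the thread.

Modelled management configuration (the commands quoted in the thread):

    http server enable
    http 0 0 inside        -> ASDM/HTTPS allowed from any source, on inside only
    ssh 0 0 inside
    telnet 0 0 inside
    icmp deny any outside  -> optional; without it, pings to an interface are answered
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

INTERFACE_IP: Dict[str, str] = {"outside": "203.0.113.10", "inside": "10.10.10.1"}

# Per-service management access: list of (interface, permitted source network),
# one entry per "http/ssh/telnet <net> <mask> <iface>" command.
MGMT_ACCESS: Dict[str, List[Tuple[str, str]]] = {
    "https": [("inside", "0.0.0.0/0")],
    "ssh": [("inside", "0.0.0.0/0")],
    "telnet": [("inside", "0.0.0.0/0")],
}

# Per-interface icmp rules: (action, interface, source network). An empty list is
# the default, which is to answer ICMP sent to any interface address.
ICMP_RULES: List[Tuple[str, str, str]] = []


def is_to_the_box(ingress: str, dst: str) -> bool:
    """True when the destination is the address of the interface the packet arrived on."""
    return INTERFACE_IP.get(ingress) == dst


def to_the_box_allowed(
    ingress: str,
    src: str,
    service: str,
    icmp_rules: Optional[List[Tuple[str, str, str]]] = None,
    mgmt: Optional[Dict[str, List[Tuple[str, str]]]] = None,
) -> bool:
    """Decide management-plane access for a packet whose destination is the ingress
    interface. The interface ACL from the port-forward discussion plays no part here;
    only the per-service commands are consulted."""
    icmp_rules = ICMP_RULES if icmp_rules is None else icmp_rules
    mgmt = MGMT_ACCESS if mgmt is None else mgmt
    srcaddr = ip_address(src)

    if service == "icmp":
        for action, iface, net in icmp_rules:      # first matching icmp rule wins
            if iface == ingress and srcaddr in ip_network(net, strict=False):
                return action == "permit"
        return True                                # no icmp command matched: ping is answered

    for iface, net in mgmt.get(service, []):       # ssh / https / telnet need an explicit entry
        if iface == ingress and srcaddr in ip_network(net, strict=False):
            return True
    return False                                   # not enabled on this interface: dropped


def add_mgmt_entry(service: str, iface: str, net: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return a copy of MGMT_ACCESS with one more 'service <net> <mask> <iface>' line (assumed helper)."""
    copy = {k: list(v) for k, v in MGMT_ACCESS.items()}
    copy.setdefault(service, []).append((iface, net))
    return copy


if __name__ == "__main__":
    internet_client = "198.51.100.7"   # constructed
    print("ping outside:", to_the_box_allowed("outside", internet_client, "icmp"))      # True
    print("ssh  outside:", to_the_box_allowed("outside", internet_client, "ssh"))       # False
    print("ssh  inside :", to_the_box_allowed("inside", "10.10.10.5", "ssh"))           # True
    print("ping outside after 'icmp deny any outside':",
          to_the_box_allowed("outside", internet_client, "icmp",
                             icmp_rules=[("deny", "outside", "0.0.0.0/0")]))            # False
    print("https outside after 'http 0 0 outside':",
          to_the_box_allowed("outside", internet_client, "https",
                             mgmt=add_mgmt_entry("https", "outside", "0.0.0.0/0")))     # True
```

The runs reproduce what the original poster observed: with only the inside entries configured, a ping from the internet to the outside address is answered while SSH to the same address is dropped, and neither outcome depends on the interface ACL. Adding an http entry for outside opens ASDM/HTTPS from the internet, which is exactly what the later "http 0.0.0.0 0.0.0.0 outside" line in the thread does; restricting that source network rather than using 0.0.0.0 is the sensible hardening.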

ASA access rule relative to port forwarding

Yes,

I agree with you,

but I don't need an access list to allow traffic entering the public IP for Telnet, SSH, etc.

That's what I mean.

Regards

ASA access rule relative to port forwarding

For traffic to the ASA interface: No.

For SSH, Telnet or any other device behind the ASA: Yes.

Please rate all of the posts that you think were useful for you.


Re: ASA access rule relative to port forwarding

Well,

at this point it's very fine.

The question is why I can't log in to the ASA ASDM remotely from the outside interface.

I did configure it so that it supports HTTP:

http server enable 65000

http 10.66.12.0 255.255.255.0 ins

http 0.0.0.0 0.0.0.0 outside

Also,

I can see the HTTPS web page of the ASA ASDM,

but I can't log in from ASDM itself!

I want to tell you that I changed the port of the ASA to 65000.

Here is what happens when I put the public IP x.x.x.x:65000 on the page:

I'm being redirected to

https://x.x.x.x:65000/admin/public/index.html

but why can't I log in on ASDM?

It says "connecting" and doesn't log in!

I tried to put the IP in ASDM as x.x.x.x and as x.x.x.x:65000,

but still no luck.

ASA access rule relative to port forwarding

Hello,

can you share:

show run asdm

show run http

show run aaa

show run all ssl

show flash | include asdm

show run webvpn


Re: ASA access rule relative to port forwarding

Hi, currently I don't have access to the ASA,

but I have the "sh run" file.

Here is what you need:

============

asdm image disk0:/asdm-645.bin

========================

aaa authentication http console LOCAL

http server enable 65000

http 10.66.12.0 255.255.255.0 ins

http 0.0.0.0 0.0.0.0 outside

destination transport-method http

==============================

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

=============================

Again, I can log in by VPN, but still can't access the ASA ASDM from the VPN!
