09-01-2012 10:04 PM - edited 02-21-2020 04:43 AM
I am using static NAT (nat (inside,outside) static interface) between a single host on the inside to the DHCP address being used on the outside interface. The inside interface has security-level of 100, and the outside has security-level of 0. My understanding was that for stateful connections, I shouldn't need any ACLs. However, nothing works unless I set up an ACL (for example, right now I have a global allow any rule). What am I missing?
09-03-2012 07:12 PM
Even though you have them "inactive", you still have the access-list applied on the interface, which by default has the implicit "deny ip any any" at the end of the access-list, even though the existing lines are "inactive".
To remove the access-list from the inside interface completely, you would need to remove the following line:
access-group inside_access_out in interface inside
09-03-2012 06:19 AM
For traffic from a high security level towards a low security level, you don't need any access-list configured. However, if you already have an access-list applied to inside (the high-security interface), then you would need to explicitly allow the traffic that you would like to allow. If you have no access-list applied to the inside interface, then by default it will allow that traffic.
Please share your existing config and advise what you are trying to access, to and from.
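Added example, not code from the thread or from Cisco: a small Python model of the decision described above, showing why an applied access-group whose lines are all "inactive" still ends in the implicit deny, while removing the access-group restores the high-to-low default. The order of checks (interface ACL, then global ACL, then the security-level default only when neither is present) is my simplification of ASA 8.4 behaviour, and the addresses are constructed.

```python
# Added example, not Cisco's code: a toy model of the ASA forwarding decision.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str             # "permit" or "deny"
    src: str                # "any" or a host IP
    dst: str                # "any" or a host IP
    inactive: bool = False  # the ASA keyword that disables one line

@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[list] = None  # None means no access-group is applied

def evaluate_acl(acl, src_ip, dst_ip):
    """First match wins; inactive lines are skipped entirely.
    Returns True/False on a match, None when no line matched."""
    for ace in acl:
        if ace.inactive:
            continue
        if ace.src in ("any", src_ip) and ace.dst in ("any", dst_ip):
            return ace.action == "permit"
    return None

def allowed(ingress, egress, src_ip, dst_ip, global_acl=None):
    """First packet of a new connection entering `ingress` bound for `egress`.
    Interface ACL, then global ACL; the security-level default (high -> low
    permitted) applies only when neither exists (simplification); otherwise
    the implicit 'deny ip any any' at the end of the list wins."""
    if ingress.acl is None and global_acl is None:
        return ingress.security_level > egress.security_level
    for acl in (ingress.acl, global_acl):
        if acl is None:
            continue
        verdict = evaluate_acl(acl, src_ip, dst_ip)
        if verdict is not None:
            return verdict
    return False  # implicit deny: an applied ACL with only inactive lines ends here

# Constructed addresses; 203.0.113.5 stands in for "an IP on the internet".
INACTIVE_ACL = [Ace("permit", "10.0.0.10", "any", inactive=True)]
OUTSIDE = Interface("outside", 0)
def poster_with_inactive_acl():       # access-group still applied on inside
    return allowed(Interface("inside", 100, INACTIVE_ACL), OUTSIDE, "10.0.0.10", "203.0.113.5")
def poster_after_removing_access_group():
    return allowed(Interface("inside", 100), OUTSIDE, "10.0.0.10", "203.0.113.5")
```

The same model also reproduces the poster's workaround: with the inactive interface ACL still applied, a global `permit ip any any` matches in the second step and the connection is allowed.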
09-03-2012 08:58 AM
Thanks for your reply. I have included my config below. You will see some ACLs that I created that are now inactive -- when they were active, everything worked. I replaced them with the single global ACL for convenience right now while I sort everything out. Even without any ACLs defined, I was still seeing blocked traffic. For example, from the inside interface if I tried to browse to an IP on the internet, the traffic was being blocked (either outbound or return, but I thought that it should allow the return traffic automatically once it allows the outbound traffic).
: Saved
: Written by enable_15 at 10:48:15.227 CDT Mon Sep 3 2012
!
ASA Version 8.4(4)1
!
hostname asa5505
domain-name foo.local
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
switchport access vlan 50
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan10
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan50
no forward interface Vlan2
nameif management
security-level 0
ip address 192.168.1.173 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name foo.local
same-security-traffic permit inter-interface
object network NAT_ME
host 10.0.0.10
access-list outside_access_in extended permit tcp any host 10.0.0.10 inactive
access-list outside_access_in extended permit icmp any host 10.0.0.10 inactive
access-list outside_access_in extended permit udp any host 10.0.0.10 inactive
access-list inside_access_out extended permit tcp host 10.0.0.10 any inactive
access-list inside_access_out extended permit udp host 10.0.0.10 any inactive
access-list inside_access_out extended permit icmp host 10.0.0.10 any inactive
access-list global_access extended permit ip any any
pager lines 24
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
!
object network NAT_ME
nat (inside,outside) static interface
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username XXX password XXX encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:5d4e284447b2a62d5b5c1f77047194d8
: end
09-03-2012 08:07 PM
Jennifer, thanks for pointing that out. At one point, I didn't have the access-group stuff in there at all, and things weren't working...but at that point, I must have had another error that I have since corrected. Once I remove those lines, everything is working as expected. Thanks!