topic Re: Allowing Traffic through ASA without NAT in Network Security

Allowing Traffic through ASA without NAT

mcast999 — Tue, 04 Feb 2025 15:36:54 GMT

Hi!

I have around 20 local networks. Im posting a basic topology with only 4 networks. Each server represents a network.
Everything internally is working fine. Nothing will be going out to the internet. This is all within house. Now there is a
client that needs to access these networks. We only want to allow certain network "10.0.0.0" on the client side to access internal networks.
So we added a firewall between the client and our network. We as well will need to access networks on the client end.

Question is do I need NAT for this? And how do I configure the ASA to allow Outbound traffic into our networks?

Re: Allowing Traffic through ASA without NAT

Rob Ingram — Tue, 04 Feb 2025 15:43:33 GMT

@mcast999 no you don't need NAT assuming each network can route to each other (either statics or routing). If there are no other NAT rules on the ASA then you don't need to configure anything, traffic would just be routed. However if you do have other NAT rules, you may need to configure a NAT exemption rule, to ensure this traffic is not unintentially translated.

You would need to configure ACL inbound on the outside interface to communicates with the internal networks.

Re: Allowing Traffic through ASA without NAT

mcast999 — Tue, 04 Feb 2025 17:15:15 GMT

I put:

access-list OUT-IN extended permit ip 10.0.0.0 255.255.255.0 any

int g0/0 (outside int)

access-group OUT-IN in interface outside

Cannot ping.

i am inspecting icmp

Re: Allowing Traffic through ASA without NAT

Rob Ingram — Tue, 04 Feb 2025 17:30:13 GMT

@mcast999 run packet-tracer and provide the output, example:-

"packet-tracer input outside tcp 10.0.0.10 3000 10.1.1.11 80"

Re: Allowing Traffic through ASA without NAT

mcast999 — Tue, 04 Feb 2025 17:48:11 GMT

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.0.0.2 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: EXTERNAL
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Allowing Traffic through ASA without NAT

Rob Ingram — Tue, 04 Feb 2025 17:52:47 GMT

@mcast999 re-run the packet-tracer but append "detailed" at the end and provide the full output (including the command you run) - ensure you don't use an IP address of the ASA itself, it can be any IP.

Re: Allowing Traffic through ASA without NAT

Joshqun Ismayilov — Tue, 04 Feb 2025 17:58:51 GMT

Hello @mcast999

You'll need to create an ACL
#access-list OUTBOUND_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0 (you can edit subnet for your case)

Apply ACL to the ASA Interface
#access-group OUTBOUND_ACL in interface outside

Configure Routing
#route inside 192.168.0.0 255.255.0.0 <next-hop-IP> / You can edit IP's

Allow Traffic from Internal Networks to Client
#access-list INBOUND_ACL extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0

#access-group INBOUND_ACL in interface inside

Thanks !

Re: Allowing Traffic through ASA without NAT

mcast999 — Tue, 04 Feb 2025 18:00:22 GMT

packet-tracer input EXTERNAL tcp 100.1.1.1 30000 151.11.201.1 80 detail

100.1.1.1 is the external client router. 151.11.201.1 is any random IP. EXTERNAL is the nameif of the interface connected to the external client. I never used packet-tracer before so i apologize.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fef8f6304b0, priority=1, domain=permit, deny=false
hits=48, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=EXTERNAL, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.0.0.2 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fef8ec60ea0, priority=501, domain=permit, deny=true
hits=2, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=100.1.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=EXTERNAL, output_ifc=any

Result:
input-interface: EXTERNAL
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Allowing Traffic through ASA without NAT

Rob Ingram — Tue, 04 Feb 2025 18:05:51 GMT

@mcast999 this is different to what was described in your initial post.

Is this a production firewall that is already in use? Or a new implementation?

Please provide your configuration.

Re: Allowing Traffic through ASA without NAT

mcast999 — Tue, 04 Feb 2025 18:18:12 GMT

That worked like a charm! thank you!

Re: Allowing Traffic through ASA without NAT

mcast999 — Tue, 04 Feb 2025 18:18:52 GMT

Rob thank you so much for your help. I got it working now. My access lists were wrong.

Re: Allowing Traffic through ASA without NAT

mcast999 — Tue, 04 Feb 2025 18:41:55 GMT

so the amount of acl's id have to do is alot. I was thinking can i NAT the outside int from the ASA and allow only 10.0.0.0 to access my internal networks?

I did:

object network EXTERNAL

subnet 10.0.0.0 255.255.255.252

object network INSIDE

192.168.0.0 255.255.255.252

nat(EXTERNAL,INSIDE) source static EXTERNAL INSIDE

but not working

Re: Allowing Traffic through ASA without NAT

Joshqun Ismayilov — Tue, 04 Feb 2025 18:54:23 GMT

You're trying to translate an entire external subnet to an internal subnet, which doesn't make sense.

Try this one /

#object network EXTERNAL
subnet 10.0.0.0 255.255.255.252

#object network INSIDE
subnet 192.168.0.0 255.255.255.0

#nat (EXTERNAL,INSIDE) source static EXTERNAL EXTERNAL destination static INSIDE INSIDE

#access-list OUTSIDE_TO_INSIDE extended permit ip 10.0.0.0 255.255.255.252 192.168.0.0 255.255.255.0
#access-group OUTSIDE_TO_INSIDE in interface EXTERNAL

Thanks!

Re: Allowing Traffic through ASA without NAT

mcast999 — Tue, 04 Feb 2025 19:39:47 GMT

Try your config and didnt work.

Re: Allowing Traffic through ASA without NAT

mcast999 — Tue, 04 Feb 2025 19:48:51 GMT

Im using a loopback interface from the external client trying to ping my inside networks. On wireshark the loopback address doesnt change to my inside address.

Re: Allowing Traffic through ASA without NAT

Joshqun Ismayilov — Wed, 05 Feb 2025 04:14:26 GMT

@mcast999 as loopback interfaces typically do not generate NAT traffic as they are not considered "routed" interfaces in many cases

object network EXTERNAL
subnet 10.0.0.0 255.255.255.252

object network INSIDE
subnet 192.168.0.0 255.255.255.0

object network NAT_INSIDE
subnet 192.168.0.0 255.255.255.0

object network NAT_EXTERNAL
subnet 10.0.0.0 255.255.255.252

nat (EXTERNAL,INSIDE) source dynamic NAT_EXTERNAL interface destination static NAT_INSIDE NAT_INSIDE

access-list OUTSIDE_TO_INSIDE extended permit ip 10.0.0.0 255.255.255.252 192.168.0.0 255.255.255.0
access-group OUTSIDE_TO_INSIDE in interface EXTERNAL

Try this one also please share

show xlate | include 10.0.0.

Thanks !