topic Re: ASA Interface to Interface in Network Security

ASA Interface to Interface

Skawilly1 — Fri, 21 Feb 2020 16:14:28 GMT

I have an ASA 5512 with 9.2 as its image.

I am wondering, even from just interface to interface, are these NAT'd?

I have my Inside interface LAN of 172.16.0.0/16 on port 1, Security Level of 100 and my DMZ interface LAN 10.10.10.0 /24 on port 2, Security Level of 50. is port 1 NAT'd to and from port 2?

EDIT: If they are indeed NAT'd to each other, what is the way around this? How could I see this in what troubleshooting/diagnostics tool?

Re: ASA Interface to Interface

Ajay Saini — Fri, 14 Sep 2018 03:52:27 GMT

Hello,

Do you wish to know if the NAT is configured for access between inside and dmz interface?

If yes, then you can run some commands to see what NAT is being used for communication. FYI, since 8.3 onwards, NAT-control feature has been taken off, which means that hosts behind any 2 interfaces can communicate with each other even without NAT provided access rules are configured properly.

show run nat

packet-tracer command is one feature where you can see all the process flow the ASA will follow for processing the packet including the NAT:

https://community.cisco.com/t5/security-documents/troubleshooting-access-problems-using-packet-tracer/ta-p/3114976

Hope it answered your query.

HTH

Re: ASA Interface to Interface

gbekmezi-DD — Fri, 14 Sep 2018 16:53:44 GMT

Also, security levels only matter if you don’t have an access-list assigned to the interface.

Re: ASA Interface to Interface

mkazam001 — Sun, 04 Nov 2018 00:43:43 GMT

to add to this - sh nat would show the order of nat rules and you could ping from lan to dmz & do sh xlate on the asa - to see if source address is translated.

hope that helps

azam