topic For your 1st clarification, in Network Security

nat exempt and intervlan routing scenario in cisco ASA

sinyong.you — Tue, 12 Mar 2019 06:15:25 GMT

Hi, I am new to Cisco ASA. I have done some study on Cisco ASA recently and try to understand how it works.

The network diagram above shows the network architecture in my company (attachment). Both FW (5520, version 8.0) are configured with nat control and same-security-traffic permit inter-interface. I would like to ping from Device A to Device B (10.10.105.244 > 10.10.70.70/24).

At FW 02, i added an inbound ACL (10.10.105.0/24 > 10.10.70.0/24) due to the difference of security level between ingress and egress interface (SL 50 < SL 100). For the return traffic (10.10.70.0/24 > 10.10.105.0/24), I only need to add a nat exempt rules as I have configured with same-security-traffic permit inter-interface. Is my understanding correct?

At FW 01, I need to add an inbound ACL (10.10.70.0/24 > 10.10.105.244). Without the rule, my ping will be unsuccessful. Can I know why I need to add this inbound rule since same-security-traffic permit inter-interface is configured at FW 01? Can I know why I do not need to nat exempt the traffic (10.10.105.0/24 > 10.10.70.0/24)?

Sorry for lengthy explanation. I hope to get clarification and to ensure my understanding is correct.

Thanks all for the comment. Have a great day 🙂

Hi,For your first question:

Adeolu Owokade — Mon, 13 Jul 2015 14:49:22 GMT

Hi,

For your first question: "Can I know why I need to add this inbound rule since same-security-traffic permit inter-interface is configured at FW 01?"

It probably has to do with ICMP inspection. By default, ICMP traffic is not inspected by the ASA so the return traffic from Device B to Device A will be dropped at FW 01. One way is to enable ICMP inspection by adding it to the default MPF configuration on the ASA.

For your second question: "Can I know why I do not need to nat exempt the traffic (10.10.105.0/24 > 10.10.70.0/24)?"

NAT-control does not affect same security interfaces i.e. same security interfaces can communicate without NAT even if NAT-control is turned on (with some exceptions). Refer to this link for further information.

Hi Adeolu,Thank you for

sinyong.you — Tue, 14 Jul 2015 02:49:51 GMT

Hi Adeolu,

Thank you for helping to clarify. It helps a lot 🙂 .

Anyway, for the 1st question, you mentioned the icmp inspection. If i am not mistaken, the icmp inspection is enabled in the form of policy-map and applied to the nameif interface using service-policy, am i correct ? Without the icmp inspection, we need to apply the inbound ACL to allow the icmp traffic. Is this what you suggest?

I re-checked the configuration. I wonder does this config has anything to do with the 1st question. The inbound ACL is applied at the nameif UCS interface.

icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.10.105.0 255.255.255.0 VPN
icmp deny any VPN
icmp permit any UCS

## nameif VPN interface = 10.10.105.254
## nameif UCS interface = 10.10.69.1

Thank you and have a great day.

For your 1st clarification,

Adeolu Owokade — Tue, 14 Jul 2015 09:31:54 GMT

For your 1st clarification, yes you are right. However, rather than applying it per interface using the service-policy, you can just apply it on the default global policy that is configured on Cisco ASAs. You can find that default here. So if you want to add ICMP inspection to the default global policy, the following command will work:

policy-map global_policy
class inspection_default
inspect icmp

For the 2nd question, the "icmp [permit|deny]" applies to ICMP traffic terminating on the ASA itself e.g. pinging the ASA interface. For ICMP traffic through the ASA, we use normal ACLs. More information here.

Hi Adeolu,Thanks a lot for

sinyong.you — Tue, 14 Jul 2015 09:45:16 GMT

Hi Adeolu,

Thanks a lot for helping to answer my question.

Have a great day.