topic Hello, You already have the in Network Security

Cisco ASA Firewall

svchougule — Tue, 12 Mar 2019 04:30:50 GMT

Hello,

I have a Cisco ASA 9.1(3) 5545 device. A request from my customer required that a few servers in DMZ be accessible from outside. The details are as follows:

Servers in DMZ: 10.20.30.40-49

Public IP used for static NAT: x.y.111.1 - 10

The DMZ interface IP: 10.20.30.1

The Outside interface IP: a.b.c.d

The customer has 2 different Public IP pools. The Outside interface is configured with an IP from one of these pools (a.b.c.*/26). While in this request the customer has asked us to use the other pool (x.y.111.1-10).

I have configured the following on the firewall

1] Static NAT:

object network 10.20.30.40

nat (any , any) static x.y.111.1

and so on upto 10.20.30.49. I am skipping those for brevity.

2] ACL for inbound traffic from DMZ

access-list Dmz_access_in extended permit tcp object int-10.20.30.40 any

(Similar policies for other DMZ IPs)

3] ACL for inbound traffic from Outside

access-list Outside_access_in extended permit tcp any object int-10.20.30.40 eq www

access-list Outside_access_in extended permit tcp any object int-10.20.30.40 eq ftp

(Similar policies for other inbound traffic on Outside interface)

This config is not working. Please suggest if I am missing something. Also could anyone explain how Proxy-ARP would work in this scenario if the firewall gets an ARP request for x.y.111.1-10 IPs from a Router?

Hello, Those are a lot of

Julio Carvajal — Tue, 22 Jul 2014 05:01:03 GMT

Hello,

Those are a lot of questions you have 🙂

First of all recommendations with the NAT

Be as specific as possible.

Never do a (any,any) translation that just makes the ARP process crazy in the ASA. You got to be as clean as possible. Be specific!

Remeber that the firewall is stateful so if you were pretending to allow the replies from the DMZ server to the outside clients on the Dmz_access_in access-list this is NOT required.

Why it's not working???

Because you want to use Proxy-ARP and the behavior of this feature has changed in the versions of the ASA 8.4 and higher where the ASA not longer reply to any IP not listed in one of it's interfaces network domains.

How to Fix it?

Enable the Proxy-ARP for this IPs.

Config te

arp permit non-connected

Regards,

jcarvaja
CCIE 42930, 2-CCNP,JNCIS-SEC
Looking for a quick remote support session? Contact us at inetworks.cr

Thanks jcarvaja, I had

svchougule — Tue, 22 Jul 2014 06:13:52 GMT

Thanks jcarvaja,

I had already configured the arp permit non-connected command. Even then it's not working. I'll try giving specific interfaces in the static NAT.

Meanwhile, do you think routing the x.y.111.1 - 10 on the internet router towards the firewall Outside interface help?

Thanks in advance

Hello, You already have the

Julio Carvajal — Tue, 22 Jul 2014 06:20:24 GMT

Hello,

You already have the arp permit.

Well we would need to take captures to determine whether the ASA is responding to arp packets.

As for:

Meanwhile, do you think routing the x.y.111.1 - 10 on the internet router towards the firewall Outside interface help?

Yes, That would fix it.

Regards,

Jcarvaja

CCIE 42930, 2-CCNP,JNCIS-SEC
Looking for a quick remote support session? Contact us at inetworks.cr