topic Re: Allow Specific Access Across Interfaces ASA 5510 in Network Security

Allow Specific Access Across Interfaces ASA 5510

Mitchell Tuckness — Tue, 12 Mar 2019 03:31:33 GMT

Hi All,

In my quest to learn Cisco IOS and devices, I need some help in traffic shaping, or access-lists, specifically allowing traffic between internal interfaces on the ASA.

I have an ASA 5510:

LAN/WAN/DMZ labled ports E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).

Attached to port E0/0 is a 2811 Router

Attached to port E0/1 is the Internet (Outside)

Attached to port E0/2 is a 2821

(I will be adding a 3745 for VOIP) port E0/3 but it hasn't arrived yet.

I want to allow traffic between the 2811 and the 2821 routers so that devices on the networks behind them can talk to each other.

I have specified specif subnets between the ASA and the Routers because I want to learn how to shape traffic behind the routers as well as on the ASA. So behind the routers I have different VLANS, but I am not restricting access between them, yet, at least I don't think I am. But as it is, devices behind the 2821 can't access the DNS / DOMAIN SERVER which is behind the 2811. Right now I am having the routers supply DHCP, which is working. Currently devices behind the 2821 router - 3560 switch cannot access the domain server, primary dns server.

How do I setup the ASA to allow traffic to flow between the two routers and their VLANS?

Here are the configs of each of the devices and I have also included my switch configs, incase something needs to be set on them. I have only redacted the passwords and parts of the external IP's. I appreciate the help in what statements to create and on which devices.

I think it is best I put links to the text files here.

Thank you!

Allow Specific Access Across Interfaces ASA 5510

Collin Clark — Fri, 17 Jan 2014 14:39:45 GMT

You'll need to add same-security-traffic permit inter-interface in the ASA. You'll also want to create ACL's for each interface and apply them for filtering.

Re: Allow Specific Access Across Interfaces ASA 5510

Mitchell Tuckness — Fri, 17 Jan 2014 19:53:00 GMT

Ah, I didn't know of that command. Can you give me an example? Say to allow devices one and behind the 2821 access to the domain server behind the 2811 at IP address 192.168.1.2?

I am still very unsure how the access lists work and would like to see one setu pproperly so I can see one in my inviroment.

Thanks!

Allow Specific Access Across Interfaces ASA 5510

Mitchell Tuckness — Sat, 18 Jan 2014 22:09:41 GMT

Would anyone be able to give me some examples of how to setup the access-lists so that devices behind the 2821 can access the domain server behind the 2811 at att ress 192.168.1.2?

I would appreciate it. I am still trying to learn the access lists and the way I am trying to setup my network, I know I would also need allow the traffic on the ASA but also setup routes on the 2821 and 2811 as well correct?

Thanks, I appreciate the help. I am trying to learn this as fast as I can but it helps to see a working statement for my enviroment so I know how traffic flows.

Allow Specific Access Across Interfaces ASA 5510

Collin Clark — Sat, 18 Jan 2014 22:17:57 GMT

A diagram would help.

If you wanted vlan 10 access through the ASA

access-list dmz-access extended permit ip 168.162.10.0 255.255.255.0 any

or to filter more granually

access-list dmz-access extended permit tcp host 192.162.1.100 host 10.10.1.1 eq 445

Allow Specific Access Across Interfaces ASA 5510

Mitchell Tuckness — Sun, 19 Jan 2014 06:14:51 GMT

I am looking to access the DC from the 128.162.1.0/24 which is behind the 2821. The DC is 192.168.1.2 and it is behind the 2811.

Allow Specific Access Across Interfaces ASA 5510

Collin Clark — Sun, 19 Jan 2014 14:10:13 GMT

Thanks for the diagram.

access-list dmz-access remark Permit all traffic to NAS

access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.10

access-list dmz-access remark Permit only DNS traffic to DNS server

access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq 53

access-list dmz-access remark Permit ICMP to all devices in DC

access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Does this help?

Allow Specific Access Across Interfaces ASA 5510

Mitchell Tuckness — Tue, 21 Jan 2014 00:13:37 GMT

I entered all those commands and yet I still cannot access the DC or DNS. none of the clients behind the 2821 (128.162.1.0/24) are able to resolve DNS nor ping the DC that the access lists were suposed to have allowed. Am I supposed to put these commands on the ASA or the 2811 router?

Thanks.

Allow Specific Access Across Interfaces ASA 5510

metuckness — Tue, 21 Jan 2014 17:14:02 GMT

Should I restructure this network? Since I can't seem to get traffic to pass across ports, I am not sure if these devices will support that or not. I was told I should just put everything behind the ASA and then let the routers route and let the ASA be just a firewall. Seperating all my traffic by VLANS.

My thinking was this would be better off this way but I guess not, I can't seem to get any traffic from the DMZ to the Inside network.

Allow Specific Access Across Interfaces ASA 5510

maxmogorean — Wed, 22 Jan 2014 20:57:30 GMT

Both routers' interfaces looking to ASA have PAT configured. Because of this hosts behind one router will not reach any host behind the other one.

I think that there is not need to PAT traffic on the routers. Traffic between networks behind the routers should be simply routed by routers and ASA.

You only need to PAT traffic leaving the ASA outward the Internet.

Allow Specific Access Across Interfaces ASA 5510

maxmogorean — Wed, 22 Jan 2014 21:20:28 GMT

I would correct myself. As I said you do not need to PAT traffic leaving both routers, but only traffic arriving to the LAN interface and leaving the ASA should be translated. Addresses from behind the DMZ interface should not be translated when leaving the ASA.

Generealy speaking you have NAT issue.

Allow Specific Access Across Interfaces ASA 5510

metuckness — Wed, 22 Jan 2014 21:57:38 GMT

OK, so I have to remove the PAT statements and setup static routes for each of the routers behind the ASA? Can you give me an example so I can get an idea of how that works, if you would. I would appreciate it. Boy is this tough when you're first trying to get a handle on it!

Thanks again for the help.

Mitch

Re: Allow Specific Access Across Interfaces ASA 5510

maxmogorean — Thu, 23 Jan 2014 07:51:14 GMT

You should delete the following statements on both routers:
- # ip nat inside source ... overload
- for each interface # ip nat inside/outside, if they have it configured.

Remove from rip advertisments of networks which are not directly connected:
- 2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
- 2811: 199.195.xxx.0
- ASA: 128.0.0.0

No routes should be added to the routers, since there is the default one, directing to ASA.

Verify routing tables on the routers and ASA.

On ASA:

- remove:
# object-group network PAT-SOURCE
# nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

- create objects of the networks behind the LAN router and enable dynamic NAT:
# object network
subnet
nat (Inside,Outside) dynamic interface

- review remained NAT rules.

- configure/adjust ingress access lists on the interfaces. Don't forget to permit rip on the LAN and DMZ interfaces.

- disable rip on the Outside interface.

Allow Specific Access Across Interfaces ASA 5510

Jouni Forss — Thu, 23 Jan 2014 08:14:14 GMT

Hi,

I don't know if there is really need to make the NAT rules any more complex by creating a configuration for each interface separately as a Section 2 Auto NAT. Not that this environment will probably have that much NAT configurations in the future to make it too complex but I prefer doing the Dynamic PAT with one command instead of configuring multiple "nat" configurations.

You could change the above Dynamic PAT configuration which I probably original suggested before you had added devices to network to the following

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

You can use the PAT-SOURCE "object-group" then to tell all the networks which require PAT translation to the external network. (by adding statements under it for the networks required)

- Jouni

Allow Specific Access Across Interfaces ASA 5510

maxmogorean — Thu, 23 Jan 2014 08:32:31 GMT

Yes Jouni, you are right!

No need to delete # object-group network PAT-SOURCE, # nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface, and to create object for each network. Just to add networks behind the LAN router into the PAT-SOURCE.

Re: Allow Specific Access Across Interfaces ASA 5510

Mitchell Tuckness — Fri, 24 Jan 2014 18:13:50 GMT

OK, so I don't remove the statements from the PAT-SOURCE group per MAXIM's suggestions. I did add the statement from Jouni:

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

Now, if I want to get access between the interfaces, I have to specif access lists for them?

Or just add the networks to the PAT-SOURCE Object-Group.

ASA5510# sh run

: Saved

ASA Version 9.1(4)

hostname ASA5510

domain-name maladomini.int

enable password liqChangedfzvir2g encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd liqhNWIChAnged2g encrypted

names

dns-guard

interface Ethernet0/0

description LAN Interface

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.195.168.123 255.255.255.240

interface Ethernet0/2

description DMZ

nameif DMZ

security-level 100

ip address 10.10.0.1 255.255.255.252

interface Ethernet0/3

description VOIP

nameif VOIP

security-level 100

ip address 10.10.2.1 255.255.255.252

interface Management0/0

management-only

shutdown

nameif management

security-level 0

no ip address

boot system disk0:/asa914-k8.bin

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 199.195.168.4

name-server 205.171.2.65

name-server 205.171.3.65

domain-name maladomini.int

same-security-traffic permit inter-interface

object network ROUTER-2811

host 10.10.1.2

object network ROUTER-2821

host 10.10.0.2

object network WEBCAM-01

host 192.168.1.5

object network DNS-SERVER

host 192.168.1.2

object network ROUTER-3745

host 10.10.2.2

object-group network PAT-SOURCE

network-object 10.10.1.0 255.255.255.252

network-object 10.10.0.0 255.255.255.252

network-object 10.10.2.0 255.255.255.252

object-group network DM_INLINE_NETWORK_2

network-object host 98.22.xxx.xxx

object-group network Outside_access_in

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https

access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any

access-list dmz-access remark Permit all traffic to DC1

access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2

access-list dmz-access remark Permit only DNS traffic to DNS server

access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain

access-list dmz-access remark Permit ICMP to all devices in DC

access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu Outside 1500

mtu management 1500

mtu DMZ 1500

mtu VOIP 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any Outside

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

object network ROUTER-3745

nat (VOIP,Outside) static interface service tcp ssh 2223

nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

nat (DMZ,Outside) after-auto source dynamic PAT-SOURCE interface

nat (VOIP,Outside) after-auto source dynamic PAT-SOURCE interface

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

access-group Outside_access_in in interface Outside

router rip

network 10.0.0.0

version 2

no auto-summary

route Outside 0.0.0.0 0.0.0.0 199.195.xxx.xxx 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Inside

http 98.22.xxx.xxx 255.255.255.255 Outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh 98.22.xxx.xxx 255.255.255.255 Outside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username redacted password vj4PChaNgEDB.Ksz encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

inspect icmp error

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

password encryption aes

Cryptochecksum:d41cdcd98f00b204e9800998ecf8427e

: end

Re: Allow Specific Access Across Interfaces ASA 5510

Mitchell Tuckness — Fri, 24 Jan 2014 19:25:20 GMT

I made these changes. Can I remove the items strieked out below?

ASA5510# sh run nat

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

object network ROUTER-3745

nat (VOIP,Outside) static interface service tcp ssh 2223

nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

nat (DMZ,Outside) after-auto source dynamic PAT-SOURCE interface

nat (VOIP,Outside) after-auto source dynamic PAT-SOURCE interface

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

How do I grant access to respources behind the routers in the PAT-SOURCE? For example. If I have a webpage at 192.168.1.5 running on port 8080.

Thanks!

Re: Allow Specific Access Across Interfaces ASA 5510

maxmogorean — Fri, 24 Jan 2014 19:54:30 GMT

Remove them.

Where from do you want to grant the access?

Since the sec level of the DMZ and Inside is the same, and same security inter interface trafic is permitted, hosts from behind these interfaces must have access to each other.

In order to networks behind the LAN router have access to the internet, add them to the PAT-SOURCE.

For sec reasons, sec level of the DMZ interface should be lower than the Inside and higher than the Outside. In this case

access-list should be apllied to the DMZ to permitt certain traffic to the networks behind the Inside and Outside.

Re: Allow Specific Access Across Interfaces ASA 5510

Mitchell Tuckness — Fri, 24 Jan 2014 20:15:41 GMT

Maxim Mogorean wrote:

Remove them.

Where from do you want to grant the access?

Since the sec level of the DMZ and Inside is the same, and same security inter interface trafic is permitted, hosts from behind these interfaces must have access to each other.

In order to networks behind the LAN router have access to the internet, add them to the PAT-SOURCE.

For sec reasons, sec level of the DMZ interface should be lower than the Inside and higher than the Outside. In this case

access-list should be apllied to the DMZ to permitt certain traffic to the networks behind the Inside and Outside.

I want to grant access to security cameras on some of the different networks froma specific outside source (remote location).

Basically I want to allow http (www) access from 98.22.xxx.xxx to an IP address behind the 2811 at IP address 192.168.1.5 port 8080.

Here is my updated NAT:

ASA5510# sh run nat

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

object network ROUTER-3745

nat (VOIP,Outside) static interface service tcp ssh 2223

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

Access-Lists:

ASA5510# sh run access-list

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https

access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any

access-list dmz-access remark Permit all traffic to DC1

access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2

access-list dmz-access remark Permit only DNS traffic to DNS server

access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain

access-list dmz-access remark Permit ICMP to all devices in DC

access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Re: Allow Specific Access Across Interfaces ASA 5510

maxmogorean — Fri, 24 Jan 2014 20:35:18 GMT

object network CAM

host 192.168.1.5

nat (Inside,Outside) static interface service tcp 8080 80

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object CAM eq 8080