topic Hello Karsten, in Network Security

On Communication over inside to dmz ASA 5510

harishrajkv — Fri, 21 Feb 2020 13:42:49 GMT

Hello All,

what all we required when communicating from Inside(security level 100) to dmz (security level 25) both having private pools .

inside ip 192.168.7.10

dmz ip 192.168.107.10

service rdp .

I know we need to add ACL on DMZ-in apart from that do we need any nat configs ? if yes then why we need and what will be the syntax ?

Thanks in advance.

Harish

As always: It depends ...

Karsten Iwen — Tue, 26 Jan 2016 17:55:12 GMT

As always: It depends ...

On the DMZ-interface you don't need any ACL. An ACL is only needed on the interface where the traffic is initiated. If the Traffic is sent *to* the DMZ, then the return traffic is automatically allowed through statefull inspection.
If you don't have any ACL on the inside interface, then you are done. Traffic from higher to lower security level is automatically allowed in this case.
If there is an ACL on the inside interface, then add an ACE that allowes this traffic to the RDP-server in the DMZ.
NAT is not needed as you have full routing between inside and DMZ. But if all inside traffic is subject to NAT (as it was typically with ASA versions < 8.3) then you should exempt this traffic from NAT.

Hello Karsten,

harishrajkv — Tue, 26 Jan 2016 18:37:43 GMT

Hello Karsten,

Thanks for the time and your response.

inside to dmz - i think no acl required 100 to 25 security level

dmz to inside - we need acl bcoz the security level is higher on inside , what i taught. Can you confirm if statefull inspection works in this case eg 100 to 25 .

Firewall version is above 8.4 .

Snippet as per my understanding (Let me know if I'm correct or wrong)

-----------------

object network NAT-Source

host 192.168.7.10

object network NAT-Destination

host 192.168.107.10

nat (inside,dmz) source static NAT-Source NAT-Source destination static NAT-Destination NAT-Destination

-------------

Thanks again.

Harish

The ASA is a statefull

Karsten Iwen — Tue, 26 Jan 2016 19:01:43 GMT

The ASA is a statefull firewall. Allowing the return-traffic is the main purpose of a statefull firewall (in addition to other things).

And the NAT is probably not needed at all.

Thanks and i will definitely

harishrajkv — Tue, 26 Jan 2016 19:38:50 GMT

Thanks and i will definitely get back to you with feedback when i get time working on this. -Harish

Hello Karsten,

harishrajkv — Wed, 27 Jan 2016 15:10:01 GMT

Hello Karsten,

I got the chance of working on the issue.

There was no access-group called on inside interface and i allowed any traffic , it worked.

NAT not required.

Thanks you

- Harish