topic creating ACL and nat rules on ASA5505 in Network Security

creating ACL and nat rules on ASA5505

schlafket — Mon, 11 Mar 2019 22:46:34 GMT

Ive migrated from my lab pix to a lab asa and am trying to open certain ports to my internal network.

in my confg on my pix i had acls to open port 51413 to an inside host along with the static nat rule.

what i am trying to accomplish is same on my asa, however the nat rules seem to be slightly different, and i'm not completely sure how to do it.

My ACL and nat rule is below. I'm pretty certain my acl is correct,but i am not sure as to what to do with my NAT rules to allow a translation for the tcp service. any help would be apprecaited.....

access-list outside-in extended permit object tcp51413 any object outside

nat (inside,outside) source dynamic all-inside-nat interface

Re: creating ACL and nat rules on ASA5505

llamaw0rksE — Sun, 25 Mar 2012 14:38:15 GMT

Assuming single WANIP 24.333.23.77 (outside interface)

ISP gateway IP 24.333.23.48

LAN 192.168.1.1 (inside interface)

single server RDP 3389 for example

server host PC 192.168.1.44

a.NEED two ACL rules

NEED one static nat rule (port forwarding)

NEED one dynamic nat rule (allows users behind router to get to the net, ie inbound to outbound)

NEED one routing rule.

notes for Adsm gui:

(1) Ensure use ACCESS RULES in gui for the ACL rules in order to associate its for the OUTSIDE interface. This is done by ensuring you put your rule under the OUTSIDE submenu selection in the popup. By doing so it creates two rules one would manually insert for CLI. Runtime config looks the same for both. ACL manager is only for post editing and review (not initial config).

(2) For NAT rules use network-objects and the nat menu selection at the bottom of the popup. The NAT Rules main menu selection is more for post editing and review (NOT initial config). Be advised in the gui, when you make the NAT rule it creates an object rule as well.

You will note in my NAT rules for portforwarding you do specify the LANIP of the server but avoid using the same name for this embedded nat rule as you do for the server itself. (two reasons, you may have more than one server on that pc and second you need the serverpc by itself as an object for acl rules).

Excerpts from runconfig to get an idea of placement.

(dynamic pat rule to allow outbound initiated connections from the LAN, applies SNAT. Default setup of asa 5505 includes this automagically)

object network obj_any_inside

subnet 0.0.0.0 0.0.0.0

(allowed external users object rules)

object network TrustedInternetUsers

subnet 24.333.23.0 255.255.255.0

object network Corporate-user

host 171.26.424.24

object-group network AuthUsers-Group

network-object object TrustedInternetUsers

network-object object Corporate-user

(network object rule identify the server PC - aka the host)

object network server-pcIP

host 192.168.1.44

(service object rule for RDP)

object service RDP

service tcp destination eq 3389

(1st output of NAT rule creates an object)

object network NAT4RDP

host 192.168.1.44

(acl rule first output is for access to the server allowing the group of permitted users for that service. ACL rules come before NAT rules in sequence)

access-list outside_access_in extended permit object RDP object-group AuthUsers-Group object server-pcIP

(second output of NAT rule is the nat rule)

object network NAT4RDP

nat (main-lan,outside) static interface service tcp 3389 3389

(The second ACL output is automatically created (access-group rule) and appears after NAT rules and before the next hop outbound route rule for any outgoing traffic from the inside interface)

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 24.333.23.48 1

timeout xlate 3:00:00

creating ACL and nat rules on ASA5505

schlafket — Tue, 27 Mar 2012 05:27:50 GMT

Thanks Alex. I feel like i have it set up right. but for whatever reason my client on the inside still thinks the port is not open. Here are my packet traces and config snips. Note i dont actually expect to connect to 8.8.8.8 on port 51413, its really just meant to serve as a real world outside address that I know exists. In all reality i could be connecting to anything. Yes i am trying to open up ports for torrents on my lab. But really this would provide me a template for other things in the future. feedback would be appreciated.

Config snipet

description Inside User Subnets

object network vlan201

subnet 10.10.201.0 255.255.255.0

object network vlan203

subnet 10.10.203.0 255.255.255.0

object-group network all-inside-nat

network-object object vlan201

network-object object vlan203

object service torrent

service tcp source eq 51413

access-list outside-in extended permit object torrent any object-group all-inside-nat

access-list outside-in extended permit icmp any any

access-list outside-in extended deny ip any any log

access-list inside-in extended permit ip any any

nat (inside,outside) source static all-inside-nat all-inside-nat service torrent torrent

nat (inside,outside) source dynamic all-inside-nat interface

access-group outside-in in interface outside

access-group inside-in in interface inside

ciscoasa# packet-tracer input inside tcp 10.10.201.4 51413 8.8.8.8 51413

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside-in in interface inside

access-list inside-in extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static all-inside-nat all-inside-nat service torrent torrent

Additional Information:

Static translate 10.10.201.4/51413 to 10.10.201.4/51413

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 969599, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

ciscoasa# packet-tracer input outside tcp 8.8.8.8 51413 10.10.201.4 51413

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static all-inside-nat all-inside-nat service torrent torrent

Additional Information:

NAT divert to egress interface inside

Untranslate 10.10.201.4/51413 to 10.10.201.4/51413

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside-in in interface outside

access-list outside-in extended permit object torrent any object-group all-inside-nat

object-group network all-inside-nat

network-object object vlan201

network-object object vlan203

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static all-inside-nat all-inside-nat service torrent torrent

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 969732, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Re: creating ACL and nat rules on ASA5505

llamaw0rksE — Wed, 28 Mar 2012 03:52:35 GMT

Let me caveat that what I thought you were doing was allowing external users access servers behind the ASA.

I may be very wrong in this assumption and if so can disregard the rest of this post LOL. In fact the more I read its like you want users behind the ASA but on a separate lan to access a server on a different lan??

(1) Not sure why you have this rule? I dont have it and my setup works.
access-group inside-in in interface inside

(2) Not keen on your ACL rule structure.

access-list outside-in extended permit object torrent any object-group all-inside-nat

I would likely try to put in.

access-list outside-in extended permit object torrent object-group all-inside-nat object server-pcIP

Assuming definitions exist

object network server-pcIP

host 8.8.8.8

object service torrent

service tcp destination eq 51413