topic ASA Firewall inside <--> Outside access with out NAT ( Bidirect in Network Security

ASA Firewall inside <--> Outside access with out NAT ( Bidirectional)

virgoboy009 — Mon, 11 Mar 2019 20:51:48 GMT

Hello Guys,

Please suggest me to configure the standard way to configure my ASA FW for the below requirment.

Following is requirement :-

1) Inside to outside network no nat should be used.

2) Outside to Inside No nat should be used.

10.2.1.1 Layer 3 interface Router

Coreswitch--10.2.1.2.inside.FW..Out172.16.31.2......172.16.31.1 RouterA--10.241.2.1....10.241.2.2..ISP_MPLS.......ISP.10.241.2.X....Vendor..10.4.x.x

Currently I have another few subnets within my Coreswitch 10.1.200.X and 10.1.222.X to be accessed to vendor network with out Nat translation and also the Vendor traffic from 10.4.x.x outside network shoould be allowed with out NAT to be accessed to 10.1.200.x network.

Pleae suggest me the required config for end -end routing/NAT/ACL..

Please note that from router to ISP on both sides E-Bgp configured and on router A i can get all the Vendor Router inside networks published via E-bgp.

Also i can ping from router A to vendor inside network 10.4.x.x.

Subnets are

172.16.31.0/24

10.2.1.0/24

Appreciate your high efforts.

Thanks and Regards,

KA.

Please suggest me the required changes on ASA

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

kampmalm2 — Tue, 28 Jun 2011 08:18:55 GMT

Hello!

1) No natting from inside to outside:

access-list nonat_inside permit ip 10.2.1.0 255.255.255.0 any

access-list nonat_inside permit ip 10.1.200.0 255.255.255.0 any

access-list nonat_inside permit ip 10.1.222.0 255.255.255.0 any

nat (inside) 0 access-list nonat_insisde

2 No natting from outside to inside:

static (inside,outside) 10.2.1.0 10.2.1.0 netmask 255.255.255.0

static (inside,outside) 10.1.200.0 10.1.200.0 netmask 255.255.255.0

static (inside,outside) 10.1.222.0 10.1.222.0 netmask 255.255.255.0

And then you must have a access-list applied to outside interface wich permits the traffic that is allowed to go to inside.

Regards

Paul

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

virgoboy009 — Tue, 28 Jun 2011 09:48:00 GMT

Hello Paul,

Thank you for the reply!

I have one doubt here on your below NAT statement for NAT outside to inside.

2No natting from outside to inside:

static (inside,outside) 10.2.1.0 10.2.1.0 netmask 255.255.255.0

static (inside,outside) 10.1.200.0 10.1.200.0 netmask 255.255.255.0

static (inside,outside) 10.1.222.0 10.1.222.0 netmask 255.255.255.0

IS the Static command should be

static (outside,inside) 10.4.x.0 172.16.31.0 netmask 255.255.255.0..?

here 10.4.x.0 is Vendor network subnet and 172.16.31.0 is MY FW outside subnet

if not what scenarios the command will be

static (inside,outside) 10.1.200.0 10.1.200.0 netmask 255.255.255.0 for this requirement.

please let me know how we can use static ( inside, outside) ...to inititate traffic from outside to inside and what ACL should be used in regards to source to destintion for applying on in traffic for outside interface of FW.

Appreciate your help.

Regards,

KA.

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

praprama — Fri, 08 Jul 2011 22:34:26 GMT

Hi Karim,

Are you going to have any NAT configured at all on the firewall? If there is none configured, there is no need for the static or nat 0 statements above (given nat-control is disabled). All you need are ACLs on the outside interface to allow outside subnets to access the inside networks.

Regards,

Prapanch

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

JOSH GANT — Wed, 13 Jul 2011 13:00:05 GMT

Prapanch,

With 8.4 there is no "nat-control" AFAIK. Can I configure an 8.4 ASA without any NAT commands at all and expect traffic to traverse the device (with appropriate ACLs)?

I was under the impression from the docs that you must at least do Identity NAT.

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

varrao — Wed, 13 Jul 2011 13:07:36 GMT

Hi Josh,

There is no concept of nat-control post 8.3 versions, so yes you would need atleast a identity nat configuration to pass the traffic through ASA. Kindly let me know if you need any config help.

Varun

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

JOSH GANT — Wed, 13 Jul 2011 13:28:15 GMT

Thank you Varun,

Here is what I am doing:

Customer -> ASA 5520 -> 3750X -> PIX -> Internet

I am protecting the "3750X" portion of the network from the Customer network. The customer uses the Internet through the PIX. There cannot be any NAT at all on the ASA.

I have some of this going on which seems to be the appropriate Identity NAT:

object network Inet

subnet 0.0.0.0 0.0.0.0

object network Inet

nat (3750x,customer) static 0.0.0.0

My ACLs are permit IP any any on both interfaces. Customer has the lower security level.

=======

Connectivity from the Customer to the Internet is very spotty. It almost looks like an MTU issue - some websites load, others do not, pings are good to go everywhere. When I replace that ASA with a Cisco router, everything works great.

I want the ASA to behave like a router (no NAT) but provide nice ACL, packet inspection and logging features. I could do this easily in the past with an ASA using "nat 0" or "no nat-control."

Thoughts?

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

varrao — Wed, 13 Jul 2011 18:04:30 GMT

Hi Josh,

You would need the following nat config to exempt all customer network:

Lets say your customer network has 3 networks:

192.168.1.0

192.168.2.0

192.168.3.0

and youi want to exempt these networks completely:

Then you would need:

object-group network internal_subnets

network-object subnet 192.168.1.0 255.255.255.0

network-object subnet 192.168.2.0 255.255.255.0

network-object subnet 192.168.3.0 255.255.255.0

nat (inside,outside) source static internal_subnets internal_subnets (assuming your cust network is on the inside interafce)

Thats it.....

You just need these nats.

Thanks,

Varun

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

JOSH GANT — Wed, 13 Jul 2011 18:06:40 GMT

Consider that the entire Internet is "internal" in this configuration. The customer is "external" and the 3750x areas + the Internet are "internal".

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

varrao — Wed, 13 Jul 2011 18:10:48 GMT

Josh,

Is that wat you are referring to:

Customer----------outside(ASA)inside---------3750-------------inside(PIX)outside---------------Internet

Then also no worries:

nat (outside,inside) source static internal_subnets internal_subnets

Thats it...

Hope this helps

Thanks,

Varun

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

JOSH GANT — Wed, 13 Jul 2011 18:12:51 GMT

And by internal_subnets do you mean 0.0.0.0/0? If I only list the actual subnets in the 3750x area, the customer will not be able to reach the Internet.

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

JOSH GANT — Wed, 13 Jul 2011 18:14:12 GMT

Or would it be:

nat (outside,inside) source static customer_subnets customer_subnets

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

varrao — Wed, 13 Jul 2011 18:16:57 GMT

I mean the customer_subnets, the one that I mentioned in the configuration. On the PIX device you must be having a nat statement, something like:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1

so this would give internet access to all IP addresses on the inside.

Varun

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

JOSH GANT — Wed, 13 Jul 2011 18:19:45 GMT

I will give that a try next week and come back here to let you know. Yes the PIX is NATing to the Internet.

Thanks!

- Josh

ASA Firewall inside <--> Outside access with out NAT ( Bidirect

varrao — Wed, 13 Jul 2011 18:21:43 GMT

No problem Josh!!!!!

If you ahve any issues, do post ot to me.

Varun