topic ASA question in Network Security

ASA question

vishal.rane — Mon, 11 Mar 2019 20:15:59 GMT

How can I allow a subnet on inside network for smtp and pop3 access and deny all other traffic without applying an ACL on inside interface.

Subnet : 192.168.100.0/24

allow only traffic SMTP and POP3

Email Service is hosted with ISP

Firewall is ASA 5510 ver 8.2

thanks

vishal

Re: ASA question

Jon Marshall — Sat, 02 Apr 2011 12:45:42 GMT

vishal.rane wrote:

How can I allow a subnet on inside network for smtp and pop3 access and deny all other traffic without applying an ACL on inside interface.

Subnet : 192.168.100.0/24

allow only traffic SMTP and POP3

Email Service is hosted with ISP

Firewall is ASA 5510 ver 8.2

thanks

vishal

Vishal

You can't without a an access-list. If you don't want to apply an acl to the inside interface you could apply an acl outbound on the outside interface but i would recommend using an acl inbound on the inside interface. That is after all what firewalls are for ie. controlling access and the main way ASAs do this is by using acls.

The acl would be very straightforward ie.

access-list inside_out permit tcp 192.168.100.0 255.255.255.0 host eq 25

access-list inside_out permit tcp 192.168.100.0 255.255.255.0 host eq 110

access-list inside_out deny ip 192.168.100.0 255.255.255.0 any

access-list inside_out permit ip any any

access-group inside_out in interface inside

Jon

Re: ASA question

vishal.rane — Sat, 02 Apr 2011 13:51:34 GMT

Cisco Technical Engineer suggestd to apply ACL with a NAT statement, this would avoid applying ACL on Inside interface.

nat (inside) 5 access-list 111
global (outside) 5 interface

access-l 111 deny tcp 192.168.100.0 255.255.252.0 any eq 8080
access-l 111 deny tcp 192.168.100.0 255.255.252.0 any eq 80
access-l 111 deny tcp 192.168.100.0 255.255.252.0 any eq 443
access-l 111 permit ip 192.168.100.0 255.255.252.0 any

Any Comments

Re: ASA question

Maykol Rojas — Sat, 02 Apr 2011 14:45:58 GMT

Hello,

Using Policy Nat is a good Approach, the access lists on that example wont get you the access that you want, but the idea is fine. I want you to be aware that this does not eliminate the option that clients can send packets on those ports, but since the IP address where they are coming from is not routable, the packet will be drop in the first ISP router.

Something else that you need to be aware is that you should take in consideration your other nats, because if there is already a global using the interface keyword, you may need to create the NAT statement with the same ID, and by NAT order of operation, the most specific one (The one with the ACL) should take precedence.

Cheers

Mike

Re: ASA question

Jon Marshall — Sat, 02 Apr 2011 16:54:07 GMT

As Mike says this would work but i still don't fully understand why you simply don't use an acl. Think of it like this. If another person ends up mainting the firewall and looks at the config with an acl it is obvious what you want to do. With policy NAT it may achieve the same thing but it won't be that obvious as to why it has been done.

It is an oblique way to deny access from the inside when you have a perfectly good way to achieve the same thing with an access-list.

Having said that it will stop these clients accessing anything other than what you want, although again as Mike says, not with the config you posted. So my statement saying it can't be done was wrong. Apologies for that. I just don't tend to think of NAT as a control/restriction tool rather an IP preservation tool.

Jon

Re: ASA question

vishal.rane — Sun, 03 Apr 2011 05:25:34 GMT

Jon & Mike thanks.

Jon I am convinced on your reply so gonna apply ACL on inside