<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: asa inbound access in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580881#M593821</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;OK, I understand now!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So if the fw has the inside interface IP 199.X.X.1, and 199.X.X.11 is assigned as the inside machine's IP (gateway is the inside i/f), will a static translation to itself still be required in the fw? And will the firewall still ARP for this IP during the inbound access?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 21 Jan 2011 10:36:15 GMT</pubDate>
    <dc:creator>techkamleshs</dc:creator>
    <dc:date>2011-01-21T10:36:15Z</dc:date>
    <item>
      <title>asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580875#M593815</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am confused: if we have a public IP 199.X.X.11 of an inside server given to its NIC, and it is behind the ASA inside, and the ASA external range does not fall into that, will I be able to access this server from outside? The access list is applied on the outside for the public IP 199.X.X.11 for dest port 80, and the ISP has a route pointing to the firewall for the server public IP. Also, is a static required in the ASA? Sorry if this is basic, as I am new to Cisco and do not know about this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;ASA external IP - 64.X.X.9&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;internal server ---(inside )fw(outside)--ISP---internet---user&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 19:37:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580875#M593815</guid>
      <dc:creator>techkamleshs</dc:creator>
      <dc:date>2019-03-11T19:37:09Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580876#M593816</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, you can.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Apart from the access-list to allow the traffic through, you would also need to have a static 1:1 NAT configured for the inside server. Configuration as follows:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;static (inside,outside) 199.X.X.11 199.X.X.11 netmask 255.255.255.255&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you are however running version 8.3, then the configuration would be as follows:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;object network obj-199.X.X.11&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; host 199.X.X.11&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; nat (inside,outside) static 199.X.X.11&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Jan 2011 10:19:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580876#M593816</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2011-01-19T10:19:11Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580877#M593817</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Jennifer,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for answering. Why is this static required if we have a route in the ISP router (external to the firewall) and it will know to send it to the firewall? Statics are put in for the outside to inside (private) mapping, and we don't have that scenario here.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;static (inside,outside) 199.X.X.11 199.X.X.11 netmask 255.255.255.255&lt;/STRONG&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Jan 2011 10:30:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580877#M593817</guid>
      <dc:creator>techkamleshs</dc:creator>
      <dc:date>2011-01-19T10:30:23Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580878#M593818</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The reason why we need a static NAT statement is because if the traffic is being initiated from low security level (outside) towards high security level (inside), it is a requirement to have 2 things configured:&lt;/P&gt;&lt;P&gt;1) static NAT translation (whether it is an actual NAT translation, or just a translation to itself)&lt;/P&gt;&lt;P&gt;2) ACL applied on the outside interface to allow the traffic through.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Jan 2011 10:43:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580878#M593818</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2011-01-19T10:43:40Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580879#M593819</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Jennifer,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So will the firewall do an ARP for 199.X.X.11 though it does not belong to it, and what MAC will be sent to the router? Or is it that the router will never do any ARP lookup for this address?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Jan 2011 11:04:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580879#M593819</guid>
      <dc:creator>techkamleshs</dc:creator>
      <dc:date>2011-01-19T11:04:53Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580880#M593820</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;No, it will not be ARPing for it since it is a routed interface. As you have advised, on the router there is a route for the 199.X.X.11 IP address to point towards the ASA outside interface IP address. So based on that route, it will be routed towards the ASA outside interface. On the ASA, either 199.X.X.11 is in the same subnet as the ASA inside interface, or if it's not, you would need to configure a route for 199.X.X.11 on the ASA to point to the correct next hop on the inside interface.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Jan 2011 11:46:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580880#M593820</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2011-01-19T11:46:27Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580881#M593821</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;OK, I understand now!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So if the fw has the inside interface IP 199.X.X.1, and 199.X.X.11 is assigned as the inside machine's IP (gateway is the inside i/f), will a static translation to itself still be required in the fw? And will the firewall still ARP for this IP during the inbound access?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 21 Jan 2011 10:36:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580881#M593821</guid>
      <dc:creator>techkamleshs</dc:creator>
      <dc:date>2011-01-21T10:36:15Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580882#M593822</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Jennifer,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any thoughts on this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If the fw has the inside interface IP 199.X.X.1, and 199.X.X.11 is assigned as the inside machine's IP (gateway is the inside i/f), will a static translation to itself still be required in the fw? And will the firewall still ARP for this IP during the inbound access?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 28 Jan 2011 10:09:30 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580882#M593822</guid>
      <dc:creator>techkamleshs</dc:creator>
      <dc:date>2011-01-28T10:09:30Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580883#M593823</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If you don't have any NAT statement at all in your configuration, then you can configure:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;no nat-control&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;And this does not require any static NAT statement at all.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 28 Jan 2011 10:22:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580883#M593823</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2011-01-28T10:22:45Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580884#M593824</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;OK, but here I have multiple NAT statements for outbound traffic with nat-control enabled, so considering this, can you let me know if the static is still required in the fw as below? And will the firewall still ARP for this IP for incoming traffic?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;static (private,public) 199.X.X.11 199.X.X.11&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 28 Jan 2011 10:31:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580884#M593824</guid>
      <dc:creator>techkamleshs</dc:creator>
      <dc:date>2011-01-28T10:31:56Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580885#M593825</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi experts,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is there anyone who can share views on this?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 31 Jan 2011 11:17:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580885#M593825</guid>
      <dc:creator>techkamleshs</dc:creator>
      <dc:date>2011-01-31T11:17:43Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580886#M593826</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;There are a few options depending on what has been configured on the ASA itself.&lt;/P&gt;&lt;P&gt;With ASA, even though you are not actually translating the IP address from inside towards outside, you would still need to configure the static 1:1 NAT to itself. It will not translate the IP address, it's just a configuration that still needs to be configured as per the ASA design.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;From your last post, you mention that you have a few NAT statements for outbound, hence the "no nat-control" will not take effect anymore for that interface where you have configured the NAT statements. Again depending on what the NAT statement actually says:&lt;/P&gt;&lt;P&gt;1) For the IP address 199.x.x.11, if you do not want to translate, you can configure "no nat-control". This will allow you to pass inbound traffic from outside to inside interface without any translation. However, for outbound traffic from 199.x.x.11 to the internet, if your NAT statement does cover that particular IP address, it will be NATed to the IP address configured in the "Global" command.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2) To be 100% sure that the 199.x.x.11 does not get NATed for both inbound and outbound traffic, then configure the static NAT statement to itself as advised earlier: "static (inside,outside) 199.x.x.11 199.x.x.11", because static NAT takes precedence over the NAT (dynamic NAT) statement.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can you please advise the reason why you are reluctant to configure static NAT to itself? This is widely used, and must be configured if you don't disable nat-control and have nat statements.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The same is typically configured as well if you don't want to NAT traffic between inside interface and DMZ interface for example.&lt;/P&gt;&lt;P&gt;E.g. if your inside network is 10.10.10.0/24 and you don't want to NAT traffic between inside and DMZ, then you configure the following:&lt;/P&gt;&lt;P&gt;static (inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 31 Jan 2011 11:52:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580886#M593826</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2011-01-31T11:52:31Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580888#M593828</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Jennifer,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for the reply, but why will nat-control have an effect on the static statement? As per your statement specifically for "inbound" access:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"for the ip address 199.x.x.11, if you do not want to translate, you can configure "no nat-control". This will allow you to pass inbound traffic from outside to inside interface without any translation."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So whether I put "nat-control" or "no nat-control", as per my thought a static should be required from lower to higher security interface. Why is it that with "no nat-control" a static is not required? I am saying this as the Cisco guide says this:&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Traffic identified by a static command is not affected.&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1065667"&gt;http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1065667&lt;/A&gt;&lt;/P&gt;&lt;P&gt;In the NAT Control and Static NAT section in the following guide it is mentioned "NAT control does not affect static NAT".&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html"&gt;http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 01 Feb 2011 10:59:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580888#M593828</guid>
      <dc:creator>techkamleshs</dc:creator>
      <dc:date>2011-02-01T10:59:42Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580889#M593829</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;There are a number of options depending on what you have on your current configuration as well as whether you need both inbound and outbound access from 199.x.x.11 not translated.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As I said earlier, the simplest way is to just configure the static 1:1 to itself, and you really don't have to worry about any other configuration within your existing config as that takes precedence over any other dynamic NAT statement.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You are correct, "nat-control" only affects nat statement, not static nat statement, however, if you have a nat statement in your existing configuration, the outbound traffic from 199.x.x.11 will be nated accordingly. Configuring static nat statement will confirm that both outbound and inbound traffic will not be translated.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 01 Feb 2011 13:00:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580889#M593829</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2011-02-01T13:00:16Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580890#M593830</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Jennifer,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for your reply again. I know that with the below static the identity source translation will also happen from private to public, but I am not concerned about outbound. My requirement is only for inbound and I want to understand nat-control. The theory in the documentation goes against what I am observing in practice. I removed all the NAT statements from the firewall and also did a "no nat-control", and without any NAT in my config, I am able to ping from outside to inside on 199.X.X.11, which should not happen.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;static (private,public) 199.X.X.11 199.X.X.11&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- With "no nat-control" and without any NAT statements on the firewall and just an inbound ACL for 199.X.X.11, I can ping inbound to 199.X.X.11 without any static.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- With "nat-control" and without any NAT statements on the firewall and just an inbound ACL for 199.X.X.11, I cannot ping without the static command being in place.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So like I said, NAT control is affecting static NAT. The document should not be saying that "NAT control does not affect static NAT".&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 03 Feb 2011 12:42:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580890#M593830</guid>
      <dc:creator>techkamleshs</dc:creator>
      <dc:date>2011-02-03T12:42:42Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580891#M593831</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;It is not affecting the static nat statement.&lt;/P&gt;&lt;P&gt;If you have the command "no nat-control", it will allow inbound connections without any static nat statement, because there is no control over any of the nat statements.&lt;/P&gt;&lt;P&gt;If you however have "nat-control", or any of the NAT statements with "no nat-control", it will impose the old translation rule whereby you would need to configure a static nat statement for inbound traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"nat-control" is a new feature from version 7.0 onwards. In the old versions of PIX (6.3 and below), there is no nat-control feature, and a static nat statement is imposed for all inbound connections from low to high security level.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 03 Feb 2011 17:47:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580891#M593831</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2011-02-03T17:47:33Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580892#M593832</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;"If you have the command "no nat-control", it will allow inbound connection without any static nat statement, because there is no control over any of the nat statements."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Consider that the fw does not have any nat command in it and no nat-control configured. Now I put just nat-control without any nat statements. So isn't nat-control only for outbound traffic, i.e. from inside to outside? So why do we need to put a static for inbound traffic at this point? If nat-control is independent of static and only meant for outbound traffic, why is a static required?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 04 Feb 2011 12:14:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580892#M593832</guid>
      <dc:creator>techkamleshs</dc:creator>
      <dc:date>2011-02-04T12:14:32Z</dc:date>
    </item>
    <item>
      <title>Re: asa inbound access</title>
      <link>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580893#M593833</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;As I said earlier, disabling NAT with "no nat-control" is a new feature, and prior to the availability of this particular command, you will need to configure a static NAT statement for inbound (from low to high security level) and there is no other option.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Enabling "nat-control" brings back the old rule of having to have the static NAT statement for inbound traffic. This is the design for the ASA, and those are the design rules and how you configure it.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 05 Feb 2011 16:50:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-inbound-access/m-p/1580893#M593833</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2011-02-05T16:50:03Z</dc:date>
    </item>
  </channel>
</rss>

