topic Re: Query regarding same security interface in ASA in Network Security

Query regarding same security interface in ASA

ankurs2008 — Mon, 11 Mar 2019 17:48:05 GMT

Hi halijenn / pkampana/all

I have a query regarding traffic traversing from one interface to another with same security level as of other

Inside range -> 192.168.10.0/24

Inside1 range -> 10.10.10.0/24

The inside interface and inside1 interface have same security level 100

[a] Consider that we have NAT-CONTROL enabled

a) I want to access the resources in bidirectional way If i want to access the resources from inside to inside1 and vice-versa with "nat 0 with ACL"

same-security-traffic permit inter-intefrace

nat (inside) 0 access-list NONAT

access-list NONAT permit ip host 192.168.10.1 host 10.10.10.1

Hence please let me know if i need to accomplish one more access-list in addition to above for traffic from Inside1 to Inside .That is do i need to

configure the below as well ?However according to me NAT 0 with ACL is bidirectional and we should not require the below acl for bidirectional traffic .Also please let me know what would be the config if these 2 interfaces would not have been on same sec. level ?

access-list NONAT permit ip host 10.10.10.1 host 192.168.10.1

b) I want to access the resources in bidirectional way . If i want to access the resources from inside to inside1 and vice-versa with "static" command please let me know if below is correct configuraion , I.E one static will do or both statics are required ?

same-security-traffic permit inter-intefrace

static (inside,inside1) 192.168.10.1 192.168.10.1

static (inside1,inside) 10.10.10.1 10.10.10.1

[b] Consider that we have NAT-CONTROL disabled

If no nat-control is configured how will the above change ?

Re: Query regarding same security interface in ASA

Jennifer Halim — Wed, 19 May 2010 11:13:47 GMT

[a] Consider that we have NAT-CONTROL enabled

a) You are absolutely correct. NAT exemption (NAT 0 with ACL) is bidirectional. Hence you only need to configure the NAT and ACL in 1 direction.

If you apply the NAT exemption on the inside interface, it would be as you have stated:

nat (inside) 0 access-list NONAT

access-list NONAT permit ip host 192.168.10.1 host 10.10.10.1

OR/ alternatively you can configure the following:

nat (inside1) 0 access-list NONAT-1

access-list NONAT-1 permit ip host 10.10.10.1 host 192.168.10.1

So it would be 1 or the other, not both.

If the security level is different, ie: inside - 100, inside1 - 90, then NAT exemption is always configured in the direction of high security level towards the low security level, and again, it is bidirectional, so you should only configure the following:

nat (inside) 0 access-list NONAT

access-list NONAT permit ip host 192.168.10.1 host 10.10.10.1

b) Static statement works exactly the same as NAT exemption above. It is also bidirectional. So you only need to configure 1 static line:

Either this:

static (inside,inside1) 192.168.10.1 192.168.10.1

OR/ this:

static (inside1,inside) 10.10.10.1 10.10.10.1

Not both.

[b] Consider that we have NAT-CONTROL disabled

If you have nat-control disable, then for the same security interface, you don't have to configure any NAT exemption or static statement. However, if it is different security level, traffic from high to low security level, you don't need any NAT exemption or static, however, traffic originated from low security level towards high security level, you still need to configure NAT exemption or static as per the above.

However you can't have any NAT statement at all configured on the interface because even if nat-control is disabled, and if you have 1 NAT statement, for example: nat (inside) 1 0 0, this will turn nat-control back on automatically.

Hope that answers your questions.

Re: Query regarding same security interface in ASA

ankurs2008 — Sat, 22 May 2010 07:47:17 GMT

Hi halijenn

This was excellent expalantion !!

1) In part [b] if i have "no nat-control" and the following statement is already there

nat(inside) 1 0 0

global (outside) 1 interface

Now if inside1 is having same-security level then with above statement enabled the nat-control will turn back on automatically .

Hence traffic from inside to inside1 will require below statement and inside1 to inside reachability will be accomplished automatically .Please correct me if i am wrong

nat (inside) 0 access-list NONAT

access-list NONAT permit ip host 192.168.10.1 host 10.10.10.1

Now if inside1 is having lower security level and inside the higher one , STILL the above command will do .Please correct me if i am wrong.

2) In part [b] if i have "no nat-control" and there would have been no "nat(inside) and global(outside)" , then if both the inside and inside1 are at same-security level then there is no requirement for nat 0 with ACL .right ? However if both on diff sec level , only the lower (inside1) would require

nat 0 with acl .Let me know if it is correct ?

Re: Query regarding same security interface in ASA

Jennifer Halim — Sat, 22 May 2010 07:57:07 GMT

You are absolutely correct with both 1) and 2), with 1 minor correction on the following statement on 2):

"However if both on diff sec level , only the lower (inside1) would require nat 0 with acl .Let me know if it is correct ?":

--> If security level is different, then you require either static or nat exemption for traffic initiated from the lower security level, however, as far as the nat exemption (nat 0 with acl) is concern, it should be configured on the higher security level interface (and it works bidirectionally, so traffic initiated from the lower security level will also work).

Hope that answers your question.

Re: Query regarding same security interface in ASA

ankurs2008 — Sun, 23 May 2010 10:52:24 GMT

hi halijenn

thanks for the reply .does that means we have to apply this on higher sec interface

nat (inside) 0 access-list NONAT

access-list NONAT permit ip host 192.168.10.1 host 10.10.10.1

if we dont apply above will the below work if applied on lower sec interface as again this is bidirectional NAT ? According to me it will not

as you said , as this is the case of different sec level interfaces and even if lower requires to speak to higher and we require nat0 with ACL to

accomplish it , the above statement will be correct statement .

nat (inside1) 0 access-list NONAT-1

access-list NONAT-1 permit ip host 10.10.10.1 host 192.168.10.1

Re: Query regarding same security interface in ASA

Jennifer Halim — Sun, 23 May 2010 11:04:19 GMT

nat (inside1) 0 access-list NONAT-1

access-list NONAT-1 permit ip host 10.10.10.1 host 192.168.10.1

will also work. Just from best practise point of view, it is recommended to apply NAT exemption on the high security level interface. This provides consistency in your configuration, ie: instead of having some interface having some NAT exemption on lower security level and some on high security level, this is to ensure that NAT exemption is only configured on the higher security level interface towards lower security level interface.

Re: Query regarding same security interface in ASA

anksachd — Mon, 24 May 2010 09:40:32 GMT

hi ankur

read the thread and i want to tell that i am running through the same scenario and have to add 2 "nat 0 with ACLs" .So there are some times when single

nat 0 with ACL doesnot works.

halijenn

Please let me know if there are some bugs associated with this , if required i can post the software version and asa model

thanks

ankur

Re: Query regarding same security interface in ASA

Jennifer Halim — Mon, 24 May 2010 11:41:18 GMT

Not too sure what you mean by single nat 0 with ACL does not work.

It should always work, and should be applied to the high security level interface, and make sure that you "clear xlate" after configuration changes.