topic Re: Allow traffic through Outside - Inside ASA-5505 in Network Security

Allow traffic through Outside - Inside ASA-5505

mattias — Mon, 11 Mar 2019 17:22:19 GMT

Hi!

I been thinking quite a long time over this and i hope anyone here could help out.

Is it possible to "route" traffic through outside interface and depending on what ip adress you are coming from you are directed to a specific ip on the inside? I know how it works when using PAT but now it is rather a question of just let traffic flow directly to inside adress without any questions asked or rules depending of what ip you have when on the outside.

The Asa only has one ipadress assigned (ouside). I think if i had more ip adresses on the outside i could map the traffic more easy.

Also...i´m a beginner at Cisco FW 😃

Regards

Mattias

Re: Allow traffic through Outside - Inside ASA-5505

Federico Coto Fajardo — Tue, 16 Mar 2010 13:39:53 GMT

Hi,

Normally to allow traffic from a lower-security interface to a higher-security interface you need a STATIC NAT and an ACL allowing the traffic.

So, as long as there a static translation for a host and an ACL permiting the traffic, you can come from the outside and access any host on the inside.

When you say that depending on what address you're coming from, to be redirected to an specific ip on the inside, you mean using the outside IP of the ASA to redirect traffic based on ports?

For example, you can use the outside public IP of the ASA to redirect traffic to several internal hosts depending on the destination port of the connection.

I supposed you can use Policy NAT to specify where to go depending on the IP you're coming from.

Take a look:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html

Federico.

Re: Allow traffic through Outside - Inside ASA-5505

mattias — Tue, 16 Mar 2010 13:58:14 GMT

Hi!

From outside i want to allow traffic to inside depending of what ip you are originating from.

Lets say FW Outside IP is 10.10.10.10

Inside is 192.168.0.0.

Example:Ip adresses that i want to get "full access" to internal ip is

Ouside ip 12.12.12.20 forwarded to 192.168.0.20

12.12.12.21 forwarded to 192.168.0.21

12.12.12.22 forwarded to 192.168.0.22

Is this possible to do`? NAT by using source 12.12.12.20 and destination 192.168.0.20 service ANY?

Regards

Mattias

Re: Allow traffic through Outside - Inside ASA-5505

samuelpetrescu — Tue, 16 Mar 2010 14:13:54 GMT

Hi,

static (inside,outside) 12.12.12.21 192.168.0.21 netmask 255.255.255.255

static (inside,outside) 12.12.12.22 192.168.0.22 netmask 255.255.255.255

access-list outside_in extended permit ip host 10.10.10.10 host 12.12.12.21

access-list outside_in extended permit ip host 10.10.10.10 host 12.12.12.22

access-group outside_in in interface outside

Samuel Petrescu

Re: Allow traffic through Outside - Inside ASA-5505

mattias — Tue, 16 Mar 2010 14:42:07 GMT

Hi again!

Thanks i will try this. I looks a bit backward to me (Cisco logic?!) but is the 12.12.12.20 (21) adress an outside adress equal to orginating adress that i tried to explain? Lan inside should be 192.168.0.21 (22). Correct?

Regards,

Mattias

Re: Allow traffic through Outside - Inside ASA-5505

samuelpetrescu — Tue, 16 Mar 2010 14:52:02 GMT

Hi again,

Ip addresses 192.168.0.21 and 192.168.0.22 are inside addresses

Ip addresses 12.12.12.21 and 12.12.12.21 are outside addresses (usually public IP's)

Ip addresses 10.10.10.10 is an outside address where traffic was originated from.

Example, allow only outside host 10.10.10.10 to access internal hosts 192.168.0.21 and 192.168.0.22.

Samuel Petrescu

Re: Allow traffic through Outside - Inside ASA-5505

Federico Coto Fajardo — Tue, 16 Mar 2010 14:52:14 GMT

In the example by Samuel...

static (inside,outside) 12.12.12.21 192.168.0.21 netmask 255.255.255.255
static (inside,outside) 12.12.12.22 192.168.0.22 netmask 255.255.255.255

access-list outside_in extended permit ip host 10.10.10.10 host 12.12.12.21
access-list outside_in extended permit ip host 10.10.10.10 host 12.12.12.22
access-group outside_in in interface outside

Outside NATed address: 12.12.12.21 for inside local 192.168.0.21
Outside NATed address: 12.12.12.22 for inside local 192.168.0.22

Then, the ACL allows IP from outside host 10.10.10.10 to both NATed addresses.

I don't think this is the redirection that you're asking, but is a valid configuration.

When outside 10.10.10.10 wants to access 12.12.12.21 it will be redirected to 192.168.0.21
On the other hand, when the same 10.10.10.10 wants to access 12.12.12.22 it will be redirected to
192.168.0.22

Let me know if this will work for you.

Federico.