01-16-2014 08:26 PM - edited 03-11-2019 08:31 PM
Hi All,
In my quest to learn Cisco IOS and devices, I need some help in traffic shaping, or access-lists, specifically allowing traffic between internal interfaces on the ASA.
I have an ASA 5510:
LAN/WAN/DMZ labeled ports E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).
Attached to port E0/0 is a 2811 Router
Attached to port E0/1 is the Internet (Outside)
Attached to port E0/2 is a 2821
(I will be adding a 3745 for VOIP) port E0/3 but it hasn't arrived yet.
I want to allow traffic between the 2811 and the 2821 routers so that devices on the networks behind them can talk to each other.
I have specified specific subnets between the ASA and the Routers because I want to learn how to shape traffic behind the routers as well as on the ASA. So behind the routers I have different VLANS, but I am not restricting access between them, yet, at least I don't think I am. But as it is, devices behind the 2821 can't access the DNS / DOMAIN SERVER which is behind the 2811. Right now I am having the routers supply DHCP, which is working. Currently devices behind the 2821 router - 3560 switch cannot access the domain server, primary DNS server.
How do I setup the ASA to allow traffic to flow between the two routers and their VLANS?
Here are the configs of each of the devices and I have also included my switch configs, in case something needs to be set on them. I have only redacted the passwords and parts of the external IPs. I appreciate the help in what statements to create and on which devices.
I think it is best I put links to the text files here.
Thank you!
01-22-2014 11:51 PM
You should delete the following statements on both routers:
- # ip nat inside source ... overload
- for each interface # ip nat inside/outside, if they have it configured.
Remove from RIP advertisements the networks which are not directly connected:
- 2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
- 2811: 199.195.xxx.0
- ASA: 128.0.0.0
No routes should be added to the routers, since there is the default one, directing to ASA.
Verify routing tables on the routers and ASA.
On ASA:
- remove:
# object-group network PAT-SOURCE
# nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
- create objects of the networks behind the LAN router and enable dynamic NAT:
# object network
subnet
nat (Inside,Outside) dynamic interface
- review the remaining NAT rules.
- configure/adjust ingress access lists on the interfaces. Don't forget to permit rip on the LAN and DMZ interfaces.
- disable rip on the Outside interface.
01-23-2014 12:14 AM
Hi,
I don't know if there is really need to make the NAT rules any more complex by creating a configuration for each interface separately as a Section 2 Auto NAT. Not that this environment will probably have that much NAT configurations in the future to make it too complex but I prefer doing the Dynamic PAT with one command instead of configuring multiple "nat" configurations.
You could change the above Dynamic PAT configuration, which I probably originally suggested before you had added devices to the network, to the following:
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
You can use the PAT-SOURCE "object-group" then to tell all the networks which require PAT translation to the external network. (by adding statements under it for the networks required)
- Jouni
01-24-2014 11:54 AM
Remove them.
Where from do you want to grant the access?
Since the sec level of the DMZ and Inside is the same, and same-security inter-interface traffic is permitted, hosts behind these interfaces must have access to each other.
In order to networks behind the LAN router have access to the internet, add them to the PAT-SOURCE.
For sec reasons, the sec level of the DMZ interface should be lower than the Inside and higher than the Outside. In this case
an access-list should be applied to the DMZ to permit certain traffic to the networks behind the Inside and Outside.
01-24-2014 12:35 PM
object network CAM
host 192.168.1.5
nat (Inside,Outside) static interface service tcp 8080 80
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object CAM eq 8080
01-24-2014 02:32 PM
You got it correctly, except port mapping.
You should read the nat rule by the following:
nat (real_ifc,mapped_ifc) static interface service {tcp | udp} real_port mapped_port
that is:
real_ifc = Inside
mapped_ifc = Outside
real_port = 8080 (behind real_ifc)
mapped_port = 80 (behind mapped_ifc)
You connect to the Outside interface IP address port 80 and get to the CAM behind the Inside port 8080
In the Outside access list you indicate real IP and real port, since access list is applied after NAT
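The two rules in that reply (the nat line reads real interface, mapped interface, real port, mapped port; the Outside ACL names the real address and real port because ASA 8.3+ evaluates ACLs after untranslation) are easy to get backwards. The following Python is an added illustration, not code from the thread or from Cisco: it parses a static object NAT with a service port map, shows how an inbound packet to the Outside address is untranslated, and derives the matching inbound ACE. The CAM object, 192.168.1.5 and 98.22.xxx.xxx come from the posts above; 199.195.168.123 is the Outside address in the posted config; the port-name table is a partial assumption.

```python
"""Added example (not from the thread): reading a Cisco ASA static object NAT rule.

    nat (real_ifc,mapped_ifc) static interface service {tcp|udp} real_port mapped_port

Given the object's real host and that rule, the functions below show
  * how an inbound packet on the mapped interface is untranslated, and
  * the access-list entry for the mapped interface, which must name the REAL
    address and REAL port because ASA 8.3+ evaluates ACLs after untranslation.
"""
import re
from dataclasses import dataclass
from typing import Tuple

# Partial table of ASA port keywords (assumption: only the names used here).
PORT_NAMES = {"ssh": 22, "www": 80, "http": 80, "https": 443, "domain": 53}

NAT_RE = re.compile(
    r"nat \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) static interface "
    r"service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+)"
)


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


@dataclass(frozen=True)
class StaticPat:
    obj: str
    real_ip: str
    real_ifc: str
    mapped_ifc: str
    proto: str
    real_port: int
    mapped_port: int


def parse_object_nat(config: str) -> StaticPat:
    """Parse an 'object network' block carrying a static NAT with a service port map."""
    obj = re.search(r"^\s*object network (\S+)", config, re.M)
    host = re.search(r"^\s*host (\S+)", config, re.M)
    nat = NAT_RE.search(config)
    if not (obj and host and nat):
        raise ValueError("not a static object NAT with service port mapping")
    return StaticPat(obj.group(1), host.group(1), nat["real_ifc"], nat["mapped_ifc"],
                     nat["proto"], _port(nat["real_port"]), _port(nat["mapped_port"]))


def untranslate_inbound(rule: StaticPat, mapped_ifc_ip: str,
                        proto: str, dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """A packet arriving on mapped_ifc for mapped_ifc_ip:mapped_port is sent to real_ip:real_port."""
    if proto == rule.proto and dst_ip == mapped_ifc_ip and dst_port == rule.mapped_port:
        return rule.real_ip, rule.real_port
    return dst_ip, dst_port  # no xlate hit: destination unchanged


def inbound_acl_entry(rule: StaticPat, acl_name: str, src_host: str) -> str:
    """Inbound ACE on the mapped interface: real destination object and REAL port."""
    return (f"access-list {acl_name} extended permit {rule.proto} host {src_host} "
            f"object {rule.obj} eq {rule.real_port}")


# Constructed sample: the CAM object from the thread with the port order corrected.
CAM_CONFIG = """\
object network CAM
 host 192.168.1.5
 nat (Inside,Outside) static interface service tcp 8080 80
"""
OUTSIDE_IP = "199.195.168.123"  # Outside address from the posted config

if __name__ == "__main__":
    cam = parse_object_nat(CAM_CONFIG)
    print(untranslate_inbound(cam, OUTSIDE_IP, "tcp", OUTSIDE_IP, 80))  # ('192.168.1.5', 8080)
    print(inbound_acl_entry(cam, "Outside_access_in", "98.22.xxx.xxx"))
```

Run it as a script and it prints the untranslated destination and the ACE; note that an inbound connection to port 8080 on the Outside address is not translated at all, which is the symptom of writing the ports in the wrong order.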
01-17-2014 06:39 AM
You'll need to add same-security-traffic permit inter-interface in the ASA. You'll also want to create ACLs for each interface and apply them for filtering.
01-17-2014 11:53 AM
Ah, I didn't know of that command. Can you give me an example? Say to allow devices one and behind the 2821 access to the domain server behind the 2811 at IP address 192.168.1.2?
I am still very unsure how the access lists work and would like to see one set up properly so I can see one in my environment.
Thanks!
01-18-2014 02:09 PM
Would anyone be able to give me some examples of how to setup the access-lists so that devices behind the 2821 can access the domain server behind the 2811 at address 192.168.1.2?
I would appreciate it. I am still trying to learn the access lists and the way I am trying to setup my network, I know I would also need to allow the traffic on the ASA but also setup routes on the 2821 and 2811 as well, correct?
Thanks, I appreciate the help. I am trying to learn this as fast as I can but it helps to see a working statement for my environment so I know how traffic flows.
01-18-2014 02:17 PM
A diagram would help.
If you wanted vlan 10 access through the ASA
access-list dmz-access extended permit ip 168.162.10.0 255.255.255.0 any
or to filter more granularly
access-list dmz-access extended permit tcp host 192.162.1.100 host 10.10.1.1 eq 445
01-18-2014 10:14 PM
I am looking to access the DC from the 128.162.1.0/24 which is behind the 2821. The DC is 192.168.1.2 and it is behind the 2811.
01-19-2014 06:10 AM
Thanks for the diagram.
access-list dmz-access remark Permit all traffic to NAS
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.10
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq 53
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Does this help?
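To make the decision logic behind the two earlier replies concrete (same-security inter-interface traffic permitted because Inside and DMZ are both level 100, and an ingress ACL on the DMZ deciding what may reach the networks behind Inside), here is an added Python model of how an ASA decides whether an ingress flow is allowed. It is not code from the thread or from Cisco. Interface names, levels and addresses come from the posted configuration; the client 128.162.1.20 and the flows are constructed; the model assumes the dmz-access list is applied inbound on the DMZ interface with access-group, which the posted configuration does not yet show.

```python
"""Added example, not from the thread: a small model of the ASA ingress decision
using the posted security levels and the dmz-access entries above.

Modelled rules (Cisco ASA behaviour):
  * traffic between two interfaces at the same security level is dropped unless
    'same-security-traffic permit inter-interface' is configured;
  * if an inbound access-list is applied to the ingress interface, it alone
    decides, with an implicit deny at the end;
  * otherwise the default policy applies: higher-to-lower level is permitted,
    lower-to-higher is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "ssh": 22}  # partial table (assumption)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for icmp


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and ipaddress.ip_address(f.src) in self.src
                and ipaddress.ip_address(f.dst) in self.dst
                and (self.dst_port is None or self.dst_port == f.dst_port))


def _addr(t, i):
    """Consume one ASA address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(text: str):
    """Return the extended ACEs of an access-list; remarks and standard lists are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        action, proto = t[3], t[4]
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, port))
    return aces


@dataclass(frozen=True)
class Iface:
    name: str
    level: int
    acl_in: Optional[Tuple[Ace, ...]] = None  # set when an access-group is applied inbound


def permitted(ingress: Iface, egress: Iface, flow: Flow, same_sec_inter: bool) -> bool:
    """Ingress decision for a flow entering on `ingress` and leaving on `egress`."""
    if ingress.level == egress.level and not same_sec_inter:
        return False  # needs 'same-security-traffic permit inter-interface'
    if ingress.acl_in is not None:
        for ace in ingress.acl_in:
            if ace.matches(flow):
                return ace.action == "permit"
        return False  # implicit deny at the end of an applied ACL
    return ingress.level >= egress.level  # default interface policy


# The dmz-access entries from the reply above (NAS 192.168.1.10, DNS 192.168.1.2).
DMZ_ACCESS = """\
access-list dmz-access remark Permit all traffic to NAS
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.10
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq 53
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
INSIDE = Iface("Inside", 100)
OUTSIDE = Iface("Outside", 0)
DMZ = Iface("DMZ", 100, tuple(parse_acl(DMZ_ACCESS)))  # assumes access-group dmz-access in interface DMZ


def check_dmz_to_inside():
    """Constructed flows from a client behind the 2821 toward the 2811 networks."""
    dns = Flow("128.162.1.20", "192.168.1.2", "udp", 53)
    smb = Flow("128.162.1.20", "192.168.1.2", "tcp", 445)
    ping = Flow("128.162.1.20", "192.168.1.7", "icmp")
    return {
        "dns": permitted(DMZ, INSIDE, dns, True),
        "smb_to_dc": permitted(DMZ, INSIDE, smb, True),
        "ping": permitted(DMZ, INSIDE, ping, True),
        "dns_without_same_sec": permitted(DMZ, INSIDE, dns, False),
    }


def check_lower_dmz_default_policy():
    """DMZ at level 50 with no ACL: default policy permits toward Outside only."""
    dmz50 = Iface("DMZ", 50)
    dns = Flow("128.162.1.20", "192.168.1.2", "udp", 53)
    web = Flow("128.162.1.20", "203.0.113.10", "tcp", 443)
    return {"to_inside": permitted(dmz50, INSIDE, dns, False),
            "to_outside": permitted(dmz50, OUTSIDE, web, False)}
```

With the ACL applied and same-security traffic enabled, DNS and ICMP to the DC are permitted while anything else to 192.168.1.2 (SMB on 445, for instance) hits the implicit deny; drop the same-security command and even the permitted flows stop, which is the case to rule out first when nothing crosses DMZ to Inside.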
01-20-2014 04:13 PM
I entered all those commands and yet I still cannot access the DC or DNS. None of the clients behind the 2821 (128.162.1.0/24) are able to resolve DNS nor ping the DC that the access lists were supposed to have allowed. Am I supposed to put these commands on the ASA or the 2811 router?
Thanks.
01-21-2014 09:14 AM
Should I restructure this network? Since I can't seem to get traffic to pass across ports, I am not sure if these devices will support that or not. I was told I should just put everything behind the ASA and then let the routers route and let the ASA be just a firewall, separating all my traffic by VLANS.
My thinking was this would be better off this way but I guess not, I can't seem to get any traffic from the DMZ to the Inside network.
01-22-2014 12:57 PM
Both routers' interfaces looking to ASA have PAT configured. Because of this hosts behind one router will not reach any host behind the other one.
I think that there is not need to PAT traffic on the routers. Traffic between networks behind the routers should be simply routed by routers and ASA.
You only need to PAT traffic leaving the ASA outward the Internet.
01-22-2014 01:20 PM
I would correct myself. As I said you do not need to PAT traffic leaving both routers, but only traffic arriving to the LAN interface and leaving the ASA should be translated. Addresses from behind the DMZ interface should not be translated when leaving the ASA.
Generally speaking, you have a NAT issue.
01-22-2014 01:57 PM
OK, so I have to remove the PAT statements and setup static routes for each of the routers behind the ASA? Can you give me an example so I can get an idea of how that works, if you would. I would appreciate it. Boy is this tough when you're first trying to get a handle on it!
Thanks again for the help.
Mitch
01-24-2014 10:13 AM
OK, so I don't remove the statements from the PAT-SOURCE group per MAXIM's suggestions. I did add the statement from Jouni:
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
Now, if I want to get access between the interfaces, I have to specify access lists for them?
Or just add the networks to the PAT-SOURCE Object-Group.
ASA5510# sh run
: Saved
:
ASA Version 9.1(4)
!
hostname ASA5510
domain-name maladomini.int
enable password liqChangedfzvir2g encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd liqhNWIChAnged2g encrypted
names
dns-guard
!
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
!
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.168.123 255.255.255.240
!
interface Ethernet0/2
description DMZ
nameif DMZ
security-level 100
ip address 10.10.0.1 255.255.255.252
!
interface Ethernet0/3
description VOIP
nameif VOIP
security-level 100
ip address 10.10.2.1 255.255.255.252
!
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
!
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name maladomini.int
same-security-traffic permit inter-interface
object network ROUTER-2811
host 10.10.1.2
object network ROUTER-2821
host 10.10.0.2
object network WEBCAM-01
host 192.168.1.5
object network DNS-SERVER
host 192.168.1.2
object network ROUTER-3745
host 10.10.2.2
object-group network PAT-SOURCE
network-object 10.10.1.0 255.255.255.252
network-object 10.10.0.0 255.255.255.252
network-object 10.10.2.0 255.255.255.252
object-group network DM_INLINE_NETWORK_2
network-object host 98.22.xxx.xxx
object-group network Outside_access_in
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
mtu DMZ 1500
mtu VOIP 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh 2222
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh 2223
!
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
nat (DMZ,Outside) after-auto source dynamic PAT-SOURCE interface
nat (VOIP,Outside) after-auto source dynamic PAT-SOURCE interface
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
access-group Outside_access_in in interface Outside
!
router rip
network 10.0.0.0
version 2
no auto-summary
!
route Outside 0.0.0.0 0.0.0.0 199.195.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 98.22.xxx.xxx 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.xxx.xxx 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username redacted password vj4PChaNgEDB.Ksz encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:d41cdcd98f00b204e9800998ecf8427e
: end
01-24-2014 11:25 AM
I made these changes. Can I remove the items struck out below?
ASA5510# sh run nat
!
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh 2222
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh 2223
!
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
nat (DMZ,Outside) after-auto source dynamic PAT-SOURCE interface
nat (VOIP,Outside) after-auto source dynamic PAT-SOURCE interface
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
How do I grant access to resources behind the routers in the PAT-SOURCE? For example, if I have a webpage at 192.168.1.5 running on port 8080.
Thanks!