
Allow Specific Access Across Interfaces ASA 5510

Hi All,

In my quest to learn Cisco IOS and devices, I need some help in traffic shaping, or access-lists, specifically allowing traffic between internal interfaces on the ASA.

I have an ASA 5510:

LAN/WAN/DMZ labeled ports E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).

Attached to port E0/0 is a 2811 Router

Attached to port E0/1 is the Internet (Outside)

Attached to port E0/2 is a 2821

(I will be adding a 3745 for VOIP) port E0/3 but it hasn't arrived yet.

I want to allow traffic between the 2811 and the 2821 routers so that devices on the networks behind them can talk to each other.

I have specified specific subnets between the ASA and the Routers because I want to learn how to shape traffic behind the routers as well as on the ASA. So behind the routers I have different VLANS, but I am not restricting access between them, yet, at least I don't think I am. But as it is, devices behind the 2821 can't access the DNS / DOMAIN SERVER which is behind the 2811. Right now I am having the routers supply DHCP, which is working. Currently devices behind the 2821 router - 3560 switch cannot access the domain server, primary dns server.

How do I set up the ASA to allow traffic to flow between the two routers and their VLANS?

Here are the configs of each of the devices and I have also included my switch configs, in case something needs to be set on them. I have only redacted the passwords and parts of the external IPs. I appreciate the help in what statements to create and on which devices.

I think it is best I put links to the text files here.

Thank you!

Accepted Solutions
Beginner

Re: Allow Specific Access Across Interfaces ASA 5510

You should delete the following statements on both routers:
- # ip nat inside source ... overload
- for each interface # ip nat inside/outside, if they have it configured.

Remove from RIP advertisements the networks which are not directly connected:
- 2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
- 2811: 199.195.xxx.0
- ASA: 128.0.0.0

No routes should be added to the routers, since there is the default one, directing to ASA.

Verify routing tables on the routers and ASA.

On ASA:

- remove:
# object-group network PAT-SOURCE
# nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

- create objects of the networks behind the LAN router and enable dynamic NAT:
# object network
   subnet
   nat (Inside,Outside) dynamic interface

- review the remaining NAT rules.

- configure/adjust ingress access lists on the interfaces. Don't forget to permit rip on the LAN and DMZ interfaces.

- disable rip on the Outside interface.

Mentor

Allow Specific Access Across Interfaces ASA 5510

Hi,

I don't know if there is really a need to make the NAT rules any more complex by creating a configuration for each interface separately as a Section 2 Auto NAT. Not that this environment will probably have that many NAT configurations in the future to make it too complex, but I prefer doing the Dynamic PAT with one command instead of configuring multiple "nat" configurations.

You could change the above Dynamic PAT configuration, which I probably originally suggested before you had added devices to the network, to the following

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

You can use the PAT-SOURCE "object-group" then to tell all the networks which require PAT translation to the external network. (by adding statements under it for the networks required)

- Jouni

Beginner

Re: Allow Specific Access Across Interfaces ASA 5510

Remove them.

From where do you want to grant the access?

Since the sec level of the DMZ and Inside is the same, and same security inter interface traffic is permitted, hosts from behind these interfaces must have access to each other.

In order for networks behind the LAN router to have access to the internet, add them to the PAT-SOURCE.

For sec reasons, the sec level of the DMZ interface should be lower than the Inside and higher than the Outside. In this case an access-list should be applied to the DMZ to permit certain traffic to the networks behind the Inside and Outside.

Beginner

Re: Allow Specific Access Across Interfaces ASA 5510

object network CAM
 host 192.168.1.5
 nat (Inside,Outside) static interface service tcp 8080 80
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object CAM eq 8080

Beginner

Re: Allow Specific Access Across Interfaces ASA 5510

You got it correctly, except for the port mapping.

You should read the nat rule as follows:

nat (real_ifc,mapped_ifc) static interface service {tcp | udp} real_port mapped_port

that is:

real_ifc = Inside
mapped_ifc = Outside
real_port = 8080 (behind real_ifc)
mapped_port = 80 (behind mapped_ifc)

You connect to the Outside interface IP address on port 80 and get to the CAM behind the Inside on port 8080.

In the Outside access list you indicate the real IP and real port, since the access list is applied after NAT.
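
The order this answer describes (destination un-translated first, access list then checked against the real address and port), modelled as an added example that is not part of the original post or of any Cisco code. `OUTSIDE_IP` and `REMOTE` are constructed documentation addresses standing in for the redacted ones, and all function names are hypothetical.

```python
# Simplified model of inbound handling on the Outside interface (ASA 8.3+ order):
# 1) un-translate the destination using static PAT, 2) check the ACL on real values.

OUTSIDE_IP = "203.0.113.1"   # constructed stand-in for the Outside interface address
REMOTE = "198.51.100.10"     # constructed stand-in for the redacted 98.22.xxx.xxx host
CAM = "192.168.1.5"          # object CAM from the thread

# (real_ifc, mapped_ifc, real_ip, proto, real_port, mapped_port)
# i.e. nat (Inside,Outside) static interface service tcp 8080 80
STATIC_PAT = [("Inside", "Outside", CAM, "tcp", 8080, 80)]

# ACL written against the real host and real port, as the answer recommends.
ACL_REAL = [("permit", "tcp", REMOTE, CAM, 8080)]
# ACL written against the mapped address and port: never matches after un-NAT.
ACL_MAPPED = [("permit", "tcp", REMOTE, OUTSIDE_IP, 80)]


def untranslate(proto, dst_ip, dst_port):
    """Map an Outside-facing destination back to the real host, or None."""
    for real_ifc, mapped_ifc, real_ip, p, real_port, mapped_port in STATIC_PAT:
        if (mapped_ifc == "Outside" and dst_ip == OUTSIDE_IP
                and (p, mapped_port) == (proto, dst_port)):
            return real_ifc, real_ip, real_port
    return None


def acl_permits(acl, proto, src, dst, dport):
    """First match over host entries; implicit deny when nothing matches."""
    for action, *match in acl:
        if match == [proto, src, dst, dport]:
            return action == "permit"
    return False


def inbound(acl, proto, src, dst_ip, dst_port):
    """Return (verdict, detail) for a new connection arriving on Outside."""
    hit = untranslate(proto, dst_ip, dst_port)
    if hit is None:
        return ("drop", "no static NAT match")
    real_ifc, real_ip, real_port = hit
    if not acl_permits(acl, proto, src, real_ip, real_port):
        return ("drop", f"ACL deny for {real_ip}:{real_port}")
    return ("forward", f"{real_ifc} {real_ip}:{real_port}")


if __name__ == "__main__":
    print(inbound(ACL_REAL, "tcp", REMOTE, OUTSIDE_IP, 80))
    print(inbound(ACL_MAPPED, "tcp", REMOTE, OUTSIDE_IP, 80))
    print(inbound(ACL_REAL, "tcp", REMOTE, OUTSIDE_IP, 8080))
```
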

25 Replies
Advisor

Allow Specific Access Across Interfaces ASA 5510

You'll need to add same-security-traffic permit inter-interface in the ASA. You'll also want to create ACLs for each interface and apply them for filtering.
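
The interface policy described in this reply and in the accepted answer on security levels, modelled as an added example (not code from the thread or from Cisco). It covers new connections only; the DMZ level of 50, the host 128.162.1.10, the Internet address 203.0.113.9 and all function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Security levels as posted in the thread, and a tiered variant (DMZ=50 is assumed).
LEVELS_POSTED = {"Inside": 100, "DMZ": 100, "Outside": 0}
LEVELS_TIERED = {"Inside": 100, "DMZ": 50, "Outside": 0}

# ACL that would be bound inbound on DMZ: only the DC at 192.168.1.2 is reachable.
DMZ_ACL = [("permit", "128.162.1.0/24", "192.168.1.2/32")]


def acl_permits(acl, src, dst):
    """First match over (action, src_net, dst_net); implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)):
            return action == "permit"
    return False


def allowed(levels, in_ifc, out_ifc, src, dst, bound_acls=None, same_security=True):
    """Decide whether a new connection entering in_ifc may leave via out_ifc."""
    if levels[in_ifc] == levels[out_ifc] and not same_security:
        # Equal levels need "same-security-traffic permit inter-interface".
        return False
    acl = (bound_acls or {}).get(in_ifc)
    if acl is not None:
        # An ACL bound with access-group replaces the level-based default.
        return acl_permits(acl, src, dst)
    # No ACL bound: traffic may only flow toward an equal or lower level.
    return levels[in_ifc] >= levels[out_ifc]


if __name__ == "__main__":
    host, dc = "128.162.1.10", "192.168.1.2"
    bound = {"DMZ": DMZ_ACL}
    print("posted levels, no ACL :", allowed(LEVELS_POSTED, "DMZ", "Inside", host, dc))
    print("tiered levels, no ACL :", allowed(LEVELS_TIERED, "DMZ", "Inside", host, dc))
    print("tiered levels, ACL    :", allowed(LEVELS_TIERED, "DMZ", "Inside", host, dc, bound))
    print("tiered, ACL, Internet :", allowed(LEVELS_TIERED, "DMZ", "Outside", host, "203.0.113.9", bound))
```

The last case shows why the ACL bound to the DMZ has to list permitted destinations behind both Inside and Outside: once it is bound, its implicit deny also covers traffic toward the lower-level interface.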

Re: Allow Specific Access Across Interfaces ASA 5510

Ah, I didn't know of that command. Can you give me an example? Say to allow devices on and behind the 2821 access to the domain server behind the 2811 at IP address 192.168.1.2?

I am still very unsure how the access lists work and would like to see one set up properly so I can see one in my environment.

Thanks!

Allow Specific Access Across Interfaces ASA 5510

Would anyone be able to give me some examples of how to set up the access-lists so that devices behind the 2821 can access the domain server behind the 2811 at address 192.168.1.2?

I would appreciate it. I am still trying to learn the access lists and the way I am trying to set up my network, I know I would also need to allow the traffic on the ASA but also set up routes on the 2821 and 2811 as well, correct?

Thanks, I appreciate the help. I am trying to learn this as fast as I can but it helps to see a working statement for my environment so I know how traffic flows.

Advisor

Allow Specific Access Across Interfaces ASA 5510

A diagram would help.

If you wanted vlan 10 access through the ASA

access-list dmz-access extended permit ip 168.162.10.0 255.255.255.0 any

or to filter more granularly

access-list dmz-access extended permit tcp host 192.162.1.100 host 10.10.1.1 eq 445


Allow Specific Access Across Interfaces ASA 5510

I am looking to access the DC from the 128.162.1.0/24 which is behind the 2821. The DC is 192.168.1.2 and it is behind the 2811.

Network.jpg

Advisor

Allow Specific Access Across Interfaces ASA 5510

Thanks for the diagram.

access-list dmz-access remark Permit all traffic to NAS
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.10
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq 53
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Does this help?

Allow Specific Access Across Interfaces ASA 5510

I entered all those commands and yet I still cannot access the DC or DNS. None of the clients behind the 2821 (128.162.1.0/24) are able to resolve DNS nor ping the DC that the access lists were supposed to have allowed. Am I supposed to put these commands on the ASA or the 2811 router?

Thanks.

Beginner

Allow Specific Access Across Interfaces ASA 5510

Should I restructure this network? Since I can't seem to get traffic to pass across ports, I am not sure if these devices will support that or not. I was told I should just put everything behind the ASA and then let the routers route and let the ASA be just a firewall. Separating all my traffic by VLANS.

My thinking was this would be better off this way but I guess not, I can't seem to get any traffic from the DMZ to the Inside network.

Beginner

Allow Specific Access Across Interfaces ASA 5510

Both routers' interfaces looking to ASA have PAT configured. Because of this hosts behind one router will not reach any host behind the other one.

I think that there is no need to PAT traffic on the routers. Traffic between networks behind the routers should be simply routed by routers and ASA.

You only need to PAT traffic leaving the ASA outward the Internet.

Beginner

Allow Specific Access Across Interfaces ASA 5510

I would correct myself. As I said you do not need to PAT traffic leaving both routers, but only traffic arriving to the LAN interface and leaving the ASA should be translated. Addresses from behind the DMZ interface should not be translated when leaving the ASA.

Generally speaking, you have a NAT issue.

Beginner

Allow Specific Access Across Interfaces ASA 5510

OK, so I have to remove the PAT statements and setup static routes for each of the routers behind the ASA? Can you give me an example so I can get an idea of how that works, if you would. I would appreciate it. Boy is this tough when you're first trying to get a handle on it!

Thanks again for the help.

Mitch

Re: Allow Specific Access Across Interfaces ASA 5510

OK, so I don't remove the statements from the PAT-SOURCE group per MAXIM's suggestions. I did add the statement from Jouni:

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

Now, if I want to get access between the interfaces, I have to specify access lists for them?

Or just add the networks to the PAT-SOURCE Object-Group.

ASA5510# sh run
: Saved
:
ASA Version 9.1(4)
!
hostname ASA5510
domain-name maladomini.int
enable password liqChangedfzvir2g encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd liqhNWIChAnged2g encrypted
names
dns-guard
!
interface Ethernet0/0
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.10.1.1 255.255.255.252
!
interface Ethernet0/1
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 199.195.168.123 255.255.255.240
!
interface Ethernet0/2
 description DMZ
 nameif DMZ
 security-level 100
 ip address 10.10.0.1 255.255.255.252
!
interface Ethernet0/3
 description VOIP
 nameif VOIP
 security-level 100
 ip address 10.10.2.1 255.255.255.252
!
interface Management0/0
 management-only
 shutdown
 nameif management
 security-level 0
 no ip address
!
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 199.195.168.4
 name-server 205.171.2.65
 name-server 205.171.3.65
 domain-name maladomini.int
same-security-traffic permit inter-interface
object network ROUTER-2811
 host 10.10.1.2
object network ROUTER-2821
 host 10.10.0.2
object network WEBCAM-01
 host 192.168.1.5
object network DNS-SERVER
 host 192.168.1.2
object network ROUTER-3745
 host 10.10.2.2
object-group network PAT-SOURCE
 network-object 10.10.1.0 255.255.255.252
 network-object 10.10.0.0 255.255.255.252
 network-object 10.10.2.0 255.255.255.252
object-group network DM_INLINE_NETWORK_2
 network-object host 98.22.xxx.xxx
object-group network Outside_access_in
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
mtu DMZ 1500
mtu VOIP 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network ROUTER-2811
 nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
 nat (DMZ,Outside) static interface service tcp ssh 2222
object network ROUTER-3745
 nat (VOIP,Outside) static interface service tcp ssh 2223
!
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
nat (DMZ,Outside) after-auto source dynamic PAT-SOURCE interface
nat (VOIP,Outside) after-auto source dynamic PAT-SOURCE interface
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
access-group Outside_access_in in interface Outside
!
router rip
 network 10.0.0.0
 version 2
 no auto-summary
!
route Outside 0.0.0.0 0.0.0.0 199.195.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 98.22.xxx.xxx 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.xxx.xxx 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username redacted password vj4PChaNgEDB.Ksz encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:d41cdcd98f00b204e9800998ecf8427e
: end




Re: Allow Specific Access Across Interfaces ASA 5510

I made these changes. Can I remove the items struck out below?

ASA5510# sh run nat
!
object network ROUTER-2811
 nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
 nat (DMZ,Outside) static interface service tcp ssh 2222
object network ROUTER-3745
 nat (VOIP,Outside) static interface service tcp ssh 2223
!
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
nat (DMZ,Outside) after-auto source dynamic PAT-SOURCE interface
nat (VOIP,Outside) after-auto source dynamic PAT-SOURCE interface
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

How do I grant access to resources behind the routers in the PAT-SOURCE? For example, if I have a webpage at 192.168.1.5 running on port 8080.

Thanks!