Beginner

Re: Allow Specific Access Across Interfaces ASA 5510

Remove them.

Where from do you want to grant the access?

Since the sec level of the DMZ and Inside is the same, and same-security inter-interface traffic is permitted, hosts from behind these interfaces must have access to each other.

In order for networks behind the LAN router to have access to the internet, add them to the PAT-SOURCE.

For sec reasons, the sec level of the DMZ interface should be lower than the Inside and higher than the Outside. In this case an access-list should be applied to the DMZ to permit certain traffic to the networks behind the Inside and Outside.

Re: Allow Specific Access Across Interfaces ASA 5510

Maxim Mogorean wrote:

Remove them.

Where from do you want to grant the access?

Since the sec level of the DMZ and Inside is the same, and same-security inter-interface traffic is permitted, hosts from behind these interfaces must have access to each other.

In order for networks behind the LAN router to have access to the internet, add them to the PAT-SOURCE.

For sec reasons, the sec level of the DMZ interface should be lower than the Inside and higher than the Outside. In this case an access-list should be applied to the DMZ to permit certain traffic to the networks behind the Inside and Outside.

I want to grant access to security cameras on some of the different networks from a specific outside source (remote location).

Basically I want to allow http (www) access from 98.22.xxx.xxx to an IP address behind the 2811 at IP address 192.168.1.5 port 8080.

Here is my updated NAT:

ASA5510# sh run nat

!

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

object network ROUTER-3745

nat (VOIP,Outside) static interface service tcp ssh 2223

!

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

Access-Lists:

ASA5510# sh run access-list

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https

access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any

access-list dmz-access remark Permit all traffic to DC1

access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2

access-list dmz-access remark Permit only DNS traffic to DNS server

access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain

access-list dmz-access remark Permit ICMP to all devices in DC

access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Beginner

Re: Allow Specific Access Across Interfaces ASA 5510

object network CAM

host 192.168.1.5

nat (Inside,Outside) static interface service tcp 8080 80

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object CAM eq 8080

Re: Allow Specific Access Across Interfaces ASA 5510

Awesome, thank you. Just to make sure I am reading it correctly.

I created a Network Object called CAM.

I assigned the Object's host as 192.168.1.5.

I then created a NAT specifying that the host can be accessed statically on TCP port 8080 which is translated to port 80.

Then I created an entry in my Outside_access_in access-list permitting my external IP to access the Object called CAM via port 8080.

So when I try and connect to it from my remote location I type http://123.456.789.10:8080 and that will route me to 192.168.1.5 on port 80?

Just want to make sure I have the flow correctly. I think I have it, unless I am reading the nat backwards.

Thanks!

Maxim Mogorean wrote:

object network CAM

host 192.168.1.5

nat (Inside,Outside) static interface service tcp 8080 80

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object CAM eq 8080

Beginner

Re: Allow Specific Access Across Interfaces ASA 5510

You got it correctly, except port mapping.

You should read the nat rule by the following:

nat (real_ifc,mapped_ifc) static interface service {tcp | udp} real_port mapped_port

that is:

real_ifc = Inside

mapped_ifc = Outside

real_port = 8080 (behind real_ifc)

mapped_port = 80 (behind mapped_ifc)

You connect to the Outside interface IP address port 80 and get to the CAM behind the Inside port 8080.

In the Outside access list you indicate the real IP and real port, since the access list is applied after NAT.
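The reading order above (real_ifc, mapped_ifc, real_port, mapped_port) is easy to get backwards, as this thread shows. The following is an added example, not code from the thread or from Cisco: a small Python parser for the `nat ... static interface service` form that states which external port a rule publishes, checks a rule against the intended mapping, and derives the matching inbound ACL entry using the real port, as Maxim describes. The service-keyword table and the helper names are assumptions made for the example; the two rule strings are the ones that appear in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the service keywords the ASA accepts in place of a port number
# (constructed for this example; it covers the keywords used in the thread).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}

# nat (real_ifc,mapped_ifc) static interface service {tcp | udp} real_port mapped_port
NAT_RE = re.compile(
    r"^nat \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) static interface "
    r"service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+)$"
)


def port_number(token: str) -> int:
    """Resolve a numeric port or a service keyword to a port number."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service keyword {token!r}")


@dataclass(frozen=True)
class StaticPat:
    real_ifc: str
    mapped_ifc: str
    proto: str
    real_port: int    # port the real host listens on, behind real_ifc
    mapped_port: int  # port exposed on the mapped interface address

    def describe(self, real_host: str) -> str:
        """Plain-English reading of the rule in the direction a client sees it."""
        return (f"{self.proto} to the {self.mapped_ifc} interface address port {self.mapped_port} "
                f"is translated to {real_host}:{self.real_port} on {self.real_ifc}")

    def exposes(self, external_port: int, internal_port: int) -> bool:
        """True if the rule publishes internal_port as external_port."""
        return self.mapped_port == external_port and self.real_port == internal_port

    def acl_line(self, acl: str, src_host: str, obj: str) -> str:
        """Inbound ACL entry for this rule. The ACL on the mapped interface is evaluated
        against the real (untranslated) destination, so it names the object and the
        real port, not the mapped port."""
        return (f"access-list {acl} extended permit {self.proto} host {src_host} "
                f"object {obj} eq {self.real_port}")


def parse_static_pat(line: str) -> Optional[StaticPat]:
    """Parse one 'nat ... static interface service' line; None for any other nat form."""
    m = NAT_RE.match(line.strip())
    if not m:
        return None
    return StaticPat(m["real_ifc"], m["mapped_ifc"], m["proto"],
                     port_number(m["real_port"]), port_number(m["mapped_port"]))


# The two rules from the thread: the first was proposed, the second is the one that
# publishes port 80 on the camera as port 8080 on the Outside address.
FIRST_RULE = "nat (Inside,Outside) static interface service tcp 8080 80"
SECOND_RULE = "nat (Inside,Outside) static interface service tcp www 8080"

if __name__ == "__main__":
    for rule in (FIRST_RULE, SECOND_RULE):
        pat = parse_static_pat(rule)
        print(rule)
        print("  ", pat.describe("192.168.1.5"))
        print("   publishes camera :80 as :8080 ->", pat.exposes(8080, 80))
        print("  ", pat.acl_line("Outside_access_in", "98.22.xxx.xxx", "WEBCAM-01"))
```

Running it prints that the first rule publishes 8080 on the camera as 80 on the Outside address, which is the reverse of what was wanted, while the second rule publishes 80 as 8080; the ACL line it derives for the second rule uses `eq 80`, the numeric form of the `eq www` entry the thread ends up with.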

Re: Allow Specific Access Across Interfaces ASA 5510

Hmm OK, I needed to enter on port 8080 and end on the camera on port 80. This is because the ASDM interface is set up to allow HTTP connections from work, so if I enter my public IP I will get the ASDM instead of the translated CAM port.

Re: Allow Specific Access Across Interfaces ASA 5510

Maxim,

Can I get one more clarification on the statement I should add.

The internal device is on 192.168.1.5 and is listening on port 80. I need to come into the ASA on port 8080 and then get natted to 192.168.1.5 on port 80.

(INTERNET's Origination IP 98.22.xxx.xxx:8080) ------ (External IP 199.195.xxx.xxx) --ASA--- (Internal IP 10.10.1.1) ----- (External IP 10.10.1.2) ---2811--- (Internal IP VLAN 1 - Gateway 192.168.1.1) ---- (Device 192.168.1.5:80)

That is how the flow works right now.

SH RUN NAT:

ASA5510# sh run nat

!

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

object network WEBCAM-01

nat (Inside,Outside) static interface service tcp www 8080

object network ROUTER-3745

nat (VOIP,Outside) static interface service tcp ssh 2223

!

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

SH RUN ACCESS-LISTS:

ASA5510# sh run access-list

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object ROUTER-2821 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx interface Outside eq https

access-list Outside_access_in extended permit tcp host 98.22.xxx.xxx object WEBCAM-01 eq www

access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any

access-list dmz-access remark Permit all traffic to DC1

access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2

access-list dmz-access remark Permit only DNS traffic to DNS server

access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain

access-list dmz-access remark Permit ICMP to all devices in DC

access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Thanks!

Message was edited by: Mitchell Tuckness

Re: Allow Specific Access Across Interfaces ASA 5510

Oh and when I look at the ASDM transaction logs I see this:

Severity 6 | Jan 27 2014 09:36:49 | src 98.22.xxx.xxx/12768 | dst 192.168.1.5/80 | Routing failed to locate next hop for TCP from Outside:98.22.xxx.xxx/12768 to Inside:192.168.1.5/80

Severity 6 | Jan 27 2014 09:36:49 | src 98.22.xxx.xxx/12768 | dst 192.168.1.5/80 | Built inbound TCP connection 1001389 for Outside:98.22.xxx.xxx/12768 (98.22.xxx.xxx/12768) to Inside:192.168.1.5/80 (199.195.xxx.xxx/8080)
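The two log lines above carry the whole diagnosis: the "Built inbound" message shows the translation worked (199.195.xxx.xxx/8080 became 192.168.1.5/80 on Inside), and the "Routing failed to locate next hop" message shows the ASA then had no route for 192.168.1.5 via the Inside interface. As an added example that is not part of the thread, the Python below parses both message formats and checks each routing failure against a routing table; the sample messages and both routing tables are constructed for the example (public addresses replaced with RFC 5737 documentation addresses), and the function names are assumptions.

```python
import ipaddress
import re

# Constructed samples of the two ASDM log messages quoted in the thread, with the
# masked public addresses replaced by RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "Built inbound TCP connection 1001389 for Outside:198.51.100.10/12768 "
    "(198.51.100.10/12768) to Inside:192.168.1.5/80 (203.0.113.5/8080)",
    "Routing failed to locate next hop for TCP from Outside:198.51.100.10/12768 "
    "to Inside:192.168.1.5/80",
]

# Constructed routing tables as (prefix, egress interface) pairs, standing in for
# "show route" output: first without, then with a route to the LAN behind the router.
ROUTES_BEFORE = [("0.0.0.0/0", "Outside"), ("10.10.1.0/24", "Inside")]
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.1.0/24", "Inside")]

BUILT_RE = re.compile(
    r"Built inbound (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"(?P<src_ifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<src_m>[\d.]+)/(?P<sport_m>\d+)\) to "
    r"(?P<dst_ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<dst_m>[\d.]+)/(?P<dport_m>\d+)\)"
)
ROUTE_FAIL_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\w+) from "
    r"(?P<src_ifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_built(msg):
    """Extract the mapped and real destination from a 'Built inbound' message.

    The address in parentheses after the destination host is the mapped (outside)
    address, so this confirms which external port the NAT rule actually exposed."""
    m = BUILT_RE.search(msg)
    if not m:
        return None
    return {
        "mapped": (m["dst_m"], int(m["dport_m"])),
        "real": (m["dst"], int(m["dport"])),
        "real_ifc": m["dst_ifc"],
    }


def route_exists(routes, ifc, addr):
    """True if some prefix covering addr is reachable via the given interface.

    A default route out Outside does not help a packet the NAT rule has already
    committed to the Inside interface, so the interface must match too."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) and i == ifc for p, i in routes)


def missing_routes(messages, routes):
    """For every 'Routing failed' message, report the (interface, destination) pairs
    that the supplied routing table cannot reach via that interface."""
    missing = []
    for msg in messages:
        m = ROUTE_FAIL_RE.search(msg)
        if m and not route_exists(routes, m["dst_ifc"], m["dst"]):
            missing.append((m["dst_ifc"], m["dst"]))
    return missing


if __name__ == "__main__":
    built = parse_built(SAMPLE_LOG[0])
    print("translation observed:", built["mapped"], "->", built["real"])
    print("unroutable before:", missing_routes(SAMPLE_LOG, ROUTES_BEFORE))
    print("unroutable after :", missing_routes(SAMPLE_LOG, ROUTES_AFTER))
```

With the first table the check reports 192.168.1.5 as unreachable via Inside, matching the log; once a 192.168.1.0/24 route via Inside is present the report is empty. On the ASA in the thread that route would point at the router's 10.10.1.2 address shown in the flow diagram, which is what the `show route` check in the next reply is meant to confirm.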
Beginner

Re: Allow Specific Access Across Interfaces ASA 5510

Hi,

Correct

It seems that the ASA doesn't have a route to the network 192.168.1.0.

Is this route present in the ASA routing table? # show route

Mentor

Allow Specific Access Across Interfaces ASA 5510

Hi,

I don't know if there is really a need to make the NAT rules any more complex by creating a configuration for each interface separately as a Section 2 Auto NAT. Not that this environment will probably have that many NAT configurations in the future to make it too complex, but I prefer doing the Dynamic PAT with one command instead of configuring multiple "nat" configurations.

You could change the above Dynamic PAT configuration, which I probably originally suggested before you had added devices to the network, to the following:

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

You can use the PAT-SOURCE "object-group" then to tell all the networks which require PAT translation to the external network. (by adding statements under it for the networks required)

- Jouni

Beginner

Allow Specific Access Across Interfaces ASA 5510

Yes Jouni, you are right!

No need to delete # object-group network PAT-SOURCE or # nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface, or to create an object for each network. Just add the networks behind the LAN router to the PAT-SOURCE.