Cisco ASA 8.2.5 - DMZ to Inside Access

Private (Level 1)

Here is a scenario I'd like to know about:

A Cisco ASA running 8.2.5 with 3 interfaces: Outside (security level 0): Internet IP / DMZ (security level 2): 192.168.8.0/24 / Inside (security level 100): 192.168.1.0/24

An ACL on the DMZ which looks like this:

access-list DMZ_IN extended permit ip 192.168.8.0 255.255.255.0 any

access-list DMZ_IN extended deny ip any any

access-group DMZ_IN in interface DMZ

global (outside) 1 interface

nat (DMZ) 1 192.168.8.0 255.255.255.0

NAT control is not enabled (the default).

There is no nat exemption, static identity nat or any nat of any kind set up between the Inside and DMZ.

The question is:  Will the DMZ network be able to initiate connections to the Inside network or will only outside (internet) access be permitted?

A) No, inside access will not be permitted, only Internet access will be permitted, because there is no NAT exemption or static identity NAT between the lower security level interface (DMZ) and the higher security level interface (Inside), regardless of the DMZ ACL rule with a destination of ANY.

B) Yes, access to the Internet and the Inside can be initiated because NAT control is disabled and there is an ACL that permits DMZ traffic to 'ANY' destination.

I've been searching the Internet and seen some pretty confusing answers about whether NAT control only applies to higher-to-lower traffic or if it also includes lower-to-higher traffic. All of the examples of DMZ to inside traffic I have seen (and there are a lot of them) always include the static identity NAT from inside to DMZ. If the NAT is required between inside and DMZ to permit the traffic in this scenario, could someone please point out the exact Cisco documentation that points out this requirement? If NAT control (or lack thereof) also affects lower-to-higher traffic flows, could someone point that out? Thanks.

10 Replies

Jennifer Halim (Cisco Employee)

Based on the above configuration, maybe there is a typo, do you mean "nat (DMZ) 1 192.168.8.0 255.255.255.0"?

If yes, then DMZ network is only able to initiate connection to the outside/internet.

DMZ network won't be able to initiate connection to the inside network until you configure static NAT to itself or NAT exemption as follows:

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

(assuming there is another typo and the inside network meant to say 192.168.1.0/24)

So the answer is (A).

The command "no nat-control" becomes re-enabled once you have a NAT command configured; in your case, since you have "nat (DMZ) 1 192.168.8.0 255.255.255.0" configured, it re-enables the "nat-control" statement.

The "no nat-control" is only useful when you have no NAT command on that particular interface.

Hope that answers your question.
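The full 8.2.5 configuration that the reply above describes, as an added example that is not part of the original thread: the poster's outbound PAT, the identity static (or, alternatively, the NAT exemption) that lower-to-higher traffic needs on 8.2, and a DMZ ACL that no longer relies on "any" once the inside network becomes reachable. The host addresses 192.168.8.10 and 192.168.1.10 and the port 1433 are assumptions for illustration.

```cisco
! Added example (not the thread's own config). ASA 8.2.5, interfaces and
! subnets as in the question: DMZ 192.168.8.0/24 (sec 2), Inside 192.168.1.0/24 (sec 100).
! 192.168.8.10 (DMZ web host) and 192.168.1.10 (inside DB host) are assumed addresses.

! --- NAT ---
! Outbound PAT for the DMZ, as in the question. Because a nat/global pair now
! exists for the DMZ interface, DMZ real addresses cannot leave on other
! interfaces unless a translation or exemption covers them (see the 8.2
! command reference quoted later in the thread).
global (outside) 1 interface
nat (DMZ) 1 192.168.8.0 255.255.255.0

! Identity static for the inside network as seen from the DMZ. Without this
! (or the exemption below) DMZ-initiated connections to 192.168.1.0/24 are
! dropped on 8.2 even though DMZ_IN permits them.
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Alternative to the static: NAT exemption. nat 0 access-list is bidirectional,
! so a single rule covers inside->DMZ and DMZ->inside.
! access-list INSIDE_DMZ_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
! nat (inside) 0 access-list INSIDE_DMZ_NONAT

! --- ACL on the DMZ ---
! Once the identity NAT exists, "any" in the DMZ ACL includes the inside
! network. Permit only the specific inside service the DMZ host needs, then
! deny the rest of the inside network before the broad permit to the Internet.
access-list DMZ_IN extended permit tcp host 192.168.8.10 host 192.168.1.10 eq 1433
access-list DMZ_IN extended deny ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 192.168.8.0 255.255.255.0 any
access-list DMZ_IN extended deny ip any any
access-group DMZ_IN in interface DMZ

! --- Check ---
! Trace a DMZ->inside flow; on 8.2 without the static or nat 0 the NAT phase
! reports a drop even when the ACL phase allows the packet.
! packet-tracer input DMZ tcp 192.168.8.10 12345 192.168.1.10 1433
! packet-tracer input DMZ tcp 192.168.8.10 12345 192.168.1.10 22
```

The second packet-tracer call should be denied by the explicit deny line, which is the quickest way to confirm that the broad permit to "any" is no longer granting inside access.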

Those were indeed typos so thanks for seeing through those. So no DMZ to Inside access without having both the static inside/DMZ NAT and the ACL rule. Does the same hold true for 8.3 and above? I've seen in a number of places where it has been mentioned that in 8.3 and above, static NAT between a lower security interface and a higher security interface is not required to permit the access, only the ACL rule on the lower security interface is necessary. Is this true?

Also, can you point to any specific Cisco documentation for 8.2 that outlines that even with no NAT control, access from a lower security interface to a higher security interface requires both the ACL rule AND the static NAT?

Thanks for your help.

Yes, you are absolutely correct, a static inside/DMZ and an ACL rule are required for traffic from low security to high security, whether they are 8.2 or lower, or 8.3 or higher.

In 8.3 or higher, the "nat-control" command doesn't exist anymore.

here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1746857

(and the point that you are interested in is:

When NAT control is disabled with the no nat-control command, and a NAT and a global command pair are configured for an interface, the real IP addresses cannot go out on other interfaces unless you define those destinations with the nat 0 access-list command.)

Hi All

Just to update:

From High to Low: permitted by default.

From Low to High: you need an ACL in the inbound direction on the interface on which the traffic lands.

Till 8.2:

1) If nat-control is enabled you need NAT along with the ACL.

2) If nat-control is disabled you just need the ACL.

After 8.2:

You do not need NAT. You just need the ACL for allowing communication between different zones.

Please rate this


Sorry for resurrecting an old thread, but my question regards the last response. Am I reading correctly in it that for 8.3 and greater, for dmz to inside (lower to higher security) traffic, both with different, private addressing, an Identity NAT is NOT required to allow the DMZ (lower) to initiate inbound connection to the inside (higher), but only an ACL entry on the DMZ ACL which permits the traffic? If this is true, can someone please point to some exacting documentation that says lower to higher traffic is permitted so long as an ACL permits it? Thanks.

Hi,

I don't really know if there is documentation saying this specifically, but it's (the operation described above) a fact that I can guarantee.

As the previous posters have mentioned, there is no concept of "nat-control" anymore in the new software. If packet comes through the firewall and there is no NAT configured for it, it will simply go through the firewall without NAT.

You will only need an ACL to allow this traffic.

In the new software levels you should generally only configure NAT between internal and external interfaces. Naturally, depending on needs, you might use NAT between internal interfaces.

Please remember to rate an answer if you found it to be helpful.

- Jouni

"If packet comes through the firewall and there is no NAT configured for it, it will simply go through the firewall without NAT."

Thank you for the reply. So as long as an ACL permits it, traffic may pass from a lower security interface to a higher one? If true, that should be something boldly and explicitly pointed out in the documentation, especially given the struggles that many have had in the past (and perhaps currently) with trying to get DMZ (lower) to internal (higher) access.

Another thing, given a typical Internet/DMZ/Internal setup, does this mean now also that if a DMZ (lower) ACL has a rule that is using a destination of ANY, then both Internet (even lower) AND internal (higher) access is being granted by the rule, even absent any (inside,dmz) identity NAT (twice or object)? (In the past, the ACL plus the identity NAT was required to permit the DMZ (lower) to internal (higher) access.)

Again, if true, this is another thing that should boldly and explicitly be stated somewhere in the documentation, especially in the upgrade from pre-8.3 to post-8.3 documentation. I see a large number of configurations that have been done where a DMZ rule has been set up with a destination of ANY with the thought being that only access to Internet (even lower) destinations was being granted, not taking into account any identity NATs in place with the internal network (access to which would also be permitted via the ANY destination). Now (if I am understanding things), 'any' as a destination in a rule on a lower security interface ACL truly means 'any', without regard for security level or identity NAT.

If anyone reading this has 'official' Cisco documentation outlining this in exacting terms, it would be greatly appreciated.

You can find the information at http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/nat_overview.html

and it states

Note

NAT is not required. If you do not configure NAT for a given set of traffic, that traffic will not be translated, but will have all of the security policies applied as normal.

"If you do not configure NAT for a given set of traffic, that traffic will not be translated, but will have all of the security policies applied as normal."

I was aware of this, but when I read it, I understood it to mean that in the absence of NAT, traffic from lower to higher would NOT be permitted, as that is the default. Now as I understand it, that is not true; as long as an ACL on the lower security interface permits the traffic to the higher (or to a destination of ANY), then it will be permitted.

Again, thank you all for your replies

Hi,

With regards to the "security-level" values, they only really matter if you DON'T have ACLs configured. If an ACL is attached to an interface the "security-level" doesn't really have any meaning for access control. I generally always configure ACLs on interfaces even if it's to allow all traffic from the LAN networks.

NAT is something that shouldn't be the deciding factor either in controlling traffic between interfaces. So to make sure that no traffic is allowed between local networks but allow it to the Internet, this would be done by grouping the other local networks inside an object and then using that object in the ACL to first block all connections to those networks and then permitting everything in the next ACL rule. This would block traffic between local interfaces but allow outbound traffic to external networks.

- Jouni
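The 8.3+ version of the DMZ policy that the last two replies describe, as an added example that is not part of the original thread: the weak "permit any" ACL that now also reaches the inside network, beside the object-group form that denies the internal networks first. Object and host names, 192.168.1.10 and port 1433 are assumptions; the subnets are the ones from the question.

```cisco
! Added example (not the thread's own config). ASA 8.3 or later, same
! interfaces as the question. Object names and the inside host 192.168.1.10
! are assumed.

! --- NAT (outbound only) ---
! Object NAT for Internet access. No NAT of any kind is configured between
! DMZ and inside: on 8.3+ untranslated traffic is forwarded and only the
! ACL decides.
object network DMZ_NET
 subnet 192.168.8.0 255.255.255.0
 nat (DMZ,outside) dynamic interface

! --- WEAK: pre-8.3 habit carried over ---
! "any" is evaluated after NAT and without regard to security level, so this
! single line grants the DMZ both Internet AND 192.168.1.0/24.
! access-list DMZ_IN extended permit ip 192.168.8.0 255.255.255.0 any
! access-list DMZ_IN extended deny ip any any

! --- CORRECTED: name the internal networks and deny them before "any" ---
object-group network INTERNAL_NETS
 network-object 192.168.1.0 255.255.255.0
 ! add every other RFC1918 or management range that sits behind the ASA

! 1) the one inside service the DMZ host actually needs
access-list DMZ_IN extended permit tcp host 192.168.8.10 host 192.168.1.10 eq 1433
! 2) everything else internal is blocked explicitly
access-list DMZ_IN extended deny ip 192.168.8.0 255.255.255.0 object-group INTERNAL_NETS
! 3) what remains of "any" is the Internet
access-list DMZ_IN extended permit ip 192.168.8.0 255.255.255.0 any
access-list DMZ_IN extended deny ip any any
access-group DMZ_IN in interface DMZ

! --- Check ---
! Both traces pass the NAT phase on 8.3+; only the ACL phase differs.
! packet-tracer input DMZ tcp 192.168.8.10 12345 192.168.1.10 1433
! packet-tracer input DMZ tcp 192.168.8.10 12345 192.168.1.10 445
```

The order matters: a line that permits a specific inside service has to sit above the object-group deny, and the deny has to sit above the permit to "any". After an upgrade from 8.2, any DMZ ACL that ends in "permit ... any" and previously relied on the absence of an (inside,dmz) identity NAT to keep the inside unreachable should be rewritten this way.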
