08-27-2011 04:02 AM - edited 03-11-2019 02:17 PM
Hi,
I'm a bit confused about the new NAT functionality in Ver 8.4(2). I've gone through all the documentation as well as different blogs but am still not clear about various things.
One of these is NAT-CONTROL. I understand that this has now been removed. Does this mean that traffic traversing the ASA doesn't need any NAT'ing commands unless specifically required by the administrator? In other words, by default traffic is allowed through the firewall without any NAT'ing.
My Second Query
I have an ASA5520 running ver 8.4(2). For the inside interface, I've created 13 x sub-interfaces under Gi0/1. All have the same security level, i.e. 100. What I want to achieve is that:
The first point is not a problem; it's working. However, I'm struggling with the second point. On ver 8.2 it wasn't a problem: I used NAT 0 with an access-list permitting RFC1918 addresses as source and destination.
Could someone please help me by explaining and achieving the above?
Many thanks.
Syed
08-27-2011 08:42 AM
Hi,
There is no need for NAT in 8.3 for traffic between different interfaces, so you just need to allow traffic flow from the lower security to the higher security interface through ACLs. Have a look at this:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60212
The nat-control command is deprecated. To maintain the requirement that all traffic from a higher security interface to a lower security interface be translated, a NAT rule will be inserted at the end of section 2 for each interface to disallow any remaining traffic. The nat-control command was used for NAT configurations defined with earlier versions of the adaptive security appliance. The best practice is to use access rules for access control instead of relying on the absence of a NAT rule to prevent traffic through the adaptive security appliance.
Now coming to the next question:
For the inter-subinterface traffic you need to add this command:
same-security-traffic permit inter-interface
Hope this helps you.
Thanks,
Varun
08-29-2011 07:31 AM
Hi Varun,
First of all, thanks for the prompt response and sorry for my delayed reply. Actually it's a long weekend in the UK.
Also thanks for the explanation, and honestly that's what I thought. But somehow my configuration is not giving me the desired result. Traffic from the higher security interfaces to the lower security interface, i.e. the Outside interface, is working fine. However, traffic between sub-interfaces on the same security level is not working even though I opened everything between some of these interfaces.
I'm pasting here an extract from the config file. Could you please let me know if this sounds okay to you or if you can spot any misconfiguration?
Many thanks.
Syed
Start of config file
ASA Version 8.4(2)
!
names
name 10.0.0.0 NET-10.0.0.0-RFC1918
name 172.16.0.0 NET-172.16-RFC1918
name 192.168.0.0 NET-192.168-RFC1918
name 10.37.40.0 NET-BMS-DATA
name 10.37.39.0 NET-CCURE-ACCESSDATA-OFFICE
name 10.37.48.0 NET-LIGHTING-SRV
name 10.37.43.0 NET-METERING-DATA
name 10.37.35.0 NET-SHOPALT-VOICE
name 10.37.35.128 NET-VACINITEE-THINCLIENT
name 10.37.34.0 NET-VOICE-IPT
name 10.37.44.0 NET-WIFI-AP-MANAGEMENT
name 172.25.24.0 NET-WIFI-GUESTS
name 10.37.32.0 NET-MANAGE
name 10.37.45.192 NET-IPTV-CLIENTS3
!
interface GigabitEthernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address 195.62.201.195 255.255.255.240
!
interface GigabitEthernet0/1
description "TRUNKED UPLINK - NO POLICIES"
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.19
vlan 19
nameif IPT-TRANSIT
security-level 100
ip address 10.37.34.249 255.255.255.248
!
interface GigabitEthernet0/1.29
description SHOPALT-VOICE-TRANS
vlan 29
nameif SHOPALT-VOICE-TRANS
security-level 100
ip address 10.37.35.249 255.255.255.248
!
interface GigabitEthernet0/1.39
description VACINITEE-FWSM-TRANS
vlan 39
nameif VACINITEE-FWSM-TRANS
security-level 100
ip address 10.37.35.241 255.255.255.248
!
interface GigabitEthernet0/1.99
description NETWORK MANAGEMENT TRANSIT
vlan 99
nameif NETWORK-MANAGE
security-level 100
ip address 10.37.32.254 255.255.255.0
!
interface GigabitEthernet0/1.109
description CCTV-FWSM-TRANS-OFFICE
vlan 109
nameif CCTV-FWSM-TRANS-OFFICE
security-level 100
ip address 10.37.38.249 255.255.255.248
!
interface GigabitEthernet0/1.129
description CCURE-FWSM-TRANS-OFFICE
vlan 129
nameif CCURE-FWSM-TRANS-OFFICE
security-level 100
ip address 10.37.39.249 255.255.255.248
!
interface GigabitEthernet0/1.139
description LIGHTING-FWSM-TRANS
vlan 139
nameif LIGHTING-FWSM-TRANS
security-level 100
ip address 10.37.48.249 255.255.255.248
!
interface GigabitEthernet0/1.179
description MANSUITE-FWSM-TRANS
vlan 179
nameif MANSUITE-FWSM-TRANS
security-level 100
ip address 10.37.33.249 255.255.255.248
!
interface GigabitEthernet0/1.209
description BMS-FWSM-TRANSIT
vlan 209
nameif BMS-FWSM-TRANSIT
security-level 100
ip address 10.37.46.225 255.255.255.248
!
interface GigabitEthernet0/1.229
description METERING-FWSM-TRANSIT
vlan 229
nameif METERING-FWSM-TRANSIT
security-level 100
ip address 10.37.43.249 255.255.255.248
!
interface GigabitEthernet0/1.239
description IPTV-FWSM-TRANSIT
vlan 239
nameif IPTV-FWSM-TRANSIT
security-level 100
ip address 10.37.45.249 255.255.255.248
!
interface GigabitEthernet0/1.249
description LIFTS-FWSM-TRANSIT
vlan 249
nameif LIFTS-FWSM-TRANSIT
security-level 100
ip address 10.37.46.249 255.255.255.248
!
interface GigabitEthernet0/1.990
description WIFIGUESTS
vlan 990
nameif WIFI-GUESTS
security-level 100
ip address 172.25.24.1 255.255.254.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description "NOT USED"
shutdown
nameif NOT-IN-USE
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 40Strand_entire_NW
subnet 10.37.32.0 255.255.224.0
description 40 Strand Entire NW IP range
object network NETWORK_OBJ_10.37.33.80_28
subnet 10.37.33.80 255.255.255.240
object-group network G-RFC1918
network-object NET-10.0.0.0-RFC1918 255.0.0.0
network-object NET-172.16-RFC1918 255.240.0.0
network-object NET-192.168-RFC1918 255.255.0.0
object-group network G-CCTV-OFFICE
network-object 10.37.36.0 255.255.255.128
network-object 10.37.36.128 255.255.255.128
object-group network G-IPTV
network-object 10.37.45.0 255.255.255.192
network-object 10.37.45.128 255.255.255.192
network-object NET-IPTV-CLIENTS3 255.255.255.224
network-object 10.37.45.64 255.255.255.192
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group network G-LIFTS
network-object 10.37.46.0 255.255.255.192
network-object 10.37.46.64 255.255.255.192
object-group network G-MANSUITE
network-object 10.37.33.0 255.255.255.128
network-object 10.37.33.128 255.255.255.192
access-list BMS-FWSM-TRANSIT_access_in extended permit icmp 10.37.40.0 255.255.254.0 object-group G-RFC1918 log debugging
access-list BMS-FWSM-TRANSIT_access_in extended permit ip 10.37.40.0 255.255.254.0 object-group G-RFC1918 log debugging
access-list BMS-FWSM-TRANSIT_access_in extended deny ip 10.37.40.0 255.255.254.0 any log debugging
access-list CCTV-FWSM-TRANS-OFFICE_access_in extended deny ip object-group G-CCTV-OFFICE object-group G-RFC1918 log debugging
access-list CCTV-FWSM-TRANS-OFFICE_access_in extended deny ip object-group G-CCTV-OFFICE any log debugging
access-list CCURE-FWSM-TRANS-OFFICE_access_in extended deny ip 10.37.39.0 255.255.255.128 object-group G-RFC1918 log debugging
access-list CCURE-FWSM-TRANS-OFFICE_access_in extended deny ip 10.37.39.0 255.255.255.128 any log debugging
access-list IPTV-FWSM-TRANSIT_access_in extended deny ip object-group G-IPTV object-group G-RFC1918 log debugging
access-list IPTV-FWSM-TRANSIT_access_in extended deny ip object-group G-IPTV any log debugging
access-list IPT-TRANSIT_access_in extended deny ip 10.37.34.0 255.255.255.128 object-group G-RFC1918 log debugging
access-list IPT-TRANSIT_access_in extended deny ip 10.37.34.0 255.255.255.128 any log debugging
access-list global_mpc remark Scan All traffic
access-list global_mpc extended permit tcp object-group G-RFC1918 any object-group DM_INLINE_TCP_1
access-list VACINITEE-FWSM-TRANS_access_in extended deny ip 10.37.35.128 255.255.255.192 object-group G-RFC1918 log debugging
access-list VACINITEE-FWSM-TRANS_access_in extended deny ip 10.37.35.128 255.255.255.192 any log debugging
access-list SHOPALT-VOICE-TRANS_access_in extended deny ip 10.37.35.0 255.255.255.128 object-group G-RFC1918 log debugging
access-list SHOPALT-VOICE-TRANS_access_in extended deny ip 10.37.35.0 255.255.255.128 any log debugging
access-list LIFTS-FWSM-TRANSIT_access_in extended deny ip object-group G-LIFTS object-group G-RFC1918 log debugging
access-list LIFTS-FWSM-TRANSIT_access_in extended deny ip object-group G-LIFTS any log debugging
access-list LIGHTING-FWSM-TRANS_access_in extended deny ip 10.37.48.0 255.255.255.128 object-group G-RFC1918 log debugging
access-list LIGHTING-FWSM-TRANS_access_in extended deny ip 10.37.48.0 255.255.255.128 any log debugging
access-list WIFI-GUESTS_access_in extended permit icmp any any
access-list WIFI-GUESTS_access_in extended deny ip 172.25.24.0 255.255.254.0 object-group G-RFC1918 log debugging
access-list WIFI-GUESTS_access_in extended deny ip 172.25.24.0 255.255.254.0 any log debugging
access-list MANSUITE-FWSM-TRANS_access_in extended permit icmp any any
access-list MANSUITE-FWSM-TRANS_access_in extended deny ip object-group G-MANSUITE object-group G-RFC1918 log debugging
access-list MANSUITE-FWSM-TRANS_access_in extended deny ip object-group G-MANSUITE any log debugging
access-list NETWORK-MANAGE_access_in extended permit ip any any
access-list METERING-FWSM-TRANSIT_access_in extended deny ip 10.37.43.0 255.255.255.128 object-group G-RFC1918 log debugging
access-list METERING-FWSM-TRANSIT_access_in extended deny ip 10.37.43.0 255.255.255.128 any log debugging
!
!
ip local pool MGMNT_VPN_clients 10.37.33.82-10.37.33.93 mask 255.255.255.240
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any IPT-TRANSIT
icmp permit any SHOPALT-VOICE-TRANS
icmp permit any VACINITEE-FWSM-TRANS
icmp permit any NETWORK-MANAGE
icmp permit any CCTV-FWSM-TRANS-OFFICE
icmp permit any CCURE-FWSM-TRANS-OFFICE
icmp permit any LIGHTING-FWSM-TRANS
icmp permit any MANSUITE-FWSM-TRANS
icmp permit any BMS-FWSM-TRANSIT
icmp permit any METERING-FWSM-TRANSIT
icmp permit any IPTV-FWSM-TRANSIT
icmp permit any LIFTS-FWSM-TRANSIT
icmp permit any WIFI-GUESTS
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (IPT-TRANSIT,OUTSIDE) source dynamic any interface
nat (SHOPALT-VOICE-TRANS,OUTSIDE) source dynamic any interface
nat (VACINITEE-FWSM-TRANS,OUTSIDE) source dynamic any interface
nat (CCTV-FWSM-TRANS-OFFICE,OUTSIDE) source dynamic any interface
nat (CCURE-FWSM-TRANS-OFFICE,OUTSIDE) source dynamic any interface
nat (LIGHTING-FWSM-TRANS,OUTSIDE) source dynamic any interface
nat (MANSUITE-FWSM-TRANS,OUTSIDE) source dynamic any interface
nat (BMS-FWSM-TRANSIT,OUTSIDE) source dynamic any interface
nat (METERING-FWSM-TRANSIT,OUTSIDE) source dynamic any interface
nat (LIFTS-FWSM-TRANSIT,OUTSIDE) source dynamic any interface
nat (IPTV-FWSM-TRANSIT,OUTSIDE) source dynamic any interface
nat (WIFI-GUESTS,OUTSIDE) source dynamic any interface
nat (NETWORK-MANAGE,OUTSIDE) source dynamic any interface
nat (NETWORK-MANAGE,OUTSIDE) source static 40Strand_entire_NW 40Strand_entire_NW destination static NETWORK_OBJ_10.37.33.80_28 NETWORK_OBJ_10.37.33.80_28 no-proxy-arp route-lookup
nat (BMS-FWSM-TRANSIT,OUTSIDE) source static any any destination static NETWORK_OBJ_10.37.33.80_28 NETWORK_OBJ_10.37.33.80_28 no-proxy-arp route-lookup
access-group IPT-TRANSIT_access_in in interface IPT-TRANSIT
access-group SHOPALT-VOICE-TRANS_access_in in interface SHOPALT-VOICE-TRANS
access-group VACINITEE-FWSM-TRANS_access_in in interface VACINITEE-FWSM-TRANS
access-group NETWORK-MANAGE_access_in in interface NETWORK-MANAGE
access-group CCTV-FWSM-TRANS-OFFICE_access_in in interface CCTV-FWSM-TRANS-OFFICE
access-group CCURE-FWSM-TRANS-OFFICE_access_in in interface CCURE-FWSM-TRANS-OFFICE
access-group LIGHTING-FWSM-TRANS_access_in in interface LIGHTING-FWSM-TRANS
access-group MANSUITE-FWSM-TRANS_access_in in interface MANSUITE-FWSM-TRANS
access-group BMS-FWSM-TRANSIT_access_in in interface BMS-FWSM-TRANSIT
access-group METERING-FWSM-TRANSIT_access_in in interface METERING-FWSM-TRANSIT
access-group IPTV-FWSM-TRANSIT_access_in in interface IPTV-FWSM-TRANSIT
access-group LIFTS-FWSM-TRANSIT_access_in in interface LIFTS-FWSM-TRANSIT
access-group WIFI-GUESTS_access_in in interface WIFI-GUESTS
route OUTSIDE 0.0.0.0 0.0.0.0 195.62.201.193 1
route MANSUITE-FWSM-TRANS 10.37.33.0 255.255.255.0 10.37.33.254 1
route IPT-TRANSIT NET-VOICE-IPT 255.255.255.0 10.37.34.254 1
route SHOPALT-VOICE-TRANS NET-SHOPALT-VOICE 255.255.255.128 10.37.35.254 1
route VACINITEE-FWSM-TRANS NET-VACINITEE-THINCLIENT 255.255.255.128 10.37.35.246 1
route CCTV-FWSM-TRANS-OFFICE 10.37.36.0 255.255.255.0 10.37.38.254 1
route CCURE-FWSM-TRANS-OFFICE NET-CCURE-ACCESSDATA-OFFICE 255.255.255.0 10.37.39.254 1
route BMS-FWSM-TRANSIT NET-BMS-DATA 255.255.254.0 10.37.46.230 1
route METERING-FWSM-TRANSIT NET-METERING-DATA 255.255.255.0 10.37.43.254 1
route NETWORK-MANAGE NET-WIFI-AP-MANAGEMENT 255.255.255.0 10.37.32.1 1
route IPTV-FWSM-TRANSIT 10.37.45.0 255.255.255.0 10.37.45.254 1
route LIFTS-FWSM-TRANSIT 10.37.46.0 255.255.255.0 10.37.46.254 1
route LIGHTING-FWSM-TRANS NET-LIGHTING-SRV 255.255.255.0 10.37.48.254 1
08-29-2011 11:07 AM
Hi,
Looking at your configuration, I am sure you might be having issues with traffic flow, because I see a lot of deny ACLs in your config:
access-list CCTV-FWSM-TRANS-OFFICE_access_in extended deny ip object-group G-CCTV-OFFICE object-group G-RFC1918 log debugging
access-list CCTV-FWSM-TRANS-OFFICE_access_in extended deny ip object-group G-CCTV-OFFICE any log debugging
access-group CCTV-FWSM-TRANS-OFFICE_access_in in interface CCTV-FWSM-TRANS-OFFICE
Similarly many more; can you explain to me why you need these?
This would definitely block your traffic flow.
Thanks,
Varun
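As an added illustration of both replies above (this is not code from the thread, from Cisco, or from the ASA itself), here is a small Python audit over a constructed excerpt of the posted config. It checks that "same-security-traffic permit inter-interface" is present and, for each inbound ACL, whether any entry actually permits IP traffic toward the RFC1918 group or "any"; the deny-only lists Varun points to fail that check, and so does a list whose only permit is ICMP. Names such as audit and ACE_RE are this example's own.

```python
import re

# Constructed excerpt of the ASA 8.4(2) config posted in this thread (a few lines,
# not the whole file), used as sample input for the audit below.
CONFIG = """\
same-security-traffic permit inter-interface
access-list BMS-FWSM-TRANSIT_access_in extended permit ip 10.37.40.0 255.255.254.0 object-group G-RFC1918 log debugging
access-list BMS-FWSM-TRANSIT_access_in extended deny ip 10.37.40.0 255.255.254.0 any log debugging
access-list CCTV-FWSM-TRANS-OFFICE_access_in extended deny ip object-group G-CCTV-OFFICE object-group G-RFC1918 log debugging
access-list CCTV-FWSM-TRANS-OFFICE_access_in extended deny ip object-group G-CCTV-OFFICE any log debugging
access-list WIFI-GUESTS_access_in extended permit icmp any any
access-group BMS-FWSM-TRANSIT_access_in in interface BMS-FWSM-TRANSIT
access-group CCTV-FWSM-TRANS-OFFICE_access_in in interface CCTV-FWSM-TRANS-OFFICE
access-group WIFI-GUESTS_access_in in interface WIFI-GUESTS
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*?)(?: log\b.*)?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_aces(config):
    """Map ACL name -> ordered list of (action, protocol, src/dst text) entries."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
    return acls


def inbound_bindings(config):
    """Map interface name -> name of the ACL applied inbound on it."""
    matches = (GROUP_RE.match(line.strip()) for line in config.splitlines())
    return {m.group(2): m.group(1) for m in matches if m}


def inter_interface_enabled(config):
    """Same-security sub-interfaces only talk to each other when this line is present."""
    return "same-security-traffic permit inter-interface" in config.splitlines()


def audit(config):
    """Per interface: 'ok' if some ACE permits IP traffic toward the RFC1918 group or 'any';
    otherwise the explicit denies plus the ACL's implicit deny drop all inbound IP traffic."""
    acls, report = parse_aces(config), {}
    for iface, acl in inbound_bindings(config).items():
        opened = any(act == "permit" and proto == "ip" and ("G-RFC1918" in rest or rest.endswith(" any"))
                     for act, proto, rest in acls.get(acl, []))
        report[iface] = "ok" if opened else "blocked: no 'permit ip' toward RFC1918 destinations"
    return report


if __name__ == "__main__":
    print(inter_interface_enabled(CONFIG), audit(CONFIG))
```

Run it against a full "show running-config" export to get the same per-interface verdicts for all thirteen sub-interfaces.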