Natting in ASA 5512X

net buzz
Level 1
Level 1

Hi!

I am actually replacing a PIX 515E unit with an ASA 5512X having version 8.6(1)2.

Starting from version 8.3 up, there is a difference in the way natting is done compared to previous ASA versions (8.2 and down) and PIX.

Scenario is as follows:

  • 1 Cisco router for Internet connected to 1 ASA 5512X with three networks (inside, dmz, outside)
  • PC1 found on inside zone must access the Internet in outside zone
  • External emails come from the Internet to the mail server in the inside zone
  • External users access the web server in the dmz

I have configured the ASA 5512X and router but I want to be sure that I have it in the correct way.

Please see the attached topology and configurations of router and ASA.

Thanks.

1 Accepted Solution

Accepted Solutions

Julio Carvajal
VIP Alumni
VIP Alumni

Hello,

Great job with the post. To the point and clear.

That being said you almost have it right.

The problem is on the ACL syntax.

Change this

access-list OutIn extended permit tcp any host 10.0.0.60 eq smtp

access-list OutIn extended permit tcp any host 10.0.0.70 eq www

To this

access-list OutIn extended permit tcp any host 172.16.1.70 eq 80

access-list OutIn extended permit tcp any host 192.168.1.60 eq 25

Also check this

On the DMZ you are allowing the web server to only access HTTP services on the outside (this will need DNS included if you do not have a DNS server on the DMZ), so add

access-list DMZIN extended permit udp host 172.16.1.70 any eq 53

Note: This is only if the web server will access websites.

Starting on 8.3 the ASA now performs the security checks in a different order

  • First the NAT
  • Then the ACL

This is why you point to the private IP address on the ACL.
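To make the order-of-operations point concrete, here is an added configuration example for the scenario in this thread written in ASA 8.3+ syntax. It is not the poster's configuration or the accepted answer's; it only reuses the interface names (inside, dmz, outside), the private hosts 192.168.1.60 and 172.16.1.70 and the public addresses 10.0.0.60 and 10.0.0.70 that appear above. The 192.168.1.0/24 inside subnet, the object names and the DMZ outbound policy are assumptions, and interface addressing is assumed to be configured already.

```cisco
! Added example, not the thread's own config. See the lead-in for assumptions.
!
! Pre-8.3 (PIX / ASA 8.2) style, shown for contrast only. Here the ACL matched
! the MAPPED (public) address because NAT ran after the ACL check:
!   static (inside,outside) 10.0.0.60 192.168.1.60 netmask 255.255.255.255
!   access-list OutIn extended permit tcp any host 10.0.0.60 eq smtp
!
! 8.3+ object NAT: the translation is attached to the real host object.
object network MAIL-SERVER
 host 192.168.1.60
 nat (inside,outside) static 10.0.0.60
!
object network WEB-SERVER
 host 172.16.1.70
 nat (dmz,outside) static 10.0.0.70
!
! Inside users reach the Internet through PAT on the outside interface address
! (192.168.1.0/24 as the inside subnet is an assumption).
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Because un-NAT now runs before the ACL lookup, the inbound ACL on the outside
! interface must match the REAL (private) addresses. An entry written against
! 10.0.0.60 would never match and the SMTP traffic would be dropped.
access-list OutIn extended permit tcp any host 192.168.1.60 eq smtp
access-list OutIn extended permit tcp any host 172.16.1.70 eq www
access-group OutIn in interface outside
!
! DMZ web server may only initiate HTTP and DNS outbound; anything else,
! including dmz -> inside, falls to the implicit deny at the end of the ACL.
access-list DMZIN extended permit tcp host 172.16.1.70 any eq www
access-list DMZIN extended permit udp host 172.16.1.70 any eq domain
access-group DMZIN in interface dmz
```

To check the result without waiting for real traffic, run packet-tracer from the ASA CLI with a constructed Internet source, for example `packet-tracer input outside tcp 203.0.113.10 40000 10.0.0.60 25`. The destination given to packet-tracer is the public address, because that is what arrives on the wire; the trace output lists the UN-NAT phase before the ACCESS-LIST phase, which is exactly why the ACL entry has to name 192.168.1.60. If the trace ends in DROP with the ACL as the reason, the ACL is still referencing the mapped address.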

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

3 Replies

net buzz
Level 1
Level 1

Dear Julio,

Thanks for the update.
Will edit the ACLs accordingly.

Regards,

Alvin

Sent from Cisco Technical Support iPhone App

Hey Alvin,

My pleasure man, remember to rate all of the helpful posts

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC