allowing traffic between segments

suthomas1
Level 7

I am confused about the lines for allowing traffic between 3 ASA zones.

internet (level 100) - 198.65.34.22

businessapp (level 80) - 172.16.24.1 255.255.255.0

local (level 0) - 172.16.15.0 255.255.255.0

172.16.24.10 is the business server IP on the DMZ. It should be accessible from both internet and local users.

And the business app server should be accessing another server in local.

static (businessapp,internet) 198.65.34.27 172.16.24.10 netmask 255.255.255.255

static (businessapp,local) 172.16.15.0 172.16.24.1

static (local,businessapp)  172.16.15.25 172.16.24.1 netmask 255.255.255.255

The first static should allow internet users to access the server.

The second static is for the server to be allowed for local users.

The third static will permit the businessapp server to go to a server on the local side.

Please help if this is wrong.

Thanks


Michael Wollner
Community Member

Hi,

What type of Cisco ASA do you use? There are some restrictions with the Base License of the Cisco ASA 5505.

Table 3-1 License Restrictions on Active VLANs

License Type | Mode | Connections
Base Platform | Transparent Mode | Up to two active VLANs.
Base Platform | Routed Mode | Up to three active VLANs. The DMZ VLAN is restricted from initiating traffic to the inside VLAN.
Security Plus License | Transparent Mode | Up to three active VLANs, one of which must be used for failover.
Security Plus License | Routed Mode | Up to 20 active VLANs. For example, you can allocate each physical port to a separate VLAN, such as Outside, DMZ 1, DMZ 2, Engineering, Sales, Customer Service, Finance, and HR. Because there are only 8 physical ports, the additional VLANs are useful for assigning to trunk ports, which aggregate multiple VLANs on a single physical port.

Regards,

Michael

Jennifer Halim
Cisco Employee

You have your security level the other way round for the internet and local interfaces.

internet should have the lowest security level, i.e. 0
local should have the highest security level, i.e. 100

First static line is correct, to allow internet user to access the server.


Second static line is incorrect, because you can never have an IP address of 172.16.15.0 when your subnet mask is /24, and you can never NAT the interface IP address (172.16.24.1).

Third static line is also incorrect, as you can't NAT the actual businessapp interface IP address (172.16.24.1).

If you would like connectivity between "businessapp" and "local" subnet, then you would need to configure the following static NAT statement:
static (local,businessapp) 172.16.15.0 172.16.15.0 netmask 255.255.255.0
--> this is assuming that you change the security level around as advised above.

Yes, the security levels are as pointed out by you. It was my mistake to write them wrongly.

I have read documents on these, but I have a problem getting this right: how to determine which interface comes first within static (1,2) when the static statement is written.

In this case, I see it uses the same subnet in both places. What does this mean, and why isn't it something similar to what was defined for the internet & DMZ related rules, where both addresses were different?

static (local,businessapp) 172.16.15.0 172.16.15.0 netmask 255.255.255.0

If I need to restrict the local & businessapp segment servers to certain access only, can I use an ACL along with the static here, since the static above means all units in both local & businessapp can initiate traffic to each other?

Thank You.

The static NAT statement is typically written in this order:

-- If you need to translate the address (i.e. DMZ and internet):

static (high security interface,low security interface) netmask

so it goes: static (high,low) low high --> this is to translate the ip address of the high security level

-- If you do not need to translate the address (i.e. typically between 2 internal subnets, DMZ and local), then you configure static 1:1 NAT to itself. Even though you do not want to translate the address, you still need to configure the static NAT statement, but the static NAT statement will not have any translation configured; it's just translation to itself:

static (high security interface,low security interface) netmask

so it goes: static (high,low) high high --> this is to NOT translate the ip address of the high security level subnet

You are absolutely correct: to provide certain access only between the local and businessapp server segments, you can use an ACL.

Thanks Jennifer, that gave me a much clearer view.

So, the translation is defined for the higher interfaces. Since we need to configure static NAT for levels requiring no translation (as for DMZ & local above), is it because of the different security levels of both interfaces?

In a case where we have 2 equal security interfaces , do we still need static statement for them to communicate?

Thank you.

Yes, whether you have same or different security levels, you still need to configure the static 1:1 translation (static to itself) --> no translation

For traffic between same security level however, if you do not have any ACL applied to the interfaces, they can flow freely without requiring any ACL.

For traffic initiated from high to low security level, you also do not need an ACL applied to the interface, and it can flow from high to low security level interfaces.

For traffic initiated from low to high security level, you would need to have ACL applied to the low security level interface before any traffic can flow from low to high.

Further to that, for interfaces with same security level, you would need to configure the following:

"same-security-traffic permit inter-interface"

Hope that answers your question.
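An added example, not from this thread or from Cisco: a small Python checker that applies the rules explained above (the static (high,low) ordering, no NAT of interface addresses, a network address is not a host, and the security-level rules for which flows need an ACL) to the static statements discussed in the thread. The interface table, the internet subnet mask and the local interface address (.1) are assumptions.

```python
import ipaddress
import re

# Constructed interface table for the thread's three zones, with the corrected
# security levels (internet 0, businessapp 80, local 100); masks/.1 assumed.
INTERFACES = {
    "internet":    {"level": 0,   "ip": "198.65.34.22", "net": "198.65.34.0/24"},
    "businessapp": {"level": 80,  "ip": "172.16.24.1",  "net": "172.16.24.0/24"},
    "local":       {"level": 100, "ip": "172.16.15.1",  "net": "172.16.15.0/24"},
}

STATIC_RE = re.compile(r"static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?$")

def check_static(line, interfaces=INTERFACES):
    """Return the problems in one 'static (real_if,mapped_if) mapped real' line.
    Rules from the thread: first interface is the real (higher security) side,
    interface addresses are never translated, a network address is not a host,
    and the real address must be on the real interface's subnet."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a static statement"]
    real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
    mask = mask or "255.255.255.255"  # no netmask keyword means a single host
    problems = []
    if interfaces[real_if]["level"] < interfaces[mapped_if]["level"]:
        problems.append(f"{real_if} is lower security than {mapped_if}; order is (high,low)")
    for side, ip, ifname in (("mapped", mapped_ip, mapped_if), ("real", real_ip, real_if)):
        if any(ip == i["ip"] for i in interfaces.values()):
            problems.append(f"{side} address {ip} is an interface address")
        net = ipaddress.ip_network(interfaces[ifname]["net"])
        if mask == "255.255.255.255" and ip == str(net.network_address):
            problems.append(f"{side} address {ip} is a network address, not a host")
    try:
        real_net = ipaddress.ip_network(f"{real_ip}/{mask}", strict=True)
    except ValueError:
        return problems + [f"{real_ip}/{mask} is not a valid host or network entry"]
    if not real_net.subnet_of(ipaddress.ip_network(interfaces[real_if]["net"])):
        problems.append(f"real address {real_ip} is not on the {real_if} subnet")
    return problems

def flow_allowed(src_if, dst_if, acl_permits=False, same_sec_inter=False, interfaces=INTERFACES):
    """Whether a new connection from src_if to dst_if passes the security-level rules."""
    s, d = interfaces[src_if]["level"], interfaces[dst_if]["level"]
    if s > d:
        return True            # high to low: no ACL required
    if s == d:
        return same_sec_inter  # needs 'same-security-traffic permit inter-interface'
    return acl_permits         # low to high: needs a permitting ACL on the low interface
```

Running the original poster's three statics through check_static reproduces the objections raised in the thread (wrong interface order, interface IP used as a NAT address, 172.16.15.0 used as a host), while the corrected 1:1 statement passes cleanly.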

Thanks Jennifer , those were good explanations!
