05-26-2011 12:39 PM - edited 03-11-2019 01:39 PM
Hi everybody,
Currently a customer has all the LAN devices using a router as the Default Gateway. The router also does the Dynamic NAT for the internet access and has NAT/PAT rules to publish some services like HTTP and FTP. As I know, the router will permit all the incoming traffic on all its interfaces without restrictions, unless there is an ACL that restricts the incoming traffic on a specific interface.
Now the customer has bought a brand new ASA and wants to use it as the default gateway for the entire LAN. This means the ASA will have the internet connection and will be responsible for the NAT/PAT process. I have configured the NAT/PAT rules already following the current router configuration, but:
I need to know if I have to configure ACLs allowing the incoming traffic on the outside interface for the services I NATed.
The router Configuration is:
!
interface FastEthernet0/0
ip address 10.0.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
speed auto
full-duplex
no cdp enable
!
!
interface Serial0/0
bandwidth 1536
ip address 74.xxx.xxx.154 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
service-policy output VOIP
!
no ip nat service skinny tcp port 2000
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static tcp 10.0.0.1 143 74.xxx.xxx.154 25 extendable
ip nat inside source static tcp 10.0.0.1 25 74.xxx.xxx.154 25 extendable
ip nat inside source static tcp 10.0.0.1 80 74.xxx.xxx.154 80 extendable
ip nat inside source static tcp 10.0.0.1 443 74.xxx.xxx.154 443 extendable
ip nat inside source static tcp 10.0.0.100 3389 74.xxx.xxx.154 3389 extendable
ip nat inside source static tcp 10.0.0.1 4125 74.xxx.xxx.154 4125 extendable
ip nat inside source static tcp 10.0.0.1 21 74.xxx.xxx.154 21 extendable
ip nat inside source static tcp 10.0.0.5 3390 74.xxx.xxx.154 3390 extendable
!
access-list 1 permit 10.0.0.0 0.0.0.255
The ASA configuration (without ACLs):
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.250 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address 74.xxx.xxx.154 255.255.255.248
!
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) tcp interface www 10.0.0.1 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.1 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.0.0.1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.0.0.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 10.0.0.1 4125 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.0.0.1 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 10.0.0.5 3390 netmask 255.255.255.255
Thanks in advance
Jose
05-26-2011 02:30 PM
Hello,
Since the outside interface is configured with security level 0, while the inside interface is configured with security level 100, by default the ASA will not permit traffic from lower security level to higher security level without an ACL. So yes, an ACL will need to be configured for the outside interface to allow users on the outside to access internal resources.
Here is a document with sample configuration:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml#open
Hope this helps.
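One way to write the outside ACL the answer describes, as an added example that is not part of the thread or the linked Cisco document. It uses the pre-8.3 syntax that matches the poster's static/global/nat commands, where the ACL references the translated (public) address, here the outside interface address as masked in the post; the management source 203.0.113.10 used to restrict the two RDP ports is a constructed placeholder, not from the thread.

```cisco
! Constructed example: restrict who may reach the published RDP ports (3389/3390)
! rather than exposing them to any source. Replace with the real admin addresses.
object-group network ADMIN-SOURCES
 network-object host 203.0.113.10
!
! Inbound rules on the outside interface. Pre-8.3: destination is the mapped
! (public) address used in the static translations, i.e. the outside interface IP.
access-list OUTSIDE-IN extended permit tcp any host 74.xxx.xxx.154 eq www
access-list OUTSIDE-IN extended permit tcp any host 74.xxx.xxx.154 eq https
access-list OUTSIDE-IN extended permit tcp any host 74.xxx.xxx.154 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 74.xxx.xxx.154 eq ftp
access-list OUTSIDE-IN extended permit tcp any host 74.xxx.xxx.154 eq 4125
access-list OUTSIDE-IN extended permit tcp object-group ADMIN-SOURCES host 74.xxx.xxx.154 eq 3389
access-list OUTSIDE-IN extended permit tcp object-group ADMIN-SOURCES host 74.xxx.xxx.154 eq 3390
! Explicit final deny with logging so blocked attempts show up in syslog.
access-list OUTSIDE-IN extended deny ip any any log
!
! Bind the list inbound on the outside interface; nothing is allowed in until this is applied.
access-group OUTSIDE-IN in interface outside
```

The default global service policy already includes FTP inspection, which is what lets the published FTP service work through NAT; check it is still present with `show service-policy`. On ASA 8.3 and later the ACL must reference the real (inside) address instead of the mapped one, and the static/global/nat commands are replaced by object NAT.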