06-27-2011 11:49 PM - edited 03-11-2019 01:51 PM
Hello Guys,
Please suggest the standard way to configure my ASA FW for the below requirement.
Following is the requirement:
1) Inside to outside network: no NAT should be used.
2) Outside to inside: no NAT should be used.
10.2.1.1 Layer 3 interface Router
Coreswitch--10.2.1.2.inside.FW..Out172.16.31.2......172.16.31.1 RouterA--10.241.2.1....10.241.2.2..ISP_MPLS.......ISP.10.241.2.X....Vendor..10.4.x.x
Currently I have another few subnets within my Coreswitch, 10.1.200.X and 10.1.222.X, to be accessed from the vendor network without NAT translation, and also the vendor traffic from the 10.4.x.x outside network should be allowed without NAT to access the 10.1.200.x network.
Please suggest me the required config for end-to-end routing/NAT/ACL.
Please note that from router to ISP on both sides eBGP is configured, and on Router A I can get all the vendor router inside networks published via eBGP.
Also I can ping from Router A to the vendor inside network 10.4.x.x.
Subnets are
172.16.31.0/24
10.2.1.0/24
Appreciate your high efforts.
Thanks and Regards,
KA.
Please suggest me the required changes on ASA
06-28-2011 01:18 AM
Hello!
1) No natting from inside to outside:
access-list nonat_inside permit ip 10.2.1.0 255.255.255.0 any
access-list nonat_inside permit ip 10.1.200.0 255.255.255.0 any
access-list nonat_inside permit ip 10.1.222.0 255.255.255.0 any
nat (inside) 0 access-list nonat_inside
2) No natting from outside to inside:
static (inside,outside) 10.2.1.0 10.2.1.0 netmask 255.255.255.0
static (inside,outside) 10.1.200.0 10.1.200.0 netmask 255.255.255.0
static (inside,outside) 10.1.222.0 10.1.222.0 netmask 255.255.255.0
And then you must have an access-list applied to the outside interface which permits the traffic that is allowed to go to inside.
Regards
Paul
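A complete pre-8.3 configuration for KA's topology, as an added example that is not Paul's or KA's posted config. It assumes interface names inside/outside on GigabitEthernet0/1 and 0/0, a vendor network of 10.4.0.0/16 (the thread only says 10.4.x.x), and that 10.1.200.0/24 and 10.1.222.0/24 sit behind the core switch at 10.2.1.1; the outside ACL admits only the vendor network to 10.1.200.0/24 rather than permitting any.

```cisco
! Interfaces (addresses taken from the thread; interface names are assumed)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.31.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.1.2 255.255.255.0
!
! Routing: default route to Router A, internal subnets via the core switch
route outside 0.0.0.0 0.0.0.0 172.16.31.1
route inside 10.1.200.0 255.255.255.0 10.2.1.1
route inside 10.1.222.0 255.255.255.0 10.2.1.1
!
! 1) Inside -> outside: NAT exemption (nat 0) for the internal subnets
access-list nonat_inside extended permit ip 10.2.1.0 255.255.255.0 any
access-list nonat_inside extended permit ip 10.1.200.0 255.255.255.0 any
access-list nonat_inside extended permit ip 10.1.222.0 255.255.255.0 any
nat (inside) 0 access-list nonat_inside
!
! 2) Outside -> inside: identity statics so inside addresses are reachable unchanged
static (inside,outside) 10.2.1.0 10.2.1.0 netmask 255.255.255.0
static (inside,outside) 10.1.200.0 10.1.200.0 netmask 255.255.255.0
static (inside,outside) 10.1.222.0 10.1.222.0 netmask 255.255.255.0
!
! Outside ACL: only the vendor network (assumed 10.4.0.0/16) to 10.1.200.0/24,
! everything else dropped and logged
access-list outside_in extended permit ip 10.4.0.0 255.255.0.0 10.1.200.0 255.255.255.0
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

Traffic from 10.2.1.0/24 and 10.1.222.0/24 toward the vendor still works because it is initiated from the higher-security inside interface; only vendor-initiated sessions are limited to 10.1.200.0/24 by the outside ACL.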
06-28-2011 02:48 AM
Hello Paul,
Thank you for the reply!
I have one doubt here on your below NAT statement for NAT outside to inside.
2) No natting from outside to inside:
static (inside,outside) 10.2.1.0 10.2.1.0 netmask 255.255.255.0
static (inside,outside) 10.1.200.0 10.1.200.0 netmask 255.255.255.0
static (inside,outside) 10.1.222.0 10.1.222.0 netmask 255.255.255.0
Should the static command be
static (outside,inside) 10.4.x.0 172.16.31.0 netmask 255.255.255.0..?
Here 10.4.x.0 is the vendor network subnet and 172.16.31.0 is my FW outside subnet.
If not, in what scenarios would the command be
static (inside,outside) 10.1.200.0 10.1.200.0 netmask 255.255.255.0 used for this requirement?
Please let me know how we can use static (inside,outside) ... to initiate traffic from outside to inside and what ACL should be used in regards to source to destination for applying on in traffic for the outside interface of the FW.
Appreciate your help.
Regards,
KA.
07-08-2011 03:34 PM
Hi Karim,
Are you going to have any NAT configured at all on the firewall? If there is none configured, there is no need for the static or nat 0 statements above (given nat-control is disabled). All you need are ACLs on the outside interface to allow outside subnets to access the inside networks.
Regards,
Prapanch
07-13-2011 06:00 AM
Prapanch,
With 8.4 there is no "nat-control" AFAIK. Can I configure an 8.4 ASA without any NAT commands at all and expect traffic to traverse the device (with appropriate ACLs)?
I was under the impression from the docs that you must at least do Identity NAT.
07-13-2011 06:07 AM
Hi Josh,
There is no concept of nat-control post 8.3 versions, so yes, you would need at least an identity NAT configuration to pass the traffic through the ASA. Kindly let me know if you need any config help.
Varun
07-13-2011 06:28 AM
Thank you Varun,
Here is what I am doing:
Customer -> ASA 5520 -> 3750X -> PIX -> Internet
I am protecting the "3750X" portion of the network from the Customer network. The customer uses the Internet through the PIX. There cannot be any NAT at all on the ASA.
I have some of this going on which seems to be the appropriate Identity NAT:
object network Inet
subnet 0.0.0.0 0.0.0.0
object network Inet
nat (3750x,customer) static 0.0.0.0
My ACLs are permit IP any any on both interfaces. Customer has the lower security level.
=======
Connectivity from the Customer to the Internet is very spotty. It almost looks like an MTU issue - some websites load, others do not, pings are good to go everywhere. When I replace that ASA with a Cisco router, everything works great.
I want the ASA to behave like a router (no NAT) but provide nice ACL, packet inspection and logging features. I could do this easily in the past with an ASA using "nat 0" or "no nat-control."
Thoughts?
07-13-2011 11:04 AM
Hi Josh,
You would need the following nat config to exempt all customer network:
Lets say your customer network has 3 networks:
192.168.1.0
192.168.2.0
192.168.3.0
and you want to exempt these networks completely:
Then you would need:
object-group network internal_subnets
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
nat (inside,outside) source static internal_subnets internal_subnets (assuming your cust network is on the inside interface)
That's it.....
You just need these nats.
Thanks,
Varun
07-13-2011 11:06 AM
Consider that the entire Internet is "internal" in this configuration. The customer is "external" and the 3750x areas + the Internet are "internal".
07-13-2011 11:10 AM
Josh,
Is that what you are referring to:
Customer----------outside(ASA)inside---------3750-------------inside(PIX)outside---------------Internet
Then also no worries:
nat (outside,inside) source static internal_subnets internal_subnets
That's it...
Hope this helps
Thanks,
Varun
07-13-2011 11:12 AM
And by internal_subnets do you mean 0.0.0.0/0? If I only list the actual subnets in the 3750x area, the customer will not be able to reach the Internet.
07-13-2011 11:14 AM
Or would it be:
nat (outside,inside) source static customer_subnets customer_subnets
07-13-2011 11:16 AM
I mean the customer_subnets, the one that I mentioned in the configuration. On the PIX device you must be having a nat statement, something like:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1
so this would give internet access to all IP addresses on the inside.
Varun
07-13-2011 11:19 AM
I will give that a try next week and come back here to let you know. Yes the PIX is NATing to the Internet.
Thanks!
- Josh
07-13-2011 11:21 AM
No problem Josh!!!!!
If you have any issues, do post it to me.
Varun
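The 8.4 (twice NAT) form for Josh's customer/3750x layout, as an added example that is not Varun's or Josh's config. It assumes the three customer subnets from Varun's earlier post, interface names customer (security-level 0) and 3750x (security-level 100), and a 3750x-side address range of 10.10.0.0/16 (a placeholder, not from the thread); the interface ACL on the customer side replaces permit ip any any so the customer can reach the Internet through the PIX but not the 3750x networks.

```cisco
! Customer address space, identity-translated in both directions
object-group network customer_subnets
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
!
! 3750x-side networks to be protected (assumed placeholder range)
object-group network protected_3750x
 network-object 10.10.0.0 255.255.0.0
!
! Twice NAT identity rule: customer addresses leave unchanged toward the 3750x/PIX
! side, and the same rule matches the return direction, so no address is rewritten
nat (customer,3750x) source static customer_subnets customer_subnets
!
! Inbound on the lower-security customer interface: block access to the
! protected networks (logged), then allow the customer subnets out to the Internet
access-list customer_in extended deny ip object-group customer_subnets object-group protected_3750x log
access-list customer_in extended permit ip object-group customer_subnets any
access-list customer_in extended deny ip any any log
access-group customer_in in interface customer
```

Verify the identity rule with "show nat detail": the translate_hits and untranslate_hits counters on that line should increase as customer traffic flows, and "packet-tracer input customer tcp 192.168.1.10 1025 8.8.8.8 80" should show the NAT phase matching it.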