ASA Firewall inside <---> outside access

virgoboy009
Level 1

Hello Guys,

I am facing difficulty in configuring an ASA 8.0 firewall to allow access from inside to outside.

Please refer to the network overview below.

PC (10.2.1.10)
  |
L3 switch (10.2.1.1/24)
  |
ASA FW: inside 10.2.1.2 (inside, security 100) / outside 172.16.31.2 (outside, security 0)
  |
RouterA (172.16.31.1) --- 10.241.2.1/30 --- [10.241.2.2/30] MPLS ISP cloud [10.241.2.6/30] --- RouterB (10.241.2.5/30)
                                                                                                   |
                                                                                                 L3-Sw
                                                                                                 10.4.40.1
                                                                                                 10.4.70.1

I would like to explain the scenario in detail below.

From Router A to the ISP end, the MPLS network has been configured with the BGP routing protocol.

From Router B to the ISP end, the MPLS network has been configured with the BGP routing protocol.

After configuring BGP on Routers A and B, I am able to ping from Router A to Router B's LAN subnets, 10.4.40.1 and 10.4.70.1.

Now I want to ping 10.4.40.1 and 10.4.70.1 from the PC via the firewall.

Firewall configuration:

interface Ethernet0/0
 ip address 10.2.1.2 255.255.255.0
 no shutdown
 nameif inside
!
interface Ethernet0/1
 ip address 172.16.31.2 255.255.255.0
 no shutdown
 nameif outside
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.16.31.1 1
route outside 10.241.2.0 255.255.255.252 172.16.31.1 1

After this configuration, only after I add the ACL below am I able to ping from the PC to 10.4.40.1 and 10.4.70.1.

access-list acl-outside extended permit ip any any
access-group acl-outside in interface outside


Query 1: But I want to allow only certain IPs, for example 10.2.1.10 and 10.2.1.20, from inside to reach 10.4.40.1 and 10.4.70.1,

and deny the rest of the 10.2.1.0 subnet access to 10.4.40.1 and 10.4.70.1, as I do not want to use permit ip any any.

Query 2: If I do not use the global/nat commands below, will I be able to reach 10.4.40.1 and 10.4.70.1 from inside using an ACL and routing? If yes, how do I configure it?

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Query 3: I want to configure access from 10.4.40.1 and 10.4.70.1 to reach 10.2.1.10 (the PC IP address). How do I configure this?

I am thinking that we may use static NAT in the manner below along with an ACL.

static (outside,inside) 172.16.31.3 10.4.40.1 netmask 255.255.255.255 0 0   (172.16.31.3 is from the outside IP pool)

acl acl-outside extended permit ip host 172.16.31.3 host 10.2.1.10

Query 4: I want to configure access from 10.4.40.1 and 10.4.70.1 to reach 10.2.1.10 (the PC IP address) on ports 80, 443 and ICMP. How do I configure this?

static (outside,inside) 172.16.31.3 10.4.40.1 netmask 255.255.255.255 0 0   (172.16.31.3 is from the outside IP pool)

acl acl-outside extended permit tcp host 172.16.31.3 host 10.2.1.10 eq 80
acl acl-outside extended permit tcp host 172.16.31.3 host 10.2.1.10 eq 443
acl acl-outside extended permit tcp host 172.16.31.3 host 10.2.1.10 eq icmp

access-group acl-outside in interface outside

Please help me with all your suggestions and configurations for all the queries.

Regards,

KA.


4 Replies

Somanna M.P
Cisco Employee

Hi Karim,

Query 1: For inside to outside access you do not need an access-list on the outside. But you need to configure inspection. Inspection maintains a connection entry and allows reverse traffic from outside to inside. Please enter the command "fixup protocol icmp" and try to ping from inside to outside without the access-list on the outside interface.

Query 2: If you do not want to configure the nat and global you can configure a static identity NAT. This essentially NATs the actual IP address to itself; the command would be like: static (inside,outside) 10.2.1.10 10.2.1.10 netmask 255.255.255.255. This is needed because one of the basic rules on a firewall is that you need a NAT (static, or nat and global) for the source IP address when we are going from a higher security interface to a lower security interface.

Query 3: If you want to allow outside users to be able to access the inside host you need a NAT for the source and an access-list on the outside allowing the actual IP address of the source. So the config would go like:

static (outside,inside) 172.16.31.3 10.4.40.1 netmask 255.255.255.255 0 0

access-list acl-outside extended permit tcp host 10.4.40.1 host 10.2.1.10 eq 80
access-list acl-outside extended permit tcp host 10.4.40.1 host 10.2.1.10 eq 443
access-list acl-outside extended permit icmp host 10.4.40.1 host 10.2.1.10

access-group acl-outside in interface outside

Query 4: The access-list on the outside needs to allow the actual IP address of the source to the destination IP and the respective port (ICMP is a protocol of its own, not a TCP port, so it gets its own line):

access-list acl-outside extended permit tcp host 10.4.40.1 host 10.2.1.10 eq 80
access-list acl-outside extended permit tcp host 10.4.40.1 host 10.2.1.10 eq 443
access-list acl-outside extended permit icmp host 10.4.40.1 host 10.2.1.10

access-group acl-outside in interface outside

The following link should help you in the nat config:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

Here are some access-list config examples:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/nwaccess.html


Please let me know if this helps!

Regards,

Som

PS: Please mark the question as resolved if it is answered. Do rate helpful posts. Thanks.
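As an added example (not part of Som's reply or the original post), here is what Query 1 looks like as a complete ASA 8.0 configuration: the blanket inbound permit is removed, the two PCs are allowlisted on the inside interface, and ICMP inspection is enabled so echo replies come back statefully. Addresses are taken from the diagram; the object-group name REMOTE-LAN and the ACL name acl-inside are my own, and global_policy / inspection_default are the ASA's default policy-map and class names.

```text
! Added example, not the thread's own config. Assumes the addresses in the
! diagram; REMOTE-LAN and acl-inside are names chosen for this example.

! 1. Remove the "permit ip any any" that exposed the whole inside network to
!    anything reachable through the MPLS cloud.
no access-group acl-outside in interface outside
clear configure access-list acl-outside

! 2. Allowlist on the inside interface: only 10.2.1.10 and 10.2.1.20 may reach
!    the two remote gateways. The explicit deny at the end logs everything else
!    (the implicit deny would drop it anyway, but silently).
object-group network REMOTE-LAN
 network-object host 10.4.40.1
 network-object host 10.4.70.1
access-list acl-inside extended permit ip host 10.2.1.10 object-group REMOTE-LAN
access-list acl-inside extended permit ip host 10.2.1.20 object-group REMOTE-LAN
access-list acl-inside extended deny ip any any log
access-group acl-inside in interface inside

! 3. Stateful ICMP inspection: echo replies for pings started on the inside are
!    matched to their connection entry, so no outside ACL is needed for them.
!    global_policy is already applied globally in the default config.
policy-map global_policy
 class inspection_default
  inspect icmp

! 4. Dynamic PAT from the original post stays as it is.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Verify: first trace should be allowed, second dropped by acl-inside.
packet-tracer input inside icmp 10.2.1.10 8 0 10.4.40.1
packet-tracer input inside icmp 10.2.1.30 8 0 10.4.40.1
```

The security-relevant point is the direction of the control: restricting who may go out belongs on the inside interface, where the real source addresses are visible, while the outside interface keeps its default "deny everything not part of an existing connection".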


Hello Somanna,

Great thanks for your posts; they really helped me understand the firewall setup.

I have got a couple of doubts which I want to clarify with you.

Query 1: Instead of using or typing "inspect icmp" or "fixup protocol icmp" on the ASA, which I guess allows all inside hosts to ping the outside network,

can I instead use nat (inside) 0 access-list noNat

access-list noNat permit ip host 10.2.1.10 host 213.42.76.x ...... (213.42.x.x is a public IP)

I guess with this command NAT doesn't involve 10.2.1.0 for NAT translation and directly pings the public IP.

Am I correct in this? Please explain.

Query 2: I am quite confused in setting static NAT from outside to inside.

static (outside,inside) 172.16.31.3 10.4.40.1 netmask 255.255.255.255 0 0 ..... here 10.4.40.1 is the outside IP and 172.16.31.3 is from the FW outside IP pool

acl acl-outside extended permit tcp host 10.4.40.1 host 10.2.1.10 eq 80 ......> 10.2.1.10 is the inside PC IP.

or

static (inside,outside) 172.16.31.3 10.4.40.1 netmask 255.255.255.255 0 0

acl acl-outside extended permit tcp host 10.4.40.1 host 10.2.1.10 eq 80

To write a static NAT for outside to inside, which one of the above is correct in terms of syntax? Please help me to understand.

Any other friends, please do suggest your comments on my posts.

Thank you so much, Somanna, for your posts.

Regards,

KA.

Karim,


Query 1: Inspection does not mean that all the hosts on the inside are allowed access to the outside. Inspection ensures that the traffic is allowed from outside to inside only for the connections that are initiated from the inside of the firewall. Using noNAT would be an option to limit the inside users' access to the internet only because the private IP addresses are not routable on the internet. A better way to limit them would be by using a simple ACL on the inside interface.

You are right. The commands:

nat (inside) 0 access-list noNat
access-list noNat permit ip host 10.2.1.10 host 213.42.76.x ...... (213.42.x.x is a public IP)

will not NAT the 10.2.1.10 host, but only when it is trying to access 213.42.76.x.

Query 2: To configure a static NAT from outside to inside the first set of commands is the correct configuration:

static (outside,inside) 172.16.31.3 10.4.40.1 netmask 255.255.255.255

access-list acl-outside extended permit tcp host 10.4.40.1 host 10.2.1.10 eq 80

This config means that the host 10.4.40.1 on the outside will be seen as 172.16.31.3 on the inside. This should explain more on this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#s11

Hope this helps. Please let me know if you have any further doubts on this.

Regards,

Som

P.S.: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks
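As an added example (not part of Som's reply or the original post), here is the outside-to-inside side of the thread (Queries 3 and 4 and the static-direction question) as a complete ASA 8.0 configuration, with the ICMP rule written as an ICMP entry rather than a TCP port. Addresses come from the diagram; 172.16.31.3 and 172.16.31.4 are assumed to be unused on the outside segment, the identity static for 10.2.1.10 is the one Som mentions in his first reply, and it is assumed that the MPLS side already has a route for 10.2.1.0/24 back toward RouterA.

```text
! Added example, not the thread's own config. Assumes the diagram's addresses,
! that 172.16.31.3/.4 are free on the outside segment, and that 10.2.1.0/24 is
! routed back to RouterA from the remote side.

! Static for the remote sources: 10.4.40.1 and 10.4.70.1 appear on the inside
! as 172.16.31.3 and 172.16.31.4. The real interface is named first.
static (outside,inside) 172.16.31.3 10.4.40.1 netmask 255.255.255.255
static (outside,inside) 172.16.31.4 10.4.70.1 netmask 255.255.255.255

! Identity static for the PC so it is reachable at its real address from the
! outside; the dynamic PAT rule alone only creates translations for
! connections started on the inside.
static (inside,outside) 10.2.1.10 10.2.1.10 netmask 255.255.255.255

! Outside ACL: real source addresses, and the destination as it is seen from
! the outside (identical to the real one because of the identity static).
! ICMP is its own protocol; "eq icmp" on a tcp line is rejected by the parser.
access-list acl-outside extended permit tcp host 10.4.40.1 host 10.2.1.10 eq 80
access-list acl-outside extended permit tcp host 10.4.40.1 host 10.2.1.10 eq 443
access-list acl-outside extended permit icmp host 10.4.40.1 host 10.2.1.10 echo
access-list acl-outside extended permit tcp host 10.4.70.1 host 10.2.1.10 eq 80
access-list acl-outside extended permit tcp host 10.4.70.1 host 10.2.1.10 eq 443
access-list acl-outside extended permit icmp host 10.4.70.1 host 10.2.1.10 echo
access-list acl-outside extended deny ip any any log
access-group acl-outside in interface outside

! Verify: the statics are installed, then one permitted and one denied flow.
show static
show xlate
packet-tracer input outside tcp 10.4.40.1 1025 10.2.1.10 443
packet-tracer input outside tcp 10.4.40.1 1025 10.2.1.10 22
```

Two things to check before calling this done: the second packet-tracer must end in a drop on acl-outside (if it is allowed, an older "permit ip any any" entry is still in the list), and "show xlate" after the first trace should show the 10.4.40.1 to 172.16.31.3 translation, which confirms the static was written in the right direction.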

hello,

Thank you for the explanation and it really helped to solve my query!

Regards,

KA.
