asa inbound access

techkamleshs
Level 1

Hi,

I am confused. If we have a public IP 199.X.X.11 assigned to the NIC of an inside server, the server is behind the ASA inside, and the ASA external range does not fall into that, will I be able to access this server from outside? The access list is applied on the outside for the public IP 199.X.X.11 for destination port 80, and the ISP has a route pointing to the firewall for the server public IP. Also, is a static required in the ASA? Sorry if this is basic, as I am new to Cisco and do not know about this.

asa external ip - 64.X.X.9

internal server --- (inside) fw (outside) --- ISP --- internet --- user

18 Replies

Hi Jennifer,

Thanks for your reply again. I know that with the static below, the identity source translation will also happen from private to public, but I am not concerned with outbound. My requirement is only for inbound, and I want to understand nat-control. The theory in the documentation goes against what I am observing in practice. I removed all the NAT statements from the firewall and also did a "no nat-control", and without any NAT in my config, I am able to ping from outside to inside on 199.X.X.11, which should not happen.

static (private,public) 199.X.X.11 199.X.X.11

- With "no nat-control" and without any NAT statements on the firewall, and just an inbound ACL for 199.X.X.11, I can ping inbound to 199.X.X.11 without any static.

- With "nat-control" and without any NAT statements on the firewall, and just an inbound ACL for 199.X.X.11, I cannot ping without the static command being in place.

So, like I said, nat-control is affecting static NAT. The document should not be saying that "NAT control does not affect static NAT".

It is not affecting the static NAT statement.

If you have the command "no nat-control", it will allow inbound connections without any static NAT statement, because there is no control over any of the NAT statements.

If you however have "nat-control", or any NAT statement with "no nat-control", it will impose the old translation rule whereby you need to configure a static NAT statement for inbound traffic.

"nat-control" is a new feature from version 7.0 onwards. In the old versions of PIX (6.3 and below), there is no nat-control feature, and a static NAT statement is required for all inbound connections from a low to a high security level.

Hi,

"If you have the command "no nat-control", it will allow inbound connection without any static nat statement, because there is no control over any of the nat statements."

Consider that the firewall does not have any nat command in it and no nat-control is configured. Now I put just nat-control, without any NAT statements. So isn't nat-control only for outbound traffic, i.e. from inside to outside? So why do we need to put a static for inbound traffic at this point? If nat-control is independent of static and only meant for outbound traffic, why is a static required?

As I said earlier, disabling NAT with "no nat-control" is a new feature, and prior to the availability of this particular command, you would need to configure a static NAT statement for inbound traffic (from a low to a high security level), and there was no other option.

Enabling "nat-control" brings back the old rule of having to have a static NAT statement for inbound traffic. This is the design of the ASA; those are the design rules and how you configure it.
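For reference, here is the complete set of pre-8.3 ASA commands that the answer above describes for the original poster's scenario: nat-control enabled, an identity static for the server, and an inbound ACL restricted to the web port. This is an added example, not configuration posted in the thread or published by Cisco. The interface names private/public are taken from the poster's own static statement; the ACL name outside_in and the netmask keyword are assumptions.

```text
! nat-control on: traffic entering from public toward private requires a
! matching static, which is exactly the behaviour the poster observed.
nat-control

! Identity static: 199.X.X.11 on private is presented unchanged on public,
! so the ISP route pointing at the ASA lands on the server.
static (private,public) 199.X.X.11 199.X.X.11 netmask 255.255.255.255

! Only TCP/80 to the server is permitted inbound; everything else is
! dropped by the implicit deny at the end of the ACL.
access-list outside_in extended permit tcp any host 199.X.X.11 eq 80
access-group outside_in in interface public

! Checks: the static should appear as a translation slot, and the ACL
! hit counts should climb when a client connects to port 80.
show xlate
show access-list outside_in
```

The practical point for whoever runs this firewall: with "no nat-control" and no statics, the thread shows that the inbound ACL is the only thing standing between the internet and the inside hosts, so the ACL must be written tightly (specific host, specific port). Keeping nat-control on, as in the example, adds a second gate: an inside host is reachable only if someone deliberately wrote a static for it.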
