ASA - PAT

Hi Experts,
We have 3 zones called Inside, DMZ and Outside. We're doing PAT for Inside users to reach out to the Internet using the External Interface public IP.
We've applied ACLs on all interfaces (In->Out, Out-In, Out-DMZ, DMZ-In).
My query is: I see only PAT rules in place and NO ACL on the Inside interface to allow the traffic on the firewall. Since there is an implicit deny at the very end of the ACL, by default it'll drop, and I'm not sure how it works. Even in Cisco docs, I don't see any ACLs being configured or mentioned related to PAT. Please assist.
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) dynamic interface
Regards,

Srinivasan

4 REPLIES
Seb Rupik
VIP Advisor

Hi there,

Your inside interface should have a higher security level than the outside interface. This allows a device residing on a higher security level interface to access a device on a lower security level interface.

If you want to control this behaviour you would use an ACL and access-group.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-intro.html#53931
cheers,

Seb.
Hi Seb,

Thanks for the reply. As I mentioned earlier, we already have ACLs applied on all interfaces and we have PAT as well for reaching out to the Internet.

But we don't see any ACLs relating to PAT applied @ the Inside interface to allow the traffic. Not sure, please assist.
Regards,

Srinivas

Hi there,

If you have no ACL applied on the inside interface (as you said in the first post), then the ASA will use the security-level configured to determine what can be accessed, either between 'inside' private IP interfaces or via the 'outside' public IP interface that would require PAT.
Please provide a sanitised config if you need further explanation.
cheers,

Seb.
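To illustrate the interaction between security levels, PAT and ACLs that Seb describes, here is an added example configuration (not from this thread or from Cisco's documentation); the interface names, addresses and the ACL name are assumed for illustration.

```cisco
! Added example (ASA 8.3+ syntax): PAT does not need an ACL of its own.
! Interface names, IP addresses and the ACL name are assumed for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! Object NAT as in the original post: inside hosts are PATed behind the
! outside interface address. This statement only rewrites addresses; it
! grants no permission by itself.
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! With NO access-group applied on "inside", flows from security-level 100
! to security-level 0 are permitted by the security-level rule alone, which
! is why the NAT rule appears to work "without" an ACL.
!
! Once an ACL is applied inbound on "inside", the security-level default no
! longer applies to that interface and the implicit deny at the end of the
! ACL governs, so the outbound flows must be explicitly permitted. ACLs match
! the real (pre-NAT) source addresses on ASA 8.3+.
access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit tcp 192.168.0.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit udp 192.168.0.0 255.255.255.0 any eq 53
access-group INSIDE_IN in interface inside
```

Anything not permitted by INSIDE_IN is dropped before NAT is ever consulted, so the ACL on the inside interface, not the NAT rule, is what decides which outbound traffic is allowed.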

Hi, below is the config for reference. We've applied ACLs @ the Inside interface but no config related to PAT. Will PAT work without ACLs? Please assist.
object-group network Internal_IP
description Corporate network
network-object object Corporate-Servers-172.22.1.0
network-object object DesktopAccess-172.22.116.0
network-object object Desktop-wireless-172.22.112.0
network-object object Desktop-access-B3-172.22.82.0
 nat (Inside,Internet) source dynamic Internal_IP interface