06-04-2018 09:28 PM - edited 02-21-2020 07:50 AM
Hi Experts,
We have 3 zones called Inside, DMZ and Outside. We're doing PAT for Inside users to reach the Internet using the External Interface public IP.
We've applied ACLs on all interfaces (In->Out, Out->In, Out->DMZ, DMZ->In).
My query is, I see only PAT rules in place and NO ACL on the Inside interface to allow the traffic on the firewall. Since there is an implicit deny at the very end of the ACL, by default it'll drop, and I'm not sure how it works. Even in the Cisco docs, I don't see any ACLs being configured or mentioned related to PAT. Please assist.
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) dynamic interface
Regards,
Srinivasan
06-05-2018 12:44 AM
Hi there,
Your inside interface should have a higher security level than the outside interface. This allows a device residing on a higher security level interface to access a device on a lower security level interface.
If you want to control this behaviour you would use an ACL and access-group.
cheers,
Seb.
06-05-2018 02:20 PM
Hi Seb,
Thanks for the reply. As I mentioned earlier, we already have ACLs applied on all interfaces, and we have PAT as well for reaching the Internet.
But we don't see any ACLs relating to PAT applied at the Inside interface to allow the traffic. Not sure, please assist.
Regards,
Srinivas
06-06-2018 04:16 AM
Hi there,
If you have no ACL applied on the inside interface (as you said in the first post), then the ASA will use the security-level configured to determine what can be accessed, either between 'inside' private IP interfaces or via the 'outside' public IP interface that would require PAT.
Please provide a sanitised config if you need further explanation.
cheers,
Seb.
06-06-2018 03:10 PM - edited 06-07-2018 12:05 PM
Hi, below config for reference. We've applied ACLs at the Inside interface but no config related to PAT. Will PAT work without ACLs? Please assist.
object-group network Internal_IP
description Corporate network
network-object object Corporate-Servers-172.22.1.0
network-object object DesktopAccess-172.22.116.0
network-object object Desktop-wireless-172.22.112.0
network-object object Desktop-access-B3-172.22.82.0
nat (Inside,Internet) source dynamic Internal_IP interface
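For reference, an added example (not from this thread, and not from Cisco's documentation) showing how the pieces fit together on an ASA running 8.3 or later code: the interface security levels, the NAT object, and an interface ACL bound with access-group. The interface names, the 192.0.2.0/24 inside subnet, the 203.0.113.2 outside address and the ACL name inside_in are all assumed. The point it illustrates is the one behind the question: the nat statement only rewrites addresses and never permits anything. Whether a packet is allowed is decided by the security-level comparison when no access-group is bound to the inside interface, and by the ACL (with its implicit deny) as soon as one is. On 8.3+ code the ACL matches the real, untranslated inside addresses, so it is written against the private subnet, not the public PAT address.

```cisco
! Added example config, not from the thread. Names and addresses are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! The NAT object: inside sources are PATed behind the outside interface IP.
! This grants nothing; it only decides which address the packet leaves with.
object network inside-subnet
 subnet 192.0.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Case 1: no access-group on 'inside'. Traffic from security-level 100 to
! security-level 0 is allowed by the level comparison alone, so the PAT rule
! above is all that is needed for inside users to reach the Internet.
!
! Case 2: an access-group is bound to 'inside'. The implicit deny now applies
! to everything not listed, so outbound traffic must be permitted explicitly.
! The ACL matches the real (pre-NAT) inside addresses.
access-list inside_in extended permit tcp 192.0.2.0 255.255.255.0 any eq 80
access-list inside_in extended permit tcp 192.0.2.0 255.255.255.0 any eq 443
access-list inside_in extended permit udp 192.0.2.0 255.255.255.0 any eq 53
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
```

To check which of the two mechanisms is deciding the fate of a flow, run packet-tracer from enable mode, for example `packet-tracer input inside tcp 192.0.2.10 40000 198.51.100.20 443` (destination address constructed for the example). The output lists the phases in order; an ACCESS-LIST phase marked DROP means the interface ACL is rejecting the packet before NAT is ever consulted, while a flow that reaches the NAT phase and ends ALLOW confirms both the permit and the translation are in place. `show access-list inside_in` shows the per-line hit counts and `show nat` the translation counters, which together make it easy to tell an ACL gap from a NAT gap.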