04-02-2011 01:55 AM - edited 03-11-2019 01:15 PM
Hi
How can I allow a subnet on the inside network SMTP and POP3 access, and deny all other traffic, without applying an ACL on the inside interface?
Subnet: 192.168.100.0/24
Allow only SMTP and POP3 traffic
Email service is hosted with the ISP
Firewall is an ASA 5510, version 8.2
Thanks
vishal
04-02-2011 05:45 AM
vishal.rane wrote:
Hi
How can I allow a subnet on the inside network SMTP and POP3 access, and deny all other traffic, without applying an ACL on the inside interface?
Subnet: 192.168.100.0/24
Allow only SMTP and POP3 traffic
Email service is hosted with the ISP
Firewall is an ASA 5510, version 8.2
Thanks
vishal
Vishal
You can't without an access-list. If you don't want to apply an ACL to the inside interface you could apply an ACL outbound on the outside interface, but I would recommend using an ACL inbound on the inside interface. That is, after all, what firewalls are for, i.e. controlling access, and the main way ASAs do this is by using ACLs.
The ACL would be very straightforward, i.e. (the ISP mail server address was not given in the post; <isp-mail-server> stands in for it):
access-list inside_out permit tcp 192.168.100.0 255.255.255.0 host <isp-mail-server> eq smtp
access-list inside_out permit tcp 192.168.100.0 255.255.255.0 host <isp-mail-server> eq pop3
access-list inside_out deny ip 192.168.100.0 255.255.255.0 any
access-list inside_out permit ip any any
access-group inside_out in interface inside
Jon
04-02-2011 06:51 AM
Hi
A Cisco technical engineer suggested applying an ACL with a NAT statement; this would avoid applying an ACL on the inside interface.
nat (inside) 5 access-list 111
global (outside) 5 interface
access-list 111 deny tcp 192.168.100.0 255.255.252.0 any eq 8080
access-list 111 deny tcp 192.168.100.0 255.255.252.0 any eq 80
access-list 111 deny tcp 192.168.100.0 255.255.252.0 any eq 443
access-list 111 permit ip 192.168.100.0 255.255.252.0 any
Any Comments
04-02-2011 07:45 AM
Hello,
Using policy NAT is a good approach. The access list in that example won't get you the access that you want, but the idea is fine. I want you to be aware that this does not eliminate the option that clients can send packets on those ports, but since the IP address they are coming from is not routable, the packet will be dropped at the first ISP router.
Something else you need to be aware of is that you should take your other NATs into consideration, because if there is already a global using the interface keyword, you may need to create the NAT statement with the same ID, and by NAT order of operation the most specific one (the one with the ACL) should take precedence.
Cheers
Mike
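As an added example, not Mike's or Vishal's configuration, this is what the policy NAT approach Mike describes looks like once the access list is rewritten to translate only SMTP and POP3, with the two caveats he raises (the ISP doing the dropping, and the interaction with the other NAT statements) made explicit. The ISP mail host <isp-mail-server>, NAT ID 5 being free, and 192.168.1.0/24 as the other inside subnet that keeps unrestricted PAT are all assumptions.

```cisco
! Added example, not from the thread. Assumptions: <isp-mail-server> is the
! ISP's mail host, NAT ID 5 is unused, and 192.168.1.0/24 is the other inside
! subnet that should keep ordinary PAT to the outside interface.
!
! Policy NAT: only SMTP/POP3 from 192.168.100.0/24 to the ISP mail host gets
! a translation. Anything else from that subnet matches no nat statement.
access-list 111 permit tcp 192.168.100.0 255.255.255.0 host <isp-mail-server> eq smtp
access-list 111 permit tcp 192.168.100.0 255.255.255.0 host <isp-mail-server> eq pop3
nat (inside) 5 access-list 111
global (outside) 5 interface
!
! The regular dynamic NAT for the rest of the inside network must not cover
! 192.168.100.0/24. A broad "nat (inside) 1 0.0.0.0 0.0.0.0" would pick up the
! mail subnet's non-mail flows after the policy NAT fails to match, and the
! restriction would be gone.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! With nat-control (8.2), a flow from inside that matches no nat statement is
! dropped by the ASA itself instead of leaving with its RFC 1918 source and
! relying on the ISP router to discard it.
nat-control
!
! Check one flow that should be translated and one that should not; compare
! the NAT phase and the Result line of the two runs.
packet-tracer input inside tcp 192.168.100.10 1025 <isp-mail-server> 25
packet-tracer input inside tcp 192.168.100.10 1025 <isp-mail-server> 80
```

The port 25 trace should be matched by nat (inside) 5 and allowed, and the port 80 trace should be dropped because no translation rule applies. Even so, Jon's objection stands: the access policy now lives in the NAT table, and a later "nat (inside) 1 0.0.0.0 0.0.0.0" added by someone else would silently remove the restriction, whereas an inbound ACL on inside states what it does.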
04-02-2011 09:54 AM
As Mike says this would work, but I still don't fully understand why you simply don't use an ACL. Think of it like this: if another person ends up maintaining the firewall and looks at the config with an ACL, it is obvious what you want to do. With policy NAT it may achieve the same thing, but it won't be that obvious as to why it has been done.
It is an oblique way to deny access from the inside when you have a perfectly good way to achieve the same thing with an access-list.
Having said that, it will stop these clients accessing anything other than what you want, although again, as Mike says, not with the config you posted. So my statement saying it can't be done was wrong. Apologies for that. I just don't tend to think of NAT as a control/restriction tool, rather an IP preservation tool.
Jon
04-02-2011 10:25 PM
Jon and Mike, thanks.
Jon, I am convinced by your reply, so I am going to apply the ACL on inside.