Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
583
Views
5
Helpful
1
Replies

ASA traffic tromboning

sprocket10
Level 2
Level 2

‎05-22-2018 07:31 AM - edited ‎02-21-2020 07:47 AM

 

We have several interfaces setup on our ASA 5516 with different security settings in the access lists. I have 2 of these interfaces that are causing me a head ache.

For example. Interface 1 (172.16.1.x corporate network) and Interface 3 (192.168.1.x dirty test network) are not allowed to talk to each other internally, they have a explicit deny in both ways. Both interfaces have Nat for different external ip addresses. The dirty test network has various test servers that allow external access. I need people in the corporate network to be able to access these test servers via the external ip addressing, like anyone else in the world. I assume the ASA is blocking this as it knows both networks and is being to cleaver. How do I allow access between these networks but only via the external IP?

Labels:
0 Helpful
1 Reply 1

mattjones03
Level 1
Level 1

‎05-22-2018 04:27 PM

Hi,

 

Here are a few options to consider;

 

1. Issue the command: ‘same-security-traffic infra-interface’ allowing you to trombone the outside interface. Ensure that any additional NAT’s are in place to facilitate this.

 

2. If the sites/services in the non-corporate network have an associated public DNS record, replicate this record in your internal DNS servers by pointing to the real (192.168.1.x) IP of the site/service. Ensure that you have the specific ACL permits in place between zones, and the relevant NAT’s in place (172.16.1.x <> 192.168.1 x).

 

3. Use the Cisco ASA rewrite option that will inject the internal/real IP of the site/service should a matching NAT be configured. This will ensure any DNS query originating from your corporate network to upstream DNS servers are provided the internal IP of the service. This is completed should an external DNS lookup be completed. Please read the following for further information on how to achieve this;

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html

 

Similarly to the other options, the required ACL’s and NAT’s would need to be in place to facilitate this.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card