08-15-2013 11:59 AM - edited 03-11-2019 07:26 PM
UPDATE: I am looking into increasing our /29 outside subnet to a larger one (we've used all our current IPs). Having more IPs will mean I can do 1:1 NAT and the port range forwarding will be a moot point. Also, it turns out our teleworker server requires 1:1 NAT anyway.
====
Hello, I'd like any help people could provide achieving the following goals with my ASA5505 Config.
Goals:
1) Clean the code. Are there areas such as network objects that I can condense, like the PPTP object?
2) Allow traffic for DNS, from vlan15(guestnet) to vlan1(inside) 172.21.37.16 and .11
3) Learn how to Port RANGE forward on vlan2(outside) to vlan35(phonesys) for Teleworker Phones.
69 UDP
3998-3999 TCP
6004-6261 UDP
6800-6802 TCP
20001 UDP
50098-50508 UDP
Outside network from ISP:
IP Range: 10.10.39.8/29
ISP Router: 10.10.39.9
OUR Router: 10.10.39.10
(used 10.10.* instead of actual)
ASA5505, Running OS version 9.1(1)
Licensing is Security Plus with Unlimited Hosts.
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,15,35
switchport trunk native vlan 1
switchport mode trunk
--snip--
interface Vlan1
nameif inside
security-level 100
ip address 172.21.36.1 255.255.252.0
(NOTE: /22 network. I know, not normal. It's what I adopted when I took this job.
172.21.36.* Network Equipment
172.21.37.* Servers
172.21.38.* DHCP
172.21.39.* None used currently.)
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.39.10 255.255.255.248
!
interface Vlan15
nameif guestnet
security-level 50
ip address 172.21.15.1 255.255.255.0
!
interface Vlan35
nameif phonesys
security-level 100
ip address 172.21.35.1 255.255.255.0
--snip--
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network guest_net
subnet 0.0.0.0 0.0.0.0
object network phone_sys
subnet 0.0.0.0 0.0.0.0
object network mdaemon_in
host 172.21.37.14
object network sightmax_in
host 172.21.37.24
object network rs-web_in
host 172.21.37.17
object network mdaemon_out
host 10.10.39.11
object network sightmax_out
host 10.10.39.12
object network rs-web_out
host 10.10.39.13
object network pptp_1723
host 172.21.37.20
object network pptp_47
host 172.21.37.20
object network uca_443
host 172.21.35.13
--snip--
access-list outside_in extended permit tcp any object mdaemon_in eq smtp
access-list outside_in extended permit tcp any object mdaemon_in eq https
access-list outside_in extended permit tcp any object mdaemon_in eq 465
access-list outside_in extended permit tcp any object mdaemon_in eq 993
access-list outside_in extended permit tcp any object mdaemon_in eq 1001
access-list outside_in extended permit tcp any object sightmax_in eq www
access-list outside_in extended permit tcp any object sightmax_in eq https
access-list outside_in extended permit tcp any object rs-web_in eq www
access-list outside_in extended permit tcp any object rs-web_in eq https
access-list outside_in extended permit tcp any object pptp_1723 eq pptp
access-list outside_in extended permit tcp any object pptp_47 eq 47
access-list outside_in extended permit tcp any object uca_443 eq https
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
--snip--
object network obj_any
nat (inside,outside) dynamic interface
object network guest_net
nat (guestnet,outside) dynamic interface
object network phone_sys
nat (phonesys,outside) dynamic interface
object network mdaemon_in
nat (inside,outside) static mdaemon_out
object network sightmax_in
nat (inside,outside) static sightmax_out
object network rs-web_in
nat (inside,outside) static rs-web_out
object network pptp_1723
nat (inside,outside) static interface service tcp pptp pptp
object network pptp_47
nat (inside,outside) static interface service tcp 47 47
object network uca_443
nat (phonesys,outside) static interface service tcp https https
access-group outside_in in interface outside
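Added illustration for goal 3 (not code from the thread or from Cisco): on the ASA object-NAT syntax already used in this config (`object network` / `host` / `nat (...) static interface service ...` / `access-list outside_in extended permit ...`), every forwarded port needs its own object, nat statement and ACL entry, so the six teleworker ranges expand into a lot of configuration. This Python generator expands the ranges and emits those lines so the scale is visible before anything is pasted into a live box. Assumptions: the teleworker server is the phonesys host 172.21.35.13 (substitute the real address), the object names `tw_<proto>_<port>` are invented here, and the ACL name `outside_in` is the one from the posted config.

```python
"""Per-port static PAT generator for the teleworker port list.

Constructed example for this thread; the object naming scheme and the
choice of 172.21.35.13 as the teleworker server are assumptions.
"""

# Port list from the original post: (protocol, first port, last port).
TELEWORKER_PORTS = [
    ("udp", 69, 69),
    ("tcp", 3998, 3999),
    ("udp", 6004, 6261),
    ("tcp", 6800, 6802),
    ("udp", 20001, 20001),
    ("udp", 50098, 50508),
]


def expand_ports(ranges):
    """Yield (proto, port) for every port in the given inclusive ranges.

    Rejects reversed or out-of-range entries so a typo in the list does not
    silently produce a huge or empty forward.
    """
    for proto, first, last in ranges:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        if not (1 <= first <= last <= 65535):
            raise ValueError(f"bad range {proto} {first}-{last}")
        for port in range(first, last + 1):
            yield proto, port


def static_pat_lines(host, inside_if, outside_if, acl, ranges):
    """Return ASA config lines: one object, nat and ACL entry per port.

    The nat line is the same form the posted config uses for uca_443,
    just with a numeric port instead of a service name.
    """
    lines = []
    for proto, port in expand_ports(ranges):
        name = f"tw_{proto}_{port}"  # assumed naming scheme
        lines += [
            f"object network {name}",
            f" host {host}",
            f" nat ({inside_if},{outside_if}) static interface service {proto} {port} {port}",
            f"access-list {acl} extended permit {proto} any object {name} eq {port}",
        ]
    return lines


def port_count(ranges):
    """Number of individual ports the ranges cover."""
    return sum(1 for _ in expand_ports(ranges))


if __name__ == "__main__":
    cfg = static_pat_lines("172.21.35.13", "phonesys", "outside",
                           "outside_in", TELEWORKER_PORTS)
    print(f"{port_count(TELEWORKER_PORTS)} ports -> {len(cfg)} config lines")
    print("\n".join(cfg[:8]))  # first two ports as a sample
```

Running it shows 676 forwarded ports turning into 2704 lines of configuration, which is the practical reason the thread steers toward a spare public address and plain 1:1 static NAT (as in the mdaemon_in / mdaemon_out pair above) rather than static PAT for a range this size.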
08-19-2013 09:30 AM
Hi,
There is no way to configure several Static PAT (Port Forward) with one or only a few "nat" commands.
Each forwarded port with Static PAT will require its own NAT configuration.
The only exception is a situation where you have a continuous range of ports, which usually IS NOT the case.
Naturally the simplest configuration can be achieved by using Static NAT, but that naturally requires you to have extra public IP addresses for the server.
To allow certain traffic to your internal (NATed) hosts you can naturally group services under certain "object-group" to configure fewer actual ACL lines/rules on your firewall.
To allow the DNS traffic from GUEST to INSIDE you need to apply an ACL to the GUEST interface and allow this DNS traffic. If you don't want to allow any other traffic from GUEST to INSIDE then you will next have to block all traffic from GUEST to INSIDE. Finally you will have to allow all other traffic to allow Internet connectivity.
As a very simple example
access-list GUESTNET-IN remark Allow GUEST to INSIDE DNS
access-list GUESTNET-IN permit udp 172.21.15.0 255.255.255.0 host 172.21.37.16
access-list GUESTNET-IN permit udp 172.21.15.0 255.255.255.0 host 172.21.37.11
access-list GUESTNET-IN remark Deny All Other GUEST to INSIDE Traffic
access-list GUESTNET-IN deny ip any 172.21.36.0 255.255.252.0
access-list GUESTNET-IN remark Allow All Other Traffic for GUEST
access-list GUESTNET-IN permit ip 172.21.15.0 255.255.255.0 any
access-group GUESTNET-IN in interface guestnet
Do notice that the above ACL only takes into account limiting traffic to INSIDE (except for the DNS traffic) but allows traffic towards any other interface of the ASA.
Since we are talking about the newer software levels (related to NAT operation), that means you won't need any additional NAT configurations between the GUEST and INSIDE. They should be able to communicate with each other without any additional NAT configurations.
- Jouni
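Added illustration of the first-match behaviour the GUESTNET-IN example relies on (constructed example code, not anything from the thread or from Cisco). The Python below models the access list as an ordered rule list evaluated top-down with the ASA's implicit deny at the end, then runs a few constructed guest-side flows through it with and without the "deny ip any 172.21.36.0 255.255.252.0" line. Addresses are the ones from the thread; the `eq domain` (UDP 53) restriction on the two DNS lines is an assumption added here, since the thread's version permits any UDP to those hosts.

```python
"""First-match model of the GUESTNET-IN access list from this thread.

Constructed example; the port-53 restriction is an assumption, the
addresses and the rule order are the ones discussed in the thread.
"""
import ipaddress

GUEST = ipaddress.ip_network("172.21.15.0/24")    # vlan15 guestnet
INSIDE = ipaddress.ip_network("172.21.36.0/22")   # vlan1 inside (/22)
DNS_SERVERS = ("172.21.37.16", "172.21.37.11")    # internal resolvers
ANY = ipaddress.ip_network("0.0.0.0/0")
DNS_PORT = 53  # "eq domain"; assumption, the thread's ACL has no port


def guestnet_in(with_deny=True):
    """Build GUESTNET-IN as a list of (action, proto, src, dst, dport).

    proto "ip" matches any protocol and dport None matches any port.
    with_deny=False reproduces the mistake of leaving out the deny line.
    """
    rules = [
        ("permit", "udp", GUEST, ipaddress.ip_network(f"{dns}/32"), DNS_PORT)
        for dns in DNS_SERVERS
    ]
    if with_deny:
        rules.append(("deny", "ip", ANY, INSIDE, None))
    rules.append(("permit", "ip", GUEST, ANY, None))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first rule matching the flow.

    Top-down, first match wins; a flow that matches nothing falls through
    to the implicit deny at the end of every ASA access list.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if src_ip not in rsrc or dst_ip not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"


# Constructed sample flows from one guest client (not captured traffic).
SAMPLE_FLOWS = {
    "dns_to_inside_resolver": ("udp", "172.21.15.50", "172.21.37.16", 53),
    "http_to_inside_web":     ("tcp", "172.21.15.50", "172.21.37.17", 80),
    "https_to_internet":      ("tcp", "172.21.15.50", "8.8.8.8", 443),
    "ntp_to_inside_resolver": ("udp", "172.21.15.50", "172.21.37.16", 123),
}


def decisions(with_deny=True):
    """Evaluate every sample flow and return {flow name: action}."""
    rules = guestnet_in(with_deny)
    return {name: evaluate(rules, *flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for variant in (True, False):
        print("with deny line:" if variant else "WITHOUT deny line:")
        for name, action in decisions(variant).items():
            print(f"  {name:24s} {action}")
```

With the deny line in place only DNS to the two resolvers reaches inside and everything else from the guest VLAN still goes out to the Internet; drop that line and the final "permit ip ... any" lets guest HTTP reach an inside web server, which is exactly the effect described in this thread once an ACL replaces the security-level check. The port restriction also stops a guest from reaching other UDP services on the resolver hosts.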
08-19-2013 09:11 AM
Being shameless and maybe I'm breaking the rules but I'm bumping this to the top. Sorry but I'm really needing help with the port range forwarding and inter-vlan access permissions.
08-19-2013 09:47 AM
Thank you for the response!
Yes, I'm understanding that ACL for guest network to DNS; that certainly makes sense. Will the fact that the guestnet has a lower security level than the inside interfere with anything? Having the lower security means that by its nature it does not have access to a higher security level VLAN. So is the DENY ACL needed? And the guestnet already has access to the internet as the outside interface is a lower security level (guestnet DHCP is currently set to use Google's DNS). But I need internal DNS for our own internal domain name use. Currently no one on guestnet can access any of our internal web offerings.
Do I need to bring the guestnet up to same security level for this to work?
08-19-2013 09:56 AM
Hi,
The "security-level" configuration really has an impact only when you have NO ACLs configured on the interfaces. As soon as we attach an ACL to an ASA interface the "security-level" value will for the most part lose its original effect.
So as soon as we attach the ACL above to the "guestnet" interface THEN the ACL will be the one controlling the traffic. The "security-level" will no longer have any effect on the traffic between different interfaces. This is why it's important that we in the above ACL first allowed the DNS traffic and then blocked ALL traffic to the INSIDE.
If we were to only configure the rules to allow DNS and then allowed traffic with "any" destination IP address THEN we would essentially be allowing ALL traffic to the INSIDE network too. So now that we have a "deny" statement in between blocking the rest of the traffic to INSIDE we keep the operation the same (except for the DNS of course) as before we inserted the ACL in place.
If we were to presume that each interface had an ACL configured (which I use) then there are only a couple of special situations where "security-level" might play a role.
- Jouni
08-20-2013 06:54 AM
Hello, I'd like to use objects for the guest network.. So I have these in the config.
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network guest_net
subnet 0.0.0.0 0.0.0.0
object network phone_sys
subnet 0.0.0.0 0.0.0.0
Originally I tried to set these subnet objects with the correct values but then the ASA just wouldn't function correctly. And then when I added the subnets for the other VLANs I just ended up using all 0s as well, because when I tried to set them to the actual subnets' values nothing seemed to work.
I'd kind of like to do this:
access-list guestnet_in extended permit udp object guest_net object dns_primary eq domain
but I don't want to start screwing up a live router during business hours heh.
08-20-2013 07:05 AM
Hi,
Well looking only at the things you mention in your latest reply this would work in a different way than what was suggested before.
You would be allowing all DNS traffic towards any destination IP address.
The objects you mention above look like the default format the ASA might use when configuring the device with ASDM.
If you wanted to minimize NAT configurations and configure Dynamic PAT for all local networks you could simply use this configuration
nat (any,outside) after-auto source dynamic any interface
After that you wouldn't need the following
object network obj_any
nat (inside,outside) dynamic interface
object network guest_net
nat (guestnet,outside) dynamic interface
object network phone_sys
nat (phonesys,outside) dynamic interface
Do notice that using the same objects for multiple purposes might end up causing more problems depending on the size of the network. You might find yourself changing a single setting and affecting a lot of things. This is why I personally prefer using own objects for ACL and NAT separately to avoid problems.
- Jouni