nat exempt and intervlan routing scenario in cisco ASA

sinyong.you
Level 1

Hi, I am new to Cisco ASA. I have done some study on Cisco ASA recently and try to understand how it works.

 

The network diagram above shows the network architecture in my company (attachment). Both FWs (5520, version 8.0) are configured with nat-control and same-security-traffic permit inter-interface. I would like to ping from Device A to Device B (10.10.105.244 > 10.10.70.70/24).

 

At FW 02, I added an inbound ACL (10.10.105.0/24 > 10.10.70.0/24) due to the difference in security level between the ingress and egress interfaces (SL 50 < SL 100). For the return traffic (10.10.70.0/24 > 10.10.105.0/24), I only need to add a NAT exempt rule, as I have configured same-security-traffic permit inter-interface. Is my understanding correct?

 

At FW 01, I need to add an inbound ACL (10.10.70.0/24 > 10.10.105.244). Without the rule, my ping will be unsuccessful. Can I know why I need to add this inbound rule since same-security-traffic permit inter-interface is configured at FW 01? Can I know why I do not need to nat exempt the traffic (10.10.105.0/24 > 10.10.70.0/24)?  

 

Sorry for lengthy explanation. I hope to get clarification and to ensure my understanding is correct.

 

Thanks all for the comments. Have a great day :)

Accepted Solution

Adeolu Owokade
Level 1

Hi,

For your first question: "Can I know why I need to add this inbound rule since same-security-traffic permit inter-interface is configured at FW 01?"

It probably has to do with ICMP inspection. By default, ICMP traffic is not inspected by the ASA so the return traffic from Device B to Device A will be dropped at FW 01. One way is to enable ICMP inspection by adding it to the default MPF configuration on the ASA.

For your second question: "Can I know why I do not need to nat exempt the traffic (10.10.105.0/24 > 10.10.70.0/24)?"

NAT-control does not affect same security interfaces i.e. same security interfaces can communicate without NAT even if NAT-control is turned on (with some exceptions). Refer to this link for further information.


Hi Adeolu,

Thank you for helping to clarify. It helps a lot :) .

Anyway, for the 1st question, you mentioned the ICMP inspection. If I am not mistaken, the ICMP inspection is enabled in the form of a policy-map and applied to the nameif interface using service-policy, am I correct? Without the ICMP inspection, we need to apply the inbound ACL to allow the ICMP traffic. Is this what you suggest?

I re-checked the configuration. I wonder whether this config has anything to do with the 1st question. The inbound ACL is applied at the nameif UCS interface.

icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.10.105.0 255.255.255.0 VPN
icmp deny any VPN
icmp permit any UCS

## nameif VPN interface = 10.10.105.254
## nameif UCS interface = 10.10.69.1

Thank you and have a great day.

 

For your 1st clarification, yes you are right. However, rather than applying it per interface using the service-policy, you can just apply it on the default global policy that is configured on Cisco ASAs. You can find that default here. So if you want to add ICMP inspection to the default global policy, the following command will work:

policy-map global_policy
  class inspection_default
   inspect icmp

For the 2nd question, the "icmp [permit|deny]" applies to ICMP traffic terminating on the ASA itself e.g. pinging the ASA interface. For ICMP traffic through the ASA, we use normal ACLs. More information here.
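To make the two explanations above concrete (the accepted answer's point that a lower-to-higher flow needs an inbound ACL while same-security interfaces need neither an ACL nor a NAT rule under nat-control, and this reply's point that without inspect icmp an echo-reply is judged as fresh traffic), here is an added, constructed Python model of those decisions. It is not Cisco code and does not reproduce the real ASA pipeline. Everything not stated in the thread is an assumption: FW 02's interface names (outside at SL 50, inside at SL 100), FW 01's VPN and UCS both at SL 50, and a pre-existing entry in the UCS inbound ACL that does not cover the echo-reply, which is what would make the OP's extra ACL entry (or ICMP inspection) necessary.

```python
"""Toy model of the ASA 8.0 access decisions discussed in this thread.

Constructed example for this page, not Cisco code. It models only:
  1. If an inbound ACL is applied on the ingress interface, the ACL decides
     (an explicit ACL replaces the implicit security-level rule).
  2. Otherwise: higher -> lower security level is permitted, equal levels
     need 'same-security-traffic permit inter-interface', lower -> higher
     is denied.
  3. With nat-control, traffic between interfaces of different security
     levels needs a NAT rule or exemption; same-security interfaces do not.
  4. 'inspect icmp' makes echo-reply stateful: a reply matching a recorded
     echo-request is permitted without being evaluated as new traffic.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Interface:
    nameif: str
    security_level: int
    acl_in: list = field(default_factory=list)   # [(src_net, dst_net)] permit entries


@dataclass
class ASA:
    interfaces: dict
    same_security_inter: bool = False
    nat_control: bool = False
    nat_exempt: list = field(default_factory=list)  # [(src_net, dst_net)], 'nat 0 access-list'
    inspect_icmp: bool = False
    conn_table: set = field(default_factory=set)     # (src, dst) of permitted echo-requests

    @staticmethod
    def _match(entries, src, dst):
        return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
                   for s, d in entries)

    def _nat_exempted(self, src, dst):
        # NAT exemption is bidirectional, so the OP's 70.0/24 -> 105.0/24 entry also
        # covers the 105.0/24 -> 70.0/24 request direction.
        return self._match(self.nat_exempt, src, dst) or self._match(self.nat_exempt, dst, src)

    def forward(self, ingress, egress, src, dst, icmp_type="echo-request"):
        """Return a PERMIT/DROP string with the reason, for one ICMP packet."""
        ing, egr = self.interfaces[ingress], self.interfaces[egress]
        if icmp_type == "echo-reply" and self.inspect_icmp and (dst, src) in self.conn_table:
            return "PERMIT: matched existing ICMP connection (inspect icmp)"
        if ing.acl_in:
            if not self._match(ing.acl_in, src, dst):
                return "DROP: denied by inbound ACL on " + ing.nameif
        elif ing.security_level < egr.security_level:
            return "DROP: lower to higher security level without ACL"
        elif ing.security_level == egr.security_level and not self.same_security_inter:
            return "DROP: same-security-traffic permit inter-interface not set"
        if (self.nat_control and ing.security_level != egr.security_level
                and not self._nat_exempted(src, dst)):
            return "DROP: nat-control, no translation group found"
        if icmp_type == "echo-request":
            self.conn_table.add((src, dst))
        return "PERMIT"


def make_fw01(extra_ucs_acl=(), inspect_icmp=False):
    """FW 01 as the OP describes it; the first UCS ACL entry is an assumption."""
    ucs_acl = [("10.10.69.0/24", "10.10.105.0/24")] + list(extra_ucs_acl)
    return ASA({"VPN": Interface("VPN", 50), "UCS": Interface("UCS", 50, ucs_acl)},
               same_security_inter=True, nat_control=True, inspect_icmp=inspect_icmp)


def thread_scenario():
    """Replay the ping from Device A (10.10.105.244) to Device B (10.10.70.70)."""
    a, b = "10.10.105.244", "10.10.70.70"
    results = {}
    # FW 02: assumed names outside (SL 50) / inside (SL 100), with the OP's inbound
    # ACL on the ingress side and the NAT exemption for the return path.
    fw02 = ASA({"outside": Interface("outside", 50, [("10.10.105.0/24", "10.10.70.0/24")]),
                "inside": Interface("inside", 100)},
               same_security_inter=True, nat_control=True,
               nat_exempt=[("10.10.70.0/24", "10.10.105.0/24")])
    results["fw02 request"] = fw02.forward("outside", "inside", a, b)
    results["fw02 reply"] = fw02.forward("inside", "outside", b, a, "echo-reply")
    # FW 01 three ways: as posted, with the OP's inbound ACL, with inspect icmp.
    for label, fw01 in [("as posted", make_fw01()),
                        ("with OP's inbound ACL", make_fw01([("10.10.70.0/24", "10.10.105.244/32")])),
                        ("with inspect icmp", make_fw01(inspect_icmp=True))]:
        results["fw01 request " + label] = fw01.forward("VPN", "UCS", a, b)
        results["fw01 reply " + label] = fw01.forward("UCS", "VPN", b, a, "echo-reply")
    # Contrast: with different levels on FW 01, nat-control would also demand a
    # translation even though the ACL permits the flow.
    fw_diff = ASA({"VPN": Interface("VPN", 50, [("10.10.105.0/24", "10.10.70.0/24")]),
                   "UCS": Interface("UCS", 100)}, nat_control=True)
    results["fw01 request if levels differed"] = fw_diff.forward("VPN", "UCS", a, b)
    return results


if __name__ == "__main__":
    for step, verdict in thread_scenario().items():
        print(f"{step:40s} {verdict}")
```

Running it shows the request passing both firewalls and the reply passing FW 02 on the NAT exemption alone, while at FW 01 the reply is dropped by the assumed UCS ACL until either the OP's ACL entry or inspect icmp is added; the last line shows why same-security interfaces spare the OP a NAT rule.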

Hi Adeolu,

Thanks a lot for helping to answer my question. 

Have a great day.

 
