10-21-2009 11:59 AM - edited 03-11-2019 09:29 AM
Hello, new to ASA,
trying to understand how to allow traffic for a specific host from the LAN to the outside.
My needs:
* Desktop 192.168.3.80, which needs TCP port 999 to download an international newspaper using a secured application.
* Desktop 192.168.3.88, which gets stock updates; I don't know what ports it needs, or how and what to allow.
* Finance desktop 192.168.5.7, which needs to send traffic outside on port 6919 to get bank updates using a customized application.
My ASA is in production, so I'm scared to fiddle with it :-)
My ASA configuration:
hostname JT-ASA
domain-name JTI.com
interface Ethernet0
description ISP
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 195.73.42.10 255.255.255.224
interface Ethernet1
description LAN
speed 100
duplex full
nameif INSIDE
security-level 100
ip address 192.168.1.100 255.255.255.0
access-list ACL_OUT2IN extended permit tcp any host 195.73.42.15 eq smtp
access-list ACL_OUT2IN extended permit tcp any host 195.73.42.16 eq https
access-list ACL_IN2OUT extended permit tcp any host 192.168.2.25 eq smtp
access-list ACL_IN2OUT extended permit tcp any host 192.168.2.26 eq https
global (OUTSIDE) 2 interface
nat (INSIDE) 2 192.168.2.5 255.255.255.255
static (INSIDE,OUTSIDE) 195.73.42.15 192.168.2.25 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 195.73.42.16 192.168.2.26 netmask 255.255.255.255
access-group ACL_OUT2IN in interface OUTSIDE
access-group ACL_IN2OUT in interface INSIDE
router ospf 2
network 192.168.1.0 255.255.255.0 area 0
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
10-21-2009 12:10 PM
Joe
You will need to add lines to ACL_IN2OUT, which is applied to your inside interface, i.e.
access-list ACL_IN2OUT extended permit tcp host 192.168.3.80 host
access-list ACL_IN2OUT extended permit tcp host 192.168.5.7 host
As for the one you don't know the ports on -
access-list ACL_IN2OUT extended permit ip host 192.168.3.88 host
That is very open, but you could temporarily log the matches for that line and work out what ports are being used.
You will also have to NAT the internal IPs as they go out to the Internet, i.e.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
That will NAT all inside addresses to the IP address on your outside interface. If you want to, you can lock down the NAT to only the 3 internal hosts, but remember that you are limiting what is allowed outbound with your inside ACL anyway.
Jon
10-21-2009 12:28 PM
Jon, thank you very much.
But it's unclear: "How to log matches" - what does that mean?
If I do NAT and don't allow on the inside ACL it will not send traffic outside, do you mean this?
What is the difference between Static-NAT and the NAT statement you added? I am totally confused on this?????
10-21-2009 12:41 PM
Joe
Logging matches just means you can log what has been allowed any time the rule within the ACL has been matched. See the ASA config guide if you need to set up logging.
"If I do NAT and don't allow on the inside ACL it will not send traffic outside, do you mean this?"
Exactly. But you could just as easily set up your NAT as
nat (inside) 1 192.168.3.80 255.255.255.255
nat (inside) 1 192.168.3.88 255.255.255.255
nat (inside) 1 192.168.5.7 255.255.255.255
global (outside) 1 interface
"What is the difference between Static-NAT and the NAT statement you added? I am totally confused on this?????"
Yes, NAT can be confusing on Cisco devices. There is a lot to know, but put simply:
static NAT is used when the connection can come from either way, e.g.
static (inside,outside) 195.17.17.1 10.10.10.1 netmask 255.255.255.255
means
1) that when the inside host with an IP of 10.10.10.1 sends traffic out to the outside of the ASA, the source address is translated from 10.10.10.1 to 195.17.17.1
and it also means
2) that when a device on the outside sends traffic to the address 195.17.17.1, this address is then changed to 10.10.10.1 and the traffic is sent to the inside host
With a static command the connection can be initiated either from the inside host to the outside or from the outside to the inside host.
With the NAT commands I supplied, if the internal devices connect to devices on the Internet then they will be translated to the outside IP address of the ASA.
BUT - if the connection is initiated from the Internet it won't work, because the ASA does not know which inside address to translate to.
Note that it is all to do with which side initiated the connection. If the inside device initiates a connection to the outside using the NAT commands I supplied, then a NAT entry is built on the firewall so the return traffic will get back to the right client.
In simpler terms - statics are used when you need to allow access both ways, access in terms of who initiates the connections.
Dynamic NAT is good for inside-to-outside connections or, more specifically, one-way initiation.
It is a bit more complex than this and there are still some exceptions to what I have written, but that is an overall general rule.
Jon
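Jon's distinction between a static (two-way, no prior flow needed) and a dynamic nat/global pair (one-way, translation entry built only when the inside host initiates) is the part newcomers most often get wrong, so here it is as a small state model. This is an added example, not code from the thread or from Cisco: it reuses the thread's addresses (the 195.73.42.15 static for the mail server, the ASA's outside address 195.73.42.10, and the three desktops) but the port numbers and the PAT port allocation are constructed, and it models only the translation step, not the ACL check that follows it.

```python
"""Static vs dynamic NAT on a pre-8.3 ASA as a small state model (added
example, not code from the thread).

A static mapping translates in both directions at any time. A dynamic
nat/global pair builds a translation entry only when the inside host
initiates, so an outside-initiated packet to the ASA's interface address
has no entry to follow and is not forwarded. Addresses come from the
thread; ports and the PAT port range are constructed.
"""


class AsaNatModel:
    def __init__(self, outside_if_ip):
        self.outside_if_ip = outside_if_ip   # 'global (outside) 1 interface'
        self.static = {}      # inside ip -> global ip   (static (inside,outside) G I)
        self.dynamic = set()  # inside ips covered by a 'nat (inside) 1 ...' line
        self.xlate = {}       # (global ip, global port) -> (inside ip, inside port)
        self._next_pat_port = 1024   # constructed starting port for PAT

    def add_static(self, global_ip, inside_ip):
        """static (inside,outside) <global_ip> <inside_ip> netmask 255.255.255.255"""
        self.static[inside_ip] = global_ip

    def add_dynamic_host(self, inside_ip):
        """nat (inside) 1 <inside_ip> 255.255.255.255, paired with global (outside) 1 interface"""
        self.dynamic.add(inside_ip)

    def outbound(self, inside_ip, inside_port):
        """Inside host initiates. Returns the (global ip, port) the packet leaves
        with, or None when no NAT rule covers the host."""
        if inside_ip in self.static:
            mapped = (self.static[inside_ip], inside_port)
        elif inside_ip in self.dynamic:
            mapped = (self.outside_if_ip, self._next_pat_port)
            self._next_pat_port += 1
        else:
            return None
        # The translation entry that lets return traffic find its way back.
        self.xlate[mapped] = (inside_ip, inside_port)
        return mapped

    def inbound(self, global_ip, global_port):
        """Packet arrives from the outside for a global address. Returns the
        inside (ip, port) it is forwarded to, or None when the ASA has no
        translation for it. Whether it is then allowed is the outside ACL's job."""
        if (global_ip, global_port) in self.xlate:      # reply to an inside-initiated flow
            return self.xlate[(global_ip, global_port)]
        for inside_ip, g in self.static.items():        # statics need no prior flow
            if g == global_ip:
                return inside_ip, global_port
        return None


def build_from_thread():
    """The thread's static for the mail server plus Jon's three per-host nat lines."""
    nat = AsaNatModel("195.73.42.10")
    nat.add_static("195.73.42.15", "192.168.2.25")
    for host in ("192.168.3.80", "192.168.3.88", "192.168.5.7"):
        nat.add_dynamic_host(host)
    return nat


if __name__ == "__main__":
    nat = build_from_thread()
    print("outside -> static mail server:", nat.inbound("195.73.42.15", 25))
    print("outside -> interface address, no flow yet:", nat.inbound("195.73.42.10", 999))
    leaving_as = nat.outbound("192.168.3.80", 40000)
    print("newspaper desktop leaves as:", leaving_as)
    print("reply to that flow lands on:", nat.inbound(*leaving_as))
```

The two inbound calls make the point: the mail server is reachable through its static before any traffic has left, while the same attempt against the interface address returns nothing until an inside host has opened a flow and the reply matches the entry that flow created.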
10-21-2009 01:23 PM
Thanks again Jon.
Explanation was very very clear.
Can we limit the traffic for a host from inside-to-outside and also limit it from outside-to-inside?
Limit SMTP traffic from outside-to-inside to 512KB
Limit SMTP traffic from inside-to-outside to 256Kb
10-21-2009 01:28 PM
Joe
The ASA does support QoS policies; see this guide for full details -
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/qos.html
Jon