10-09-2012 05:56 AM - edited 03-11-2019 05:06 PM
Hi All,
Below is the set-up. We're planning to implement the second firewall portion, which will connect to the ASA on the ASA's LAN interface.
internet == ASA == firewall 2 == LAN / Application servers
ASA interface configuration:-
int e0/0 (outside) - connected to internet, 202.95.64.21
int e0/1 (inside) - connected to single server, 192.168.0.2 /24
int e0/2 (transit) - configured for connecting the second firewall, 192.168.1.11 /24
int e0/2 will connect to the second firewall. Second firewall will have ip 192.168.1.12 on its outside interface facing ASA.
Now, following are the requirements for server access:-
1. Outbound - Server 10.58.82.10 connected in the LAN needs to access an internet destination 203.12.12.12 for an ftp service
But this destination 203.12.12.12 only recognises request from ip 202.95.64.27 ( which is an ip from our internet subnet )
2. Inbound - Destination 203.12.12.12 access to 10.58.82.12 for sql service on port 1510
3. Outbound - Server 10.58.82.21 connected in LAN needs to access internet destination 203.11.11.11 for an http service
( there is no restriction on the public ip it uses for this need )
Queries:-
1. int e0/2 is only created as an interface to connect the ASA to the second firewall. Will this work fine?
2. We'll be using static statements: static (transit,outside) 203.12.12.12 10.58.82.10 to get requirement 1 working. Is this correct?
3. for requirement 2, how should it be configured?
4. how should requirement 3 be configured?
ASA will have a route for lan 10.58.x.x network on the transit interface to 192.16.1.12 and second firewall will have default route to 192.168.1.11.
Will this work well for my requirement? Please suggest with inputs.
Thanks in advance.
10-09-2012 06:30 AM
1. Yes, that is not a problem. You can configure e0/2 as a transit interface to the second firewall.
2. For requirement one, yes, you are correct if the server also accesses other destination IP addresses with the same NATed address, but your static NAT statement has an incorrect IP address.
It should be:
static (transit,outside) 202.95.64.27 10.58.82.10 netmask 255.255.255.255
Or you can configure NAT/global pair as well if that server only requires outbound access, not both:
access-list nat1 permit ip host 10.58.82.10 host 203.12.12.12
nat (transit) 10 access-list nat1
global (outside) 10 202.95.64.27 255.255.255.255
3. For requirement two, what public IP address do you want to use for the NAT? You can either use a spare if you like:
static (transit,outside) 202.95.64.2x 10.58.82.12 netmask 255.255.255.255
Then you would need to have an ACL configured on the outside interface to permit the traffic:
access-list
OR/ alternatively, you can also use the ASA outside interface IP:
static (transit,outside) tcp interface 1510 10.58.82.12 1510 netmask 255.255.255.255
And the ACL:
access-list
4. For requirement three, you can just use the existing global that you already have configured on the ASA and configure a generic NAT statement for the whole 10.58.82.0/24 subnet:
nat (transit)
OR/ if you want to be more specific then:
nat (transit)
Hope the above helps.
10-09-2012 08:18 PM
Thank you. Do we need to configure any access list or anything for the transit interface, based on the requirements above, for the flow?
Transit interface has security level 90, outside has 1 and inside is 100 currently.
thanks in advance!
10-09-2012 09:47 PM
If you haven't configured any ACL on transit interface, then NO, you don't need any ACL.
But if you already have an existing ACL then yes, you would need to add ACL on transit interface for outbound access.
For requirement 1:
access-list
For requirement 3:
access-list
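Pulling the answer above and this transit-ACL reply together, here is an added example of the complete pre-8.3 ASA configuration for the three requirements (this is not the thread's own config). It assumes 202.95.64.28 as the spare public IP standing in for "202.95.64.2x", the ACL names outside_in and transit_in, and global id 1 as the existing global.

```cisco
! Added example: pre-8.3 ASA syntax matching the static/nat/global commands in the thread.
! Assumed values: 202.95.64.28 (spare public IP), ACL names outside_in / transit_in, global id 1.

! Route the LAN behind firewall 2 via the transit interface
route transit 10.58.0.0 255.255.0.0 192.168.1.12

! Requirement 1: fixed public identity 202.95.64.27 for 10.58.82.10 (works both directions)
static (transit,outside) 202.95.64.27 10.58.82.10 netmask 255.255.255.255

! Requirement 2: publish 10.58.82.12 on the spare public IP, one port only
static (transit,outside) tcp 202.95.64.28 1510 10.58.82.12 1510 netmask 255.255.255.255

! Requirement 3: dynamic PAT for the rest of the subnet behind the existing global
nat (transit) 1 10.58.82.0 255.255.255.0
global (outside) 1 interface

! Inbound ACL on outside: a static alone opens nothing from a lower-security
! interface; the ACL does, so scope it to the single peer and single port.
! Pre-8.3 ACLs match on the translated (public) address.
access-list outside_in extended permit tcp host 203.12.12.12 host 202.95.64.28 eq 1510
access-group outside_in in interface outside

! Only needed if transit already carries an ACL (an applied ACL ends in an implicit deny)
access-list transit_in extended permit tcp host 10.58.82.10 host 203.12.12.12 eq ftp
access-list transit_in extended permit tcp host 10.58.82.21 host 203.11.11.11 eq www
access-group transit_in in interface transit
```

With no ACL applied on transit, its security level of 90 already allows the outbound flows to outside (level 1), so the transit_in lines are only required once an ACL exists there.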
10-18-2012 07:02 PM
Thanks Jennifer.
We tested this traffic.
The http service outbound from 10.58.82.21 to 203.11.11.11 is accessible & fine
However, the outbound from 10.58.82.10 to 203.12.12.12 on FTP service is not working fine.
I can see the traffic reaching the ASA based on the topology. The flags show me as saA in the connection table.
Since, at destination 203.12.12.12, it will only recognise requests coming from 202.95.64.27, the static configuration below was put: static (transit,outside) 202.95.64.27 10.58.82.10 netmask 255.255.255.255
Even after this, the traffic for 203.12.12.12 is not working via the ASA. The service on that destination is active, as we have verified this without the ASA.
Please help. Thanks.
10-19-2012 05:19 AM
saA flag means that it is waiting for SYN-ACK from the outside host (server).
You can run packet tracer to see if it's passing through the ASA fine. I would check with the end host to see if it is seeing the SYN packet, or if it's responding at all.
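As an added illustration of the check suggested above (not commands from the thread), this traces the failing FTP control connection through the ASA and then inspects the translation and the half-open connection. The source port 40000 is an arbitrary ephemeral port chosen for the test.

```cisco
! Added example: verify the 10.58.82.10 -> 203.12.12.12 FTP flow on the ASA.
! 40000 is an arbitrary client port assumed for the trace.
packet-tracer input transit tcp 10.58.82.10 40000 203.12.12.12 21 detailed
! Expect the NAT phase to show 10.58.82.10 translated to 202.95.64.27 and a final
! result of "allow"; a "drop" names the phase (ACL, NAT, route) that rejected it.

! Confirm the translation actually in use for the server
show xlate | include 10.58.82.10

! Confirm the connection state; saA means the SYN was forwarded and no SYN-ACK returned
show conn address 10.58.82.10 detail
```

If the trace allows the packet, the SYN has left the ASA with source 202.95.64.27, and the question moves to whether the peer sees it and whether its reply for 202.95.64.27 returns to the ASA's outside interface.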