Tricky ACL issue

Leon Khanan
Level 1

Hi Guys,

Facing an issue here and need some expert know-how....

I have several interfaces on my ASA that is also connected with S2S to the HQ office...

I have 3 /24 subnets heavily subnetted in between interfaces and have a collapsed core as well, so anything other than playing with ACLs is out of the question.

So the subnet in question is attached to one of the ASA's interfaces (nameif: public_NAT) and has a 10.y.x.z/29 address (private); I have 3 servers on it. I use static 1-1 NAT to each server from the external range that I have with my ISP (can't route it in as ISP is being ...@#$@D#F).

Now the requirement I have is to allow access to all 3 servers but only by using their external globally routed NATs, and block any access to their private IP addresses.

Question is: can I use an "outbound" ACL on the public_NAT interface saying - deny ip any to private IP addresses of the servers inside that subnet,

and then allow on other interfaces to the external IPs residing on the WAN interface of the firewall?

Also, with S2S, if that subnet is a part of a larger encryption domain, will my only choice be to remove that /29 subnet from the encr. domain ACL?

2 Replies

svaish
Level 1

As I understand

Server---------ASA-------------Internet-------------------user

If you have NAT-control enabled on the ASA, it needs a NAT configured for the inside server to be accessible from outside.

If the private IP is 1.1.1.1 and public IP is 10.10.10.10 and you have the following configuration:

static (inside,outside) 10.10.10.10 1.1.1.1 netmask 255.255.255.255

access-list outside permit ip any host 10.10.10.10

access-group outside in interface outside

With the above configuration, users can access the server only on the public IP address on outside and will not be able to access the private IP address at all. This is the default behavior of the ASA.

You do not need any other outbound ACL on the outside interface.

Sachin

Hmm, I thought on new ASAs above 8.3 NAT comes first... and if so then the ACL on the outside won't see the external IP...

Also, how will that make my LAN users use the external IP addresses and not just inter-VLAN?
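The two NAT syntaxes the thread is talking past each other on, side by side, as an added example that is not part of any post above. The pre-8.3 lines repeat the reply's config; the 8.3+ block uses the asker's nameif public_NAT with constructed addresses (real host 10.1.2.2 for the /29, mapped 203.0.113.10, object name srv1, ACL name outside_in are all assumed):

```cisco
! Pre-8.3 form (as in the reply above): the interface ACL matches the MAPPED address
static (inside,outside) 10.10.10.10 1.1.1.1 netmask 255.255.255.255
access-list outside permit ip any host 10.10.10.10
access-group outside in interface outside

! 8.3+ equivalent using object NAT (constructed values, see lead-in)
! NAT is applied before the interface ACL, so the ACL matches the REAL address
object network srv1
 host 10.1.2.2
 nat (public_NAT,outside) static 203.0.113.10
access-list outside_in extended permit tcp any object srv1 eq 443
access-group outside_in in interface outside
```

Because 8.3+ access rules are written against real addresses on every interface, a deny for the servers' private /29 on public_NAT would also match traffic that arrived via the mapped 203.0.113.x addresses, so the private/mapped split has to be done with NAT rules rather than with that ACL.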
