02-27-2012 01:54 PM - edited 03-11-2019 03:35 PM
Hi Guys,
Facing an issue here and need some expert know-how...
I have several interfaces on my ASA, which is also connected with S2S to the HQ office...
I have 3 /24 subnets heavily subnetted in between interfaces and have a collapsed core as well, so anything other than playing with ACLs is out of the question.
So the subnet in question is attached to one of the ASA's interfaces (nameif: public_NAT) and has a 10.y.x.z/29 address (private); I have 3 servers on it. I use static 1-to-1 NAT to each server from the external range that I have with my ISP (can't route it in as the ISP is being ...@#$@D#F).
Now the requirement I have is to allow access to all 3 servers, but only by using their external globally routed NATs, and to block any access to their private IP addresses.
Question is: can I use an "outbound" ACL on the public_NAT interface saying: deny ip any to the private IP addresses of the servers inside that subnet,
and then allow on other interfaces to the external IPs residing on the WAN interface of the firewall?
Also, with S2S, if that subnet is part of a larger encryption domain, will my only choice be to remove that /29 subnet from the encryption domain ACL?
03-07-2012 12:26 AM
As I understand:
Server---------ASA-------------Internet-------------------user
If you have NAT-control enabled on the ASA, it needs a NAT configured for the inside server to be accessible from outside.
If the private IP is 1.1.1.1 and the public IP is 10.10.10.10 and you have the following configuration:
static (inside,outside) 10.10.10.10 1.1.1.1 netmask 255.255.255.255
access-list outside permit ip any host 10.10.10.10
access-group outside in interface outside
With the above configuration, users can access the server only on the public IP address on outside and will not be able to access the private IP address at all. This is the default behavior of the ASA.
You do not need any other outbound ACL on the outside interface.
Sachin
03-07-2012 07:32 AM
Hmm, I thought on new ASAs above 8.3 NAT comes first... and if so, then the ACL on the outside won't see the external IP...
Also, how will that make my LAN users use the external IP addresses and not just inter-VLAN?
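As an added example (not configuration posted by either participant), here is the ASA 8.3+ form of the same static/ACL pair from the earlier reply, written the way the newer NAT order requires. It reuses the thread's sample addresses (1.1.1.1 real, 10.10.10.10 mapped); the interface names public_NAT and outside, the object name, the TCP/443 restriction and the 203.0.113.5 tester address are assumptions for illustration.

```cisco
! ASA 8.3+ object NAT: the real host 1.1.1.1 is presented as 10.10.10.10
! toward "outside". Interface names and object name are assumed.
object network SRV1_REAL
 host 1.1.1.1
 nat (public_NAT,outside) static 10.10.10.10
!
! On 8.3+ the ASA un-NATs the destination BEFORE the interface ACL is
! evaluated, so the outside ACL must reference the REAL address (via the
! object), not the mapped 10.10.10.10. An entry for "host 10.10.10.10"
! would never match here.
access-list outside_in extended permit tcp any object SRV1_REAL eq 443
access-group outside_in in interface outside
!
! Verification: simulate a packet from a constructed Internet address
! (203.0.113.5) to the MAPPED address, i.e. what actually arrives on the
! wire. The trace should show the UN-NAT phase first, then the ACL
! matching on 1.1.1.1, and finish with "Action: allow".
packet-tracer input outside tcp 203.0.113.5 12345 10.10.10.10 443
```

The practical consequence for the question in this thread: because the interface ACL on 8.3+ is checked against real addresses, an ACL alone cannot distinguish a session that arrived via the mapped address from one addressed directly to the private address once un-NAT has happened; what decides which addresses are reachable from a given interface pair is the NAT rule set, so the ACL and the NAT rules have to be designed together rather than relying on the pre-8.3 behaviour described in the earlier reply.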