ASA access rule relative to port forwarding

Dr.X
Level 2

hi all,

just a simple question

assume I have    inside==ASA====outside========internet

assume the outside public IP is x.x.x.x

assume I made a port forward on the outside interface,

assume my LAN is 10.10.10.0/24

assume that to reach my server 10.10.10.2 I need to go to x.x.x.x:5050

the question is about the access rule that needs to allow the outside traffic that comes inside.

why do I need to allow destination IP 10.10.10.2 in the access rule???

shouldn't we allow the access to x.x.x.x:5050 instead???

question again,

why do we need an access rule that allows traffic entering from outside to inside, and don't need a rule to allow traffic entering the outside IP itself?

regards


Julio Carvajal
VIP Alumni

Hello,

Well, the thing is that after 8.3 the way the ASA processes packets is different.

NAT is checked before the ACL for inbound packets.

So the packet gets un-translated first and then the ASA checks the ACL.

Before 8.3 it was backwards: NAT first and ACL then.

Clear enough?

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
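To make that ordering concrete for the port forward in the original question, here is an added configuration example; it is not taken from the thread or from either poster. It assumes the server also listens on TCP 5050, that x.x.x.x is the address of the outside interface, and that the interface names (inside, outside), the object name SRV-WEB and the ACL name OUTSIDE_IN are placeholders.

```text
! --- ASA 8.3 and later: NAT is evaluated before the inbound ACL ---
! Real host behind the port forward (address from the thread; object name assumed)
object network SRV-WEB
 host 10.10.10.2
 ! Map outside-interface-IP:5050 to 10.10.10.2:5050 (server port assumed to be 5050)
 nat (inside,outside) static interface service tcp 5050 5050
!
! The inbound ACL must reference the REAL (un-translated) address:
! by the time the ACL is checked the packet is already destined to 10.10.10.2.
! A rule written for x.x.x.x:5050 would never match on 8.3+.
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.2 eq 5050
access-group OUTSIDE_IN in interface outside
!
! --- Pre-8.3 equivalent, for contrast (ACL matches the mapped address) ---
! static (inside,outside) tcp interface 5050 10.10.10.2 5050 netmask 255.255.255.255
! access-list OUTSIDE_IN extended permit tcp any interface outside eq 5050
! access-group OUTSIDE_IN in interface outside
!
! Check: packet-tracer walks the same NAT-then-ACL phases and names the phase that
! dropped the packet (198.51.100.7 is a constructed client address; replace x.x.x.x)
! packet-tracer input outside tcp 198.51.100.7 40000 x.x.x.x 5050
```

Running packet-tracer against both forms of the ACL is the quickest way to see the difference: on 8.3+ the rule on the real address shows an ACCESS-LIST ALLOW phase, while the rule on the mapped address ends in a drop. `show nat` and `show access-list` confirm the hit counters afterwards.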

well,

you gave me 90% of the answer

but still 10%

you said NAT first, then the ACL verification,

now I understand it,

but,

what about the traffic going just to the outside interface??

what about traffic that pings the outside interface??

why does it succeed???

I tested it and there is no ACL that allows traffic to the outside interface itself, yet I find it allowing it???!!!!!!!!

there must be something I still need to understand

how does that happen?

From In to Out.

Well, traffic from in to out goes from higher to lower, so there is no need for an ACL.

"what about traffic that pings the outside interface??"

Traffic generated from the ASA is not filtered by an ACL.


hi,

I mean that I can ping the interface IP of the outside from the internet,

not making a ping from the ASA itself

regards

Hello,

Well, that traffic does not go through the firewall, so the statements I made are not taken into consideration.

Access to the ASA is enabled by default for ICMP.

You can disable it with an ACL or with the global ICMP command.


why?

why doesn't that traffic go through the firewall ACL??

it's entering the outside interface?!!!!!!!!!!!!!!!!!!!!

Hello,

Please be a little more clear about the traffic in place.

Where is it being initiated and where is it going?

Try to use a diagram, because in my last message I was thinking about traffic from an internet user destined to the outside interface IP address.


====INSIDE-------ASA---------OUTSIDE-=====

assume I enabled http and https on the outside interface

why can I access the https web page of the ASA without an ACL allowing traffic entering the outside interface??????

why is ping entering the outside interface allowed???

outside has security level 0, why can we access it??

my question here is clear, I'm not talking about traffic from out to in,

I'm talking about traffic from out that just goes to the outside interface itself

regards

Access to the ASA is filtered by different mechanisms such as:

the http command, SSH command, Telnet command, icmp command.

No need for an ACL, as traffic will reach the outside interface but, before getting to the ASA processor, will get dropped.

Again, you are talking about traffic TO the firewall, not THROUGH the firewall, as the packets are not going to the inside. Those checks are done on the outside interface.


so,

in summary

by default,

the ASA will allow access to any interface, as that traffic is going to the interface itself (not from one zone to another)

this rule is not matched by the implicit deny in the ASA.

again, here I'm talking about the default behaviour.

so

it will not run through the firewall, but we can deny that by adding an ACL to the interface.

that's why we can access the firewall interface of the ASA from outside and can ping it

please correct me if there is something wrong

Well, just ICMP, and denying via ACL is not possible (use icmp deny any outside).

Any other traffic is blocked!

You cannot SSH to the ASA if the firewall is not configured for it.

If you are looking for ASA Training contact me at jcarvaja@laguiadelnetworking.com


Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

hi.

ICMP is fine, because I assumed it is like a new router: when I ping a new router it replies, but the new router needs to be configured so that it supports http, telnet, ssh.

did you mean that??

or

rather than the above, you need to play with access rules and make an ACL on the outside that allows traffic from the internet to the outside interface that requests (telnet or http or ssh)?

"You cannot SSH to the ASA if the firewall is not configured for it."

you mean that I need to edit access rules for ASA access / ASDM??

What do you mean by the new router?

For SSH, Telnet, HTTPS access you need to configure the access via the commands

http server enable

http 0 0 inside

ssh 0 0 inside

telnet 0 0 inside

Those are examples.

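As an added example of the to-the-box controls discussed above (restricting who may reach the ASA's own interfaces, which the interface ACL does not govern), here is a configuration that is not from the thread or from either poster. It keeps the LAN 10.10.10.0/24 from the original question; the interface names, the administrator address 203.0.113.10 (a documentation-range placeholder) and the decision to permit ICMP only from that host are assumptions.

```text
! To-the-box access is controlled by the http/ssh/telnet/icmp commands, not by
! the access-group applied to the interface. By default ICMP echo to an interface
! is answered, while HTTP, SSH and Telnet are closed until explicitly enabled.
!
! Management from the inside LAN only (tighter than the 0 0 "any" examples)
http server enable
http 10.10.10.0 255.255.255.0 inside
ssh 10.10.10.0 255.255.255.0 inside
!
! If remote management over the outside interface is required, limit it to one
! known administrator address instead of opening it to the internet
ssh 203.0.113.10 255.255.255.255 outside
http 203.0.113.10 255.255.255.255 outside
!
! Stop the ASA answering ping on the outside interface, except from that host.
! The ICMP control list is processed in order; the closing deny makes the
! intent explicit rather than relying on default handling.
icmp permit host 203.0.113.10 echo outside
icmp deny any outside
!
! Telnet is intentionally left unconfigured; the ASA does not accept Telnet
! on its lowest-security interface in any case.
!
! Verify what is actually in effect:
! show running-config http
! show running-config ssh
! show running-config icmp
```

The point of listing the three `show running-config` commands is that these lines, not the ACL hit counters, are where an auditor should look when asking "who can reach the firewall itself": an empty `ssh`/`http` list on the outside interface means those services are closed there regardless of what the interface ACL permits.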

yes,

I agree with you

but I don't need an access list to allow traffic entering the public IP for telnet, ssh, etc.

that's what I mean

regards