Allowing Traffic through ASA without NAT

mcast999
Level 1

[Screenshot 2025-02-04 102246.png]

Hi!

I have around 20 local networks. I'm posting a basic topology with only 4 networks. Each server represents a network.
Everything internally is working fine. Nothing will be going out to the internet. This is all in-house. Now there is a
client that needs to access these networks. We only want to allow a certain network, "10.0.0.0", on the client side to access the internal networks.
So we added a firewall between the client and our network. We will also need to access networks on the client end.

Question is do I need NAT for this? And how do I configure the ASA to allow Outbound traffic into our networks?


15 Replies

@mcast999 no you don't need NAT assuming each network can route to each other (either statics or routing). If there are no other NAT rules on the ASA then you don't need to configure anything, traffic would just be routed. However if you do have other NAT rules, you may need to configure a NAT exemption rule, to ensure this traffic is not unintentionally translated.

You would need to configure an ACL inbound on the outside interface to communicate with the internal networks.

I put:

access-list OUT-IN extended permit ip 10.0.0.0 255.255.255.0 any

int g0/0 (outside int)

access-group OUT-IN in interface outside

Cannot ping.

I am inspecting ICMP.

@mcast999 run packet-tracer and provide the output, example:-

"packet-tracer input outside tcp 10.0.0.10 3000 10.1.1.11 80"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.0.0.2 using egress ifc  inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: EXTERNAL
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

@mcast999 re-run the packet-tracer but append "detailed" at the end and provide the full output (including the command you run) - ensure you don't use an IP address of the ASA itself, it can be any IP.

packet-tracer input EXTERNAL tcp 100.1.1.1 30000 151.11.201.1 80 detail

100.1.1.1 is the external client router. 151.11.201.1 is any random IP. EXTERNAL is the nameif of the interface connected to the external client. I have never used packet-tracer before, so I apologize.


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fef8f6304b0, priority=1, domain=permit, deny=false
        hits=48, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=EXTERNAL, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.0.0.2 using egress ifc  inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fef8ec60ea0, priority=501, domain=permit, deny=true
        hits=2, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=100.1.1.1, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=EXTERNAL, output_ifc=any

Result:
input-interface: EXTERNAL
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
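The output above can be read by hand, but with around 20 networks to test it helps to pull out the phase that dropped the packet and the rule id it matched. The following Python is an added example written for this thread, not code from any of the posts or from Cisco. The sample text is the detailed packet-tracer output posted just above, abridged to the lines the parser needs. It splits the output into phases and reports the first DROP phase together with the trailing Drop-reason.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The detailed packet-tracer output posted earlier in this thread, abridged
# (the MAC-address lines of phase 1 are dropped; nothing else is changed).
SAMPLE_OUTPUT = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fef8f6304b0, priority=1, domain=permit, deny=false
        input_ifc=EXTERNAL, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.0.0.2 using egress ifc  inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fef8ec60ea0, priority=501, domain=permit, deny=true
        src ip/id=100.1.1.1, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=EXTERNAL, output_ifc=any

Result:
input-interface: EXTERNAL
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str
    config: str                                    # "Implicit Rule" or the matching ACE text
    info: List[str] = field(default_factory=list)  # lines under "Additional Information:"


@dataclass
class Report:
    phases: List[Phase]
    summary: Dict[str, str]   # the trailing "Result:" block as key/value pairs


def _split_kv(line: str):
    key, _, value = line.partition(":")
    return key.strip(), value.strip()


def parse_packet_tracer(text: str) -> Report:
    """Split the output on blank lines: each 'Phase: N' block becomes a Phase,
    the final 'Result:' block becomes the summary dictionary."""
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head_key, head_val = _split_kv(lines[0])
        if head_key == "Phase":
            fields = {"Type": "", "Subtype": "", "Result": "", "Config": ""}
            info: List[str] = []
            section = None
            for line in lines[1:]:
                key, val = _split_kv(line)
                indented = line.startswith(" ")
                if key in fields and not indented:
                    fields[key] = val
                    section = key
                elif key == "Additional Information" and not indented:
                    section = "info"
                elif section == "Config":
                    # "Config:" is followed by the rule text on its own line(s)
                    fields["Config"] = (fields["Config"] + " " + line.strip()).strip()
                elif section == "info":
                    info.append(line.strip())
            phases.append(Phase(int(head_val), fields["Type"], fields["Subtype"],
                                fields["Result"], fields["Config"], info))
        elif head_key == "Result":
            for line in lines[1:]:
                key, val = _split_kv(line)
                summary[key] = val
    return Report(phases, summary)


def first_drop(report: Report) -> Optional[Dict[str, Optional[str]]]:
    """Return the first phase whose Result is DROP, with the rule id it matched,
    or None when no phase dropped the flow."""
    for ph in report.phases:
        if ph.result.upper() != "DROP":
            continue
        rule = re.search(r"\bid=(0x[0-9a-fA-F]+)", " ".join(ph.info))
        return {
            "phase": str(ph.number),
            "type": ph.type,
            "config": ph.config,
            "rule_id": rule.group(1) if rule else None,
            "drop_reason": report.summary.get("Drop-reason"),
        }
    return None


if __name__ == "__main__":
    print(first_drop(parse_packet_tracer(SAMPLE_OUTPUT)))
```

For the posted run this reports phase 3, type ACCESS-LIST, config "Implicit Rule", rule id 0x7fef8ec60ea0: the flow never matched a permit entry on the EXTERNAL interface, so the implicit deny at the end of the ACL fired.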

@mcast999 this is different to what was described in your initial post.

Is this a production firewall that is already in use? Or a new implementation?

Please provide your configuration.

Rob thank you so much for your help. I got it working now. My access lists were wrong.

Hello @mcast999 

You'll need to create an ACL
#access-list OUTBOUND_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0 (you can edit the subnets for your case)

Apply ACL to the ASA Interface
#access-group OUTBOUND_ACL in interface outside

Configure Routing
#route inside 192.168.0.0 255.255.0.0 <next-hop-IP> / You can edit the IPs

Allow Traffic from Internal Networks to Client
#access-list INBOUND_ACL extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0

#access-group INBOUND_ACL in interface inside

Thanks !
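As an added example (not from the answer above or from Cisco), here is a small Python model of how the ASA evaluates these inbound ACLs: entries are checked in order, the first match wins, and anything not matched hits the implicit deny at the end of the list. The sample config is the accepted solution's commands; the interface names `outside` and `inside` and the flows tested, including the 100.1.1.1 to 151.11.201.1 flow from the packet-tracer run, come from this thread. It handles protocol-level ACEs only (no port operators or object-groups), and when no ACL is bound to the interface it reports that instead of modelling the security-level defaults.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# ASA lines understood here: protocol-only extended ACEs and access-group bindings.
# Port operators (eq/range), object-groups and 'out' direction are out of scope.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")

# The commands from the accepted solution in this thread, assembled as the sample config.
ACCEPTED_SOLUTION = """
#access-list OUTBOUND_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
#access-group OUTBOUND_ACL in interface outside
#route inside 192.168.0.0 255.255.0.0 <next-hop-IP>
#access-list INBOUND_ACL extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0
#access-group INBOUND_ACL in interface inside
"""


class Ace(NamedTuple):
    action: str
    protocol: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ASA address spec from the token list: any | host A | A MASK."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts the "address/netmask" form the ASA uses
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


class Policy:
    def __init__(self) -> None:
        self.acls: Dict[str, List[Ace]] = {}
        self.bindings: Dict[Tuple[str, str], str] = {}  # (interface, direction) -> ACL name

    def load(self, config: str) -> None:
        for raw in config.splitlines():
            line = raw.strip().lstrip("#").strip()  # drop the '#' prompt used in the thread
            m = ACE_RE.match(line)
            if m:
                name, action, proto, rest = m.groups()
                src, rest_tokens = _take_address(rest.split())
                dst, _ = _take_address(rest_tokens)
                self.acls.setdefault(name, []).append(Ace(action, proto, src, dst))
                continue
            m = GROUP_RE.match(line)
            if m:
                name, direction, ifc = m.groups()
                self.bindings[(ifc, direction)] = name

    def evaluate(self, ingress_ifc: str, src: str, dst: str,
                 protocol: str = "ip") -> Tuple[str, Optional[str], Optional[int]]:
        """First-match evaluation of the inbound ACL on ingress_ifc.
        Returns (verdict, acl_name, 1-based ACE index); an index of None means
        the implicit deny at the end of the ACL fired."""
        name = self.bindings.get((ingress_ifc, "in"))
        if name is None:
            # No ACL bound: the ASA falls back to security-level rules, not modelled here.
            return "no-acl", None, None
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for i, ace in enumerate(self.acls.get(name, []), start=1):
            proto_ok = ace.protocol == "ip" or ace.protocol == protocol
            if proto_ok and s in ace.src and d in ace.dst:
                return ace.action, name, i
        return "deny", name, None


if __name__ == "__main__":
    policy = Policy()
    policy.load(ACCEPTED_SOLUTION)
    # client network to an internal host: permitted by OUTBOUND_ACL
    print(policy.evaluate("outside", "10.0.0.10", "192.168.1.11", "tcp"))
    # the flow from the packet-tracer run: not covered, implicit deny
    print(policy.evaluate("outside", "100.1.1.1", "151.11.201.1", "tcp"))
```

The second call reproduces the packet-tracer result above: 100.1.1.1 is not in 10.0.0.0/24, so no entry matches and the verdict is the implicit deny, which is exactly what "Flow is denied by configured rule" with "Implicit Rule" in the Config line means.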

That worked like a charm! Thank you!

So the number of ACLs I'd have to do is a lot. I was thinking, can I NAT the outside interface from the ASA and allow only 10.0.0.0 to access my internal networks?

I did:

object network EXTERNAL
 subnet 10.0.0.0 255.255.255.252
object network INSIDE
 subnet 192.168.0.0 255.255.255.252
nat (EXTERNAL,INSIDE) source static EXTERNAL INSIDE

but it's not working

You're trying to translate an entire external subnet to an internal subnet, which doesn't make sense.

Try this one:

#object network EXTERNAL
subnet 10.0.0.0 255.255.255.252

#object network INSIDE
subnet 192.168.0.0 255.255.255.0

#nat (EXTERNAL,INSIDE) source static EXTERNAL EXTERNAL destination static INSIDE INSIDE

#access-list OUTSIDE_TO_INSIDE extended permit ip 10.0.0.0 255.255.255.252 192.168.0.0 255.255.255.0
#access-group OUTSIDE_TO_INSIDE in interface EXTERNAL

Thanks!

Tried your config and it didn't work.

I'm using a loopback interface on the external client to ping my inside networks. In Wireshark the loopback address doesn't change to my inside address.
