Cisco Firewall :: ASA 5505 - Static NAT And ACLs
May 25, 2011
Currently a customer has all theLAN devices using a router as the Default Gateway. The router also do the Dynamic NAT to the internet access and has NAT/PAT rules to publish some services like HTTP and FTP. As I know the router will permit all the incoming traffic in all its interfaces without restrictions at less there is an ACLs that restrict the incoming traffic on an specific interface.Now the customer has bought a brand new ASA and wants to use it as the default gateway for the entiery LAN. This means, the ASA will have the internet connection and will be the responsible for the NAT/PAT process.
I have configured the NAT/PAT rules already following the current router configuration, but I need to know if I have to configure ACLs allowing the incoming traffic on th Outside interface for the services I NATed.
View 1 Replies
ADVERTISEMENT
Aug 18, 2011
It is my understanding that ACLs can only be bound to logical interfaces using the access-group command. However, is it possible to somehow apply ACLs simply based on the ASA's local Ethernet interface? For instance, consider the following:
Device A with IP 192.168.1.1/24 is connected to Ethernet0/0 on the ASA. Device B with IP 192.168.1.2/24 is connected to Ethernet0/1 on the ASA.
Since both devices are in the same subnet and presumably the same VLAN, is it possible to manipulate the traffic to and from physical Ethernet interfaces using ACLs in this manner?
My predicament is fairly simple:
Internet --- ASA --- ROUTER
|
DMZ
In addition to NAT, VPN, and various other tricks, my ASA is also routing traffic from my internal LAN and the Internet to servers in the DMZ configured on the ASA. Due to a combination of Internet and DMZ traffic, my relatively slow ASA is struggling to route and thus becoming a bottleneck. My router is comparatively modest in terms of functionality when compared to the ASA but it is fast. My ideal solution would be to somehow harness the ASA's filtering capabilities for my DMZ but use the router to get traffic to and from my internal LAN into the DMZ without using the ASA to route it.
Additionally, it is worth noting that my DMZ is fairly restrictive so using protected or isolated ports would not quite work for me.
View 1 Replies
View Related
Sep 22, 2011
I implemented an ASA5505 on an access switch on a network with a single data vlan1. When I put the device online, none of my ACL's were being matched.
View 3 Replies
View Related
Aug 28, 2011
I have an ASA 5505, firmware 7.2 (4). Configured ACLs, NAT, it's all working, but after a while it seems that running crashes, no longer makes the directions of NATs, the logs until they stop working. To resolve, I have to restart the ASA, and everything will work again.
View 2 Replies
View Related
May 26, 2011
I just replaced a PIX 501 with a new ASA5505. I had a very weird problem and would like to know what caused it incase I run into it again. The setup is a DSL connection, with an old-ish speedstream DSL modem. Static IP, no PPPoE. I had a PIX 501, then two servers with static NAT entries on secondary WAN IPs. Everything was working fine on the PIX, I just duplicated the config over to the ASA. I swapped out the PIX for the ASA, and rebooted the DSL modem to clear out it's cache. After installation, NAT was working fine for the the global pool, but the systems with static NAT could not get online. I tried lots of different things to fix them, and they never worked. Finally I rememberd running into an issue like this a long time ago, in that the static NAT IP's wouldn't work without giving them a bump-start on the network. So I assigned the ASA each of my WAN IPs, one at a time, and tested them all. After that I went back to the original WAN IP, configured the static NATs, and they fired right up. why did my static NAT entries not work until I first assigned them to the ASA, then swapped back? I did reset the DSL modem when I swapped the firewalls, so I don't believe it was an ARP issue (unless it was an ARP issue at the far end?) I would like to know if there is something I can do differently with the devices or with the config to not have this issue again in the future.
View 5 Replies
View Related
Jan 12, 2012
I have a Cisco ASA5505 running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with and IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171 . I have a site to site VPN tunnel which terminates on the outside of the ASA on the outside interface XXX.XXX.XXX.190 .Traffic from the YYY.YYY.YYY.0/24 network can't transverse the site to site VPN as there is a conflict of IP address's on the far side so it is natted via a dynamic policy to host address ZZZ.ZZZ.ZZZ.100, Users remote into the inside(YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site to site VPN. The problem is that the static NAT for the incomming connections takes preference and bypasses the site to site VPN tunnel for outbound traffic. I tried to create a policy Static nat but it tries to modify the static nat that handels the incomming traffic to the Linux server.
View 2 Replies
View Related
Jan 28, 2013
i have 2 internal server sitting in inside interface
inside network vlan 1 ip address 192.168.0.20, and 192.168.0.22
i going to map 192.168.0.20 to public ip routable address 203.117.124.180 and 192.168.0.22 to public ip routable address 203.117.124.181
the purpose is to make those 2 server 192.168.0.20, and .22 to be able to access remotely using public routable ip address,
however, after done the configuration i still not able to ping or access the public IP Address mention above. my both server are turn on and can access internally.both server are also able to access internet. See below partial configuration retrieve from Show Run.
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Antlab) 1 0.0.0.0 0.0.0.0
[Code].....
View 2 Replies
View Related
Aug 30, 2011
I have a 5505 for a small business that has one web server. The web server has a static NAT entry to an IP address and not an interface. There is an access rule allowing any HTTP traffic to the outside IP of the web server. From the web server I can't access the Internet.
All other computers on the network can access the Internet using a dynamic nat rule that uses the outside interface. The web server is accessible from a computer behind the firewall.
If I delete the static NAT entry for the web server I can get on the Internet.
I have turned debugging on and see that an outbound connection is built and then 30 seconds later the connection is torn down with the bytes 0 SYN Timeout message.
I am running 8.0(5).
View 3 Replies
View Related
Aug 31, 2012
I have an ASA 5505 behind my internet router. i have got only one public ip configured on the router outside interface.192.168.20.0/24 subnet is configured between ASA and router and inside network is 192.168.10.0/24 (Refer the attached diagram).
I have exposed my mail server and ftp server to public through static PAT in router and ASA with the same public on router outside interface. Iam facing issue some of the machines inside my network internet is not working(actually DNS is not resolving) some of the PC's internet is working fine some of the PC's randomly working. i have attached the diagram and ASA config , after this issue is sorted out i need to configure a L2L VPN to my head office.
View 8 Replies
View Related
Feb 5, 2012
I'm trying to configure a second server on my network but whenever I add the static NAT rule, the internet stops working on that computer.
Here's my Cisco ASA configuration:
ASA Version 7.2(3)
!
hostname domain
[Code].....
View 16 Replies
View Related
Feb 9, 2013
I have configured the ASA in a very similar manner to how the PIX was set up but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet. I've spent a few days working on this now and have started from scratch several times but I'm not getting anywhere. Apologies for all the X's everywhere, didn't like to post anything sensitive on the Internet.
View 2 Replies
View Related
Jun 3, 2013
I am mapping static ip address to the local ip address.We have a bsnl broadband connection, and bsnl has provided us with one static ip address.We are using broadband modem.Now I would liket to map this static ip address to one of the private ip address which is 192.168.1.2(database server).i want to do nat above ips if i do so then i dont have no ip to assign to my outside interface.I would like to access this device over internet, by typing my public (Static ip ) given by the BSNL.security device i have is cisco ASA 5505.
View 3 Replies
View Related
Jun 10, 2011
I am setting up a Cisco ASA 5505 first time for My organisation, I usually setup Cisco Router, I have 10 Static IP, & Have 6 Server (S-1, S-2, S-3, S-4, S-5, S-6), Traffic Should be pass through the ASA and is distributed to the destination server that is specified in the packet. LAN servers can be separated into discrete networks for security. For example, a private LAN for internal traffic accessed only via remote dial-in VPN sessions and Want to Configure DMZ for Server (S-4, S-5, S-6) that allows public web traffic.
I have Attached My Network Diagram I have some question,
1:- Can we Configure Multiple Static IP On ASA 5505 ?
2:- If Diagram is wrong what change need to be done ?
View 2 Replies
View Related
Feb 3, 2013
I have ASA 5505 with basic licence, v9.1, ASDM 7.1. I want to create the DMZ for a web server.
The interface 0 is for the outside network The interface 6 is for the DMZ All other interfaces are for the inside network
My ISP provided me with one public static IP address, one gateway address and a subnet mask 255.255.255.252
1/ I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
I tried to assign the static IP address to the outside interface first, but then when I used ASDM the “Public Servers” feature to configure NAT, I get error message that the outside interface and the public address cannot have the same IP address.
2/ For the sake of peace of mind, I am thinking about using the second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the 1st firewall,
View 4 Replies
View Related
Mar 22, 2012
I have created a simple static ip address by using this command:
interface Vlan1
nameif inside
security-level 100
[Code].....
But, no matter what, the I can't ping the static address or access the computer 10.2.1.2 from outside of the asa 5505. I have attempted to ping from inside of the asa 5505 or from another computer. I just does not work.
I also have created several rules that allows icmp traffic.
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit 10.2.1.0 255.255.255.0 inside
icmp permit any echo-reply outside
icmp permit any outside
View 1 Replies
View Related
Mar 20, 2012
I just upgraded my firewall to ASA 5505. Now, my original static ip address cofiguration is gone. Apperantly, Cisco went away from static ip address to something like nat (inside,outside) dynamic interface. how to create a static ip address under version 8.4? By the way, I am sharing what my configuration used to look before upgrading.
!
hostname cisco-asa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
[code].....
View 7 Replies
View Related
Feb 23, 2013
I was checking out the config on my ASA and noticed a bunch of static routes configured when I did a show route. With the exception of two that I expect to be there, the remainder point traffic destined for specific internal hosts to the outside interface, i.e.
S private_ip 255.255.255.255 [1/0] via public_ip, outside
I verified that I cannot ping those hosts from the firewall. I logged in to the ASDM. When I check the Configuration>Device Setup>Routing>Static Routes it only shows two static routes, the ones I expect to see. If I look under Monitoring>Routing>Routes, I see the same output as I did on the CLI. I looked around to see if I was missing a key location for this information, and I was able to see the same static routes output in Monitoring>Routing>Routes. Since this is under monitoring though there's no way to delete these routes, and I still don't know where they were configured originally. Then I happened to check under Monitoring>VPN>VPN Statistics>Sessions, and I see several of the private IPs used in the static routes being used by VPN users, including my own! I know I didn't assign myself a static IP for VPN use or anything like that. So, what are these static IP routes? Why do I see them in the CLI and not under the Configuration tab? I mean, I know I can delete them from the CLI but I'm trying to figure out why the info is not synced. Am I seeing dynamically created content based on the VPN connections?
View 2 Replies
View Related
Mar 17, 2012
working config with least amount of code for:
IOS post 8.3
Subnet: 192.168.1.0 /24
Static NAT (from any source) to server 192.168.1.100 and allow the same incoming connections on outside interface
Ports:
TCP 20,21
TCP 80
UDP 50000-50020
View 1 Replies
View Related
Sep 20, 2012
I have been using static NAT to map between a single server behind an ASA 5505 and a single public IP address. In other words, I've been doing this:
object network NAT_ME
nat (inside,outside) static interface
Now I would like to start using the clientless VPN feature of the ASA, so I of course don't want that particular port forwarded to the server. Is there a way to define such an exclusion? I've tried several things, including setting up a separate NAT rule to direct that port back to the ASA's interface, without luck.
If that is not possible, what configuration would I need to move to in order to get the behavior that I want? It is important that all (non-VPN) traffic is passed exactly as it arrives at the firewall (whether it is coming from internal or external), with the exception of changing the IP address (i.e., I need static port mappings for some of my services).
View 5 Replies
View Related
Jan 23, 2013
I'm almost afraid to post since my stuff is so OLD! I have a 350 Series PCI Wireless LAN Adapter in my old WinXP, not wireless-ready Compaq.I live off the grid, no landlines and have been using a Franklin CDU680 USB air card to connect to the Internet. The air card doesn't like my Compaq - occasionally crashes it. I thought to put the air card in a router to solve the problem and communicate with the router using the Cisco 350. Bought a Cradle Point router from my ISP and plugged in the Franklin. Then spent the next 5 days trying to get the Cisco 350 to associate with the router.I now have a profile with the router's SSID in it that according to the ACU's status report is associated with that SSID. Problem is that there is no Internet connection.
View 4 Replies
View Related
Aug 30, 2012
In the near future I plan on updating all of my firewalls to 8.4, currently we're on a mix of 8.0 and 8.2. I've heard that if your equipment is on 8.2 there's an auto-conversion feature when upgrading to 8.3. However, I do not want to rely on that and am trying my hand at re-writing the NAT and ACLs myself. Attached is my pre 8.3 ASA 5510 config (santized) and a document that shows the particular sections pre 8.3 and what I think they should be after the upgrade.
View 1 Replies
View Related
Feb 27, 2013
I'm having a bit of trouble determining the best way to do this... I have 12 V LAN's set up (sub interfaces on a redundant group of two NICs) on my ASA 5510. On several of these, I want them to be able to access the internet but not access other V LAN's.
By default, they have a rule like "any to any less secure", and since the outside interface has a lower security level, this works great. But if I create an ACL on the interface, this rule disappears. I can restore internet access by adding an "any to any" or "(this interface's sub net) to any" rule, but this seems to imply that it allows access to any v LAN. Do I have to create a set of "deny" rules for each V LAN, on each V LAN, followed by an any-any rule to allow internet access, or is there a cleaner approach?
View 2 Replies
View Related
Dec 27, 2011
In my lab setup i configured Cisco 3560 switch.
VLAN 20 and VLAN 30 i configured.
VLAN 20 interface IP : 192.168.20.1/24
VLAN 30 interface IP : 192.168.30.1/24.
Inter-vlan communication is happening fine.
For testing for purpose i configured extended ACLs. Here is my requirement: I want to stop communication from VLAN 30 to VLAN 20 but not vice-versa.
Here i configured like this:
access-list 111 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 111 permit ip any any
applied ACL in VLAN 30 interface 'in' direction.
ip access-group 111 in
In this scenario, communication is stopping in both directions. If i ping from one of the IP VLAN 20 to one of the ip of VLAN 30, i was gettng Requested time out. And if i ping from one of the IP VLAN 20 to VLAN 30 interface IP, i was able get pinging.
From VLAN 30 to VLAN 20, i was getting destination host unreachable from VLAN 30 ip( Its fine as its my requirement). So, solution needed to communicate from VLAN 20 to VLAN 30.
View 1 Replies
View Related
Aug 15, 2012
I am having difficulty following the logic of the port-translation. Here is the configuration on a 5505 with 8.3,So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.
View 12 Replies
View Related
Jan 15, 2013
A CISCO 3750-X stack with several VLANs and many ACLs applied to the virtual interfaces. Intervlan routing is on. Connected to this stack are VMware hosts and with about 500 VMs.We started using the ACLs to allow connectivity between VLANs to specific hosts and it has grown to thousands of lines. I personally do not think this is good for the switch and believe the switch was not intended to be used for that security feature.
- Does it make it sense to add an "internal firewall" between the CORE ROUTER AND THE 3750-X SWITCH STACK ?
- Do you recommend any other way?
- Any recommended CISCO resource/white paper to read about best practice
View 4 Replies
View Related
Sep 25, 2011
I want to restrict outgoing traffic. Currently the deafault any, any IP allows all traffic from the inside to the outside.
So I created some rules to only allow HTTP and HTTPS. First I configured a rule to allow all DNS (TCP 53) traffic out. Then I added a rules to allow HTTP (TCP 80) and secure HTTP (TCP 443) out.
When I apply and try to surf out to the internet from a box on the inside network I cannot. Remove the rules which returns the default any, any IP and traffic flows.
Packet tracer shows that the traffic should flow. And I have had minor traffic flowing but slow.
how to only allow web surfing from the inside to outside using the ASDM (5.1) to configure? I realize this is probably a very simple thing, but I only configure the ASA about once every year!
View 3 Replies
View Related
Aug 23, 2011
I have found this in documentation (the same statement for version 8.3 and 8.4):
" Access Control Implicit Deny #All access lists (except Extended access lists) have an implicit deny statement at the end, so unless you explicitly permit traffic to pass, it will be denied. For example, if you want to allow all users to access a network through the ASA except for one or more particular addresses, then you need to deny those particular addresses and then permit all others. "
Does it mean that now all ACLs shoud have created manualy deny ip any any rule at the end ? I have migrated one ASA to version 8.3 (no host connected and I can't test it) but after migration I don't see this rule at the end of all ACLs. Does it mean that all traffic will go throu ACLs on all interfaces ? I didn't find any information about this change in documents describing new software features [URL]
View 5 Replies
View Related
Jan 2, 2013
I've having a problem with our company ASA5505 router.
We recently moved to a new adress, so everything had to be set up again. I have a static IP, submask and gateway from our new ISP. The router have been factory reset before moving. We have betweeen 10-20 employees on our LAN in the office. In an attempt to make things easier I have changed the internal IP (and IP range) to 10.0.200.1 with a range from 10.0.200.5 - 10.0.200.100 as our NAS/printer/plotter have IPs within this range.
I can ping machines on the internal IPs and in ASDM the Outside interface is show as "up" with a green arrow. But there still isn't any internet connection. The only thing I haven't tried (because people need the current network to be online) is changing "route inside 0.0.0.0 0.0.0.0 62.242.X.X 1" to "route outside 0.0.0.0 0.0.0.0 62.242.X.X 1"
I have recieved a primary and secondary DNS adress as well, but I'm in doubt as to were I'm supposed to enter these (Using ASDM Version 6.3). I would like everything "Behind" the router to be run by DHCP.
Here is the running config:
ASA Version 8.2(2)
!
hostname ciscoasa
[Code].....
View 4 Replies
View Related
Aug 22, 2011
Trying to connect a 5505 with a dynamic address on 8.3(2) to a static IP'd asa (5510 on 8.2(1) with a DefaultL2LGroup and dynamic maps already created.
Inside networks:
Local (5505) 192.168.100.0 /24
Remote (5510) 10.100.1.0 /24
Configuration on 5505
isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 3600 isakmp enable outside access-list 100 extended permit ip 192.168.100.0 255.255.255.0 10.100.1.0 255.255.255.0nat (inside,any) 0 access-list 100tunnel-group DefaultL2LGroup ipsec-attributes pre-shared-key *****crypto ipsec transform-set myset esp-3des esp-md5-hmac crypto dynamic-map cisco 1 set transform-set myset crypto map dyn-map 20 ipsec-isakmp dynamic cisco crypto map dyn-map interface outside
View 1 Replies
View Related
Jan 13, 2013
We have a customer, who has the following setup:
ISP router with ip range: x.x.202.1/ 28
That is connected to a Cisco 2960 switch, that doesn't do much but:
Vlan5: x.x.202.14 /28
Port 1-12 is switchport mode access to vlan 5 There are 3 firewall's connected to the 2960
1: D-Link DSR-1000N with ip x.x.202.2 /28
gw: x.x.202.1
2: Uknown
3: Cisco ASA 5505 with ip: x.x202.7 /28
static route: x.x.202.1
Each FW have a LAN behind it. The D-Link and the unknown device are both working perfectly and clients on each subnet can connect to the internet?However when I connect the ASA 5505 to the 2960 SW with a configued static route: Route Outside 0.0.0.0 0.0.0.0 x.x.202.1 1 is says it has no route to host?
Sanitized Config for the ASA 5505 is:
hostname ciscoasa
domain-name network.local
names
!
interface Ethernet0/0
switchport access vlan 2
[code]....
If I connect the ASA5505 to the LAN of D-Link DSR-1000N and give it a static address and a static route match the D-Link LAN network, it works perfectly, however not when I connect it the the Cisco 2960 Switch
View 2 Replies
View Related
Nov 1, 2011
I have an ASA 5505 with a dynamic IP address from the ISP.What I need to accomplish is the following:
- Either setup that ASA (Dynamic IP)VPN with an IOS router (Static IP)
- Or setup that ASA (Dynamic IP) with another ASA (Static IP)
View 8 Replies
View Related
Apr 17, 2011
I'm having some issues configuring NAT statements on my ASA5505 which has recently been upgraded to 8.41.
I have a single dynamic IP on the outside interface of the ASA and would like all internal hosts to NAT/PAT to it. In addition, I would like to have several ports 'forwarded' to internal hosts, one of which is TCP/4343. With the current configuration all hosts are NATing to the external interface properly but the service running on TCP/4343 is not accessible from the outside. See command output below:
"sh run object" output:
object network DrJones host 10.81.220.90object network LAN-10.81.220.0 subnet 10.81.220.0 255.255.255.0
"sh run nat" output:
object network DrJones nat (inside,outside) static interface service tcp 4343 4343object network LAN-10.81.220.0 nat (inside,outside) dynamic interface
"sh run access-list" output:
access-list inside_access_in extended permit ip 10.81.220.0 255.255.255.0 anyaccess-list outside_access_in extended permit icmp any any echo-replyaccess-list outside_access_in extended permit tcp any interface outside eq 4343
View 6 Replies
View Related
Jul 30, 2012
We have two sites: 192.168.100.x and 192.168.101.x currently connected via IPsec VPN. On each end we have a Cisco ASA 5505. However, each site also has an MPLS VPN with intentions to move all traffic to this link. Will this work on the ASA? We need to make sure traffic can hit the ASA @ site A on the inside interface and trafiic will forward to the MPLS VPN router which then handles the traffic. Too, will it cause any problems in bi-directional flow between the two sites?
View 3 Replies
View Related
