7/28/2019 Cisco ASA Commands for...l, and ACLs movement3
1/4
movement3
cat thoughts > /dev/null
Home
About
Type ex o search here...
Home>Networking> Cisco ASA Commands for NAT, Static,
Global, and ACLs
Cisco ASA Commands for NAT, Static, Global, and ACLs
March 31, 2011 movement3
Cisco ASA security levels:
0 is the Internet
50 is the DMZ
100 is the Inside
Traffic fromhigher level is allowed to flow to lowersecurity
levels. Traffic fromlower to higher is not allowed.
NAT (inside) 1 192.168.1.0 255.255.255.0.Global (outside) 1
2.2.2.2 orglobal (outside) 1 interface
The 1 is the NAT ID, it will be associated with the global
ID.
The 0 NAT ID is used to prevent a group ofaddresses frombeing
translated.
Example 1
Creating an Internet Only DMZ and needing to access a IP address
on the DMZ to the inside. This might be handy ifyou have an
Internet only guest VLAN
but allow your visitors to connect to printers on your Internal
network.
Step 1
To allow the DMZ to contact the inside, you will need to
configure an ACL.
access-list DMZ11 extended permit tcp host 10.3.0.20 10.115.2.0
255.255.255.0access-list DMZ11 extended permit tcp host 10.3.0.20
10.4.144.0 255.255.255.0
access-list DMZ11 extended permit tcp host 10.3.0.20 10.0.104.0
255.255.255.0
access-list DMZ11 extended deny ip 10.3.0.0 255.255.255.0
10.0.0.0 255.255.255.0
access-list DMZ11 extended permit ip 10.3.0.0 255.255.255.0
any
access-group DMZ11 in interface DMZ11
The above ACL will allow 10.3.0.20 to reach certain subnets on
the 10.0.0.0/8 subnet. It will deny 10.3.0.0/24 any other access to
the 10.0.0.0/8 subnet. Then
it will allow 10.3.0.0/24 to access any other IP address (out to
the Internet).
Step 2
In additional to the ACL, you need to create a NAT statement so
10.0.0.0/8 will not get translated when it tries to access
10.3.0.20.
access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0
10.0.0.0 255.0.0.0
nat (DMZ11) 0 access-list nonatdmz
This ACL with the included NAT statement will prevent
translation on 10.0.0.0/8 to 10.3.0.0/24. The the DMZ11 ACL is used
in tandemto permit or deny
access. With the NAT statement, pings fromthe DMZ will not reach
10.0.0.0/8 even ifthe ACL is allowing access. To allow DMZ to ping
10.0.0.0/8, you will
need a static statement.
Static (inside, dmz) 10.3.0.0 10.3.0.0 netmask 255.255.255.0
Static commands are used fortraffic flows fromlower to
higher
Outside > DMZ > Inside
NAT commands are used for traffic flows from higher to lower
Inside > DMZ > Outside
Example 2
Allowing a web server on the DMZ access to the Internet and
certain servers on the inside
Step 1
Create the ACL allowing the DMZ host access to the inside
7/28/2019 Cisco ASA Commands for...l, and ACLs movement3
2/4
access-list DMZ extended permit tcp host 10.3.0.20 host
10.0.44.232 eq www
access-list DMZ extended permit tcp host 10.3.0.20 host
10.0.44.233 eq www
access-group DMZ in interface DMZ
Step 2
Allowing the Internet access to the DMZ web server
access-list enter extended permit tcp any host 1.1.1.1 eq
www
access-group enter in interface outside
Step 3
Creating the Static command fortraffic flow fromlower to
higher
Outside > DMZ
static (DMZ,outside) 1.1.1.1 10.3.0.20 netmask
255.255.255.255
Ifyou notice the last two lines in the DMZ11 ACL, there is a
deny statement, thenpermit statement. This is needed due the
implicit deny statement. The other
guest machines are on the DMZ and need access to the Internet.
This DMZ segment is different than an Internet Only DMZ, where only
a few known servers
live on this DMZ. The static statement allows the server access
to the outside interface.
Step 4
Creating the NAT command for traffic flow from higher to lower
(aka do not NAT this traffic)
access-list nonat extended permit ip 10.0.44.0 255.255.255.0
10.0.44.0 255.255.255.0
nat (inside) 0 access-list nonat
Updated: 06/22/2011
Here is an example where our MPLS router was down and I needed
to gain SSH access. I opened a NAT translation fromthe ASA to the
MPLS router and
removed it as soon I finished entering my commands.
access-list outside extended permit ip any host 1.1.1.2
static (inside,outside) 1.1.1.2 10.44.4.1 netmask
255.255.255.255
access-group outside in interface outside
To allow only SSH, try the ACL below, I did not test it though,
but should work.
access-list outside extended permit tcp any host 1.1.1.2 eq
ssh
To remove access
no access-list outside extended permit ip any host 1.1.1.2
no static (inside,outside) 1.1.1.2 10.44.4.1 netmask
255.255.255.255
no access-group outside in interface outside
http://www.streetdirectory.com/travel_guide/115482/security/eight_base_commands_of_cisco_asa_security_appliance.html
http://www.alfredtong.com/cisco/security-cisco/demystifying-asapix-nat-0-vs-static/
Google search: Traffic between DMZ and Internal on Cisco ASA
5520 (Experts Exchange link)
Google search: Cisco ASA-5505 DMZ to Inside Network access and
Outside to DMZ access (Experts Exchange link)
Be the first to like this.
Categories:Networking
Basic BGP configConfigure Wireless with SSL certs and Windows
auth
RSS feed
Recent Posts
Configuring MAC address filtering with WLC via Cisco ACS 4.2
Cisco 3750 switch with a failing ASIC chipset
Cisco bug(?) verify command on 3750 switch
Running a basic BIND DNS Server
Cisco ASA Static command to create a translation
Converting Putty SSH keys to SecureCRT keys
