7/28/2019 Cisco ASA Commands for...l, and ACLs movement3
movement3
cat thoughts > /dev/null
Cisco ASA Commands for NAT, Static, Global, and ACLs
March 31, 2011 movement3
Cisco ASA security levels:
0 is the Internet (outside)
50 is the DMZ
100 is the Inside
By default, traffic from a higher security level is allowed to flow to lower security levels, and the return traffic for those connections is allowed back by the stateful inspection. Traffic initiated from a lower to a higher security level is not allowed unless an access list applied to the lower-security interface permits it; on the pre-8.3 software whose syntax is used on this page, a translation (a static or a NAT exemption) must also exist for that traffic, otherwise the ASA drops it.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 2.2.2.2
or
global (outside) 1 interface
The 1 is the NAT ID: the nat statement on the inside interface is paired with the global statement on the outside interface that carries the same ID, so hosts in 192.168.1.0/24 leave the outside interface as 2.2.2.2 (or as the outside interface's own address). NAT ID 0 is special: it marks a group of addresses that must not be translated. With an access list (the nat 0 access-list form used in the examples below) this is NAT exemption, which also allows connections to be initiated from either side of the firewall; without an access list it is identity NAT. Note that the nat/global/static syntax on this page applies to ASA software before 8.3; release 8.3 replaced it with object and twice NAT.
Example 1
Creating an Internet-only DMZ while still letting one DMZ host reach a few internal subnets. This is handy if you have an Internet-only guest VLAN but want to let your visitors print to printers on your internal network.
Step 1
To allow the DMZ to contact the inside, you will need to configure an ACL.
access-list DMZ11 extended permit tcp host 10.3.0.20 10.115.2.0 255.255.255.0
access-list DMZ11 extended permit tcp host 10.3.0.20 10.4.144.0 255.255.255.0
access-list DMZ11 extended permit tcp host 10.3.0.20 10.0.104.0 255.255.255.0
access-list DMZ11 extended deny ip 10.3.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ11 extended permit ip 10.3.0.0 255.255.255.0 any
access-group DMZ11 in interface DMZ11
The ACL is evaluated top down and the first match wins. The three permit lines allow 10.3.0.20 to reach certain subnets within 10.0.0.0/8, and only over TCP; ICMP (ping) and UDP from that host are not covered by them. The deny line then blocks 10.3.0.0/24 from any other address in 10.0.0.0/8 (check the mask here: 255.0.0.0 covers the whole /8, whereas 255.255.255.0 would only block 10.0.0.0/24 and leave the rest of the internal range reachable through the final permit). Finally, the permit ip ... any line allows 10.3.0.0/24 to reach every other destination, which is the path out to the Internet.
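To check what an ACL like DMZ11 actually does before trusting it on a guest segment, here is an added Python model of ASA first-match ACL evaluation; this is not code from the original post. It parses the ACL lines above, applies first match with the implicit deny, and compares a deny line written with a 255.255.255.0 mask against one written with 255.0.0.0. The test flows, the port numbers 9100 and 445 and the address 203.0.113.9 are constructed inputs, and the port-name table covers only the two names this page uses.

```python
"""Added example (not from the original post): a first-match evaluator for the
ASA extended ACLs on this page. It models only the forms the page uses:
permit/deny, protocol ip/tcp/udp/icmp, any / host A.B.C.D / A.B.C.D MASK,
and an optional 'eq <port>' on the destination."""
import ipaddress

# Port names used on this page (assumption: only these two are needed).
PORT_NAMES = {"www": 80, "ssh": 22}


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i].
    ASA masks are netmasks, not wildcard masks. Returns (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    name, action, proto = t[1], t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst, "dport": port}


def build_acl(config_text):
    """Group ACEs by ACL name, preserving order (order is what decides the outcome)."""
    acls = {}
    for line in config_text.strip().splitlines():
        line = line.strip()
        if line.startswith("access-list"):
            ace = parse_ace(line)
            acls.setdefault(ace["name"], []).append(ace)
    return acls


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, 1-based line number of the matching ACE) using first-match
    semantics. No match means the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None  # implicit deny


# The DMZ11 ACL with the deny line masked as /24 (only 10.0.0.0/24 is denied)...
DMZ11_NARROW_DENY = """
access-list DMZ11 extended permit tcp host 10.3.0.20 10.115.2.0 255.255.255.0
access-list DMZ11 extended permit tcp host 10.3.0.20 10.4.144.0 255.255.255.0
access-list DMZ11 extended permit tcp host 10.3.0.20 10.0.104.0 255.255.255.0
access-list DMZ11 extended deny ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list DMZ11 extended permit ip 10.3.0.0 255.255.255.0 any
"""
# ...and the same ACL with the deny widened to the whole 10.0.0.0/8.
DMZ11_WIDE_DENY = DMZ11_NARROW_DENY.replace("10.0.0.0 255.255.255.0", "10.0.0.0 255.0.0.0")


def check_flow(config_text, proto, src, dst, dport=None, acl_name="DMZ11"):
    return evaluate(build_acl(config_text)[acl_name], proto, src, dst, dport)


if __name__ == "__main__":
    for label, cfg in (("narrow deny (/24)", DMZ11_NARROW_DENY), ("wide deny (/8)", DMZ11_WIDE_DENY)):
        print(label)
        print("  10.3.0.20 -> printer 10.115.2.50 tcp/9100 :", check_flow(cfg, "tcp", "10.3.0.20", "10.115.2.50", 9100))
        print("  guest 10.3.0.77 -> 10.20.0.5 tcp/445      :", check_flow(cfg, "tcp", "10.3.0.77", "10.20.0.5", 445))
        print("  10.3.0.20 -> 10.115.2.50 icmp (ping)      :", check_flow(cfg, "icmp", "10.3.0.20", "10.115.2.50"))
        print("  guest 10.3.0.77 -> 203.0.113.9 tcp/443    :", check_flow(cfg, "tcp", "10.3.0.77", "203.0.113.9", 443))
```

Running it shows two things the prose alone does not: with the narrow mask a guest host reaches 10.20.0.5 through the final permit ip ... any line, and even with the wide mask a ping from 10.3.0.20 to the printer subnet is denied by the deny line, because the permits above it are TCP only.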
Step 2
In addition to the ACL, you need a NAT exemption so that traffic between 10.3.0.0/24 and 10.0.0.0/8 is not translated.
access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (DMZ11) 0 access-list nonatdmz
The nat 0 access-list form is NAT exemption: packets matching the ACL cross the firewall with their real addresses, and the exemption allows connections to be initiated from either side, so an exemption configured on DMZ11 also covers inside hosts connecting to the DMZ. The DMZ11 ACL is used in tandem to permit or deny access. With only the exemption in place, pings from the DMZ did not reach 10.0.0.0/8 even though the ACL allowed access (keep in mind that the DMZ11 ACL as written permits only TCP from 10.3.0.20, so ICMP has to be permitted there as well). To allow the DMZ to ping 10.0.0.0/8, you will need a static statement. The syntax is static (real_interface,mapped_interface) mapped_address real_address netmask mask, so to present the inside network unchanged on the DMZ interface the static reads:
static (inside,DMZ11) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
Static commands are used for traffic flows initiated from lower to higher security:
Outside > DMZ > Inside
NAT (nat/global) commands are used for traffic flows initiated from higher to lower security:
Inside > DMZ > Outside
Example 2
Allowing a web server on the DMZ access to the Internet and certain servers on the inside
Step 1
Create the ACL allowing the DMZ host access to the inside
access-list DMZ extended permit tcp host 10.3.0.20 host 10.0.44.232 eq www
access-list DMZ extended permit tcp host 10.3.0.20 host 10.0.44.233 eq www
access-group DMZ in interface DMZ
Step 2
Allowing the Internet access to the DMZ web server
access-list enter extended permit tcp any host 1.1.1.1 eq www
access-group enter in interface outside
Because this ACL is applied to the outside interface on pre-8.3 software, it references the translated (global) address 1.1.1.1 from the static below, not the server's real address 10.3.0.20. From release 8.3 onward the ACL is written against the real address instead, so the rule changes when a firewall is upgraded.
Step 3
Creating the static command for the traffic flow from lower to higher security
Outside > DMZ
static (DMZ,outside) 1.1.1.1 10.3.0.20 netmask 255.255.255.255
This reads as static (real_interface,mapped_interface) mapped_address real_address: the server's real address 10.3.0.20 on the DMZ appears as 1.1.1.1 on the outside. A static is bidirectional, so it also supplies the translation for connections the server opens toward the Internet. Note, however, that the DMZ ACL above permits only the two inside web servers; because of the implicit deny at the end of every ACL, the server cannot reach the Internet until a permit for other destinations is added after those two lines. Compare the last two lines of the DMZ11 ACL in Example 1, which deny the internal range and then permit everything else: that DMZ is a guest segment where the other machines need Internet access, unlike this DMZ, where only a few known servers live.
Step 4
Creating the NAT exemption for the traffic flow from higher to lower security (aka do not NAT this traffic), here from the inside to the DMZ
access-list nonat extended permit ip 10.0.44.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat
The exemption ACL names the inside server subnet as the source and the DMZ subnet as the destination, so the inside servers keep their real addresses when they answer or connect to 10.3.0.20.
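To see which address each side of the firewall ends up with under Example 2's rules (and under the nat/global pair from the top of the post), here is an added Python model of the pre-8.3 translation lookup; it is not the post's own code and not an ASA implementation, just the order of operations the ASA documents: NAT exemption first, then static, then nat/global. The nat (inside) 1 / global (outside) 1 interface pair, the outside interface address 1.1.1.254, the Internet address 203.0.113.9 and the inside host 10.0.104.5 are constructed for the demonstration; ports and PAT are ignored.

```python
"""Added example, not code from the original post: a model of how a pre-8.3
ASA picks a translation for Example 2's rules plus a constructed nat/global
pair. Order of operations follows the ASA: NAT exemption, then static, then
nat/global. Only IPv4 addresses are modelled; ports and PAT are ignored."""
import ipaddress


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _shift(addr, from_net, to_net):
    """Map an address to the same offset inside another network (identity when both are equal)."""
    return to_net.network_address + (int(addr) - int(from_net.network_address))


class Asa:
    def __init__(self, interface_addrs):
        self.ifaddr = interface_addrs   # ifc -> its own IP, for 'global ... interface'
        self.acls = {}                  # name -> [(src_net, dst_net), ...]
        self.exemptions = []            # (ifc, acl_name)
        self.statics = []               # (real_ifc, mapped_ifc, mapped_net, real_net)
        self.nats = {}                  # (ifc, nat_id) -> real_net
        self.globals = {}               # (ifc, nat_id) -> mapped address or "interface"

    def config(self, text):
        """Parse only the command forms this page uses: access-list permit ip, nat, global, static."""
        for line in text.strip().splitlines():
            t = line.split()
            if t[0] == "access-list":
                self.acls.setdefault(t[1], []).append((_net(t[5], t[6]), _net(t[7], t[8])))
            elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
                self.exemptions.append((t[1].strip("()"), t[4]))
            elif t[0] == "nat":
                self.nats[(t[1].strip("()"), t[2])] = _net(t[3], t[4])
            elif t[0] == "global":
                self.globals[(t[1].strip("()"), t[2])] = t[3]
            elif t[0] == "static":
                real_ifc, mapped_ifc = t[1].strip("()").split(",")
                mask = t[5] if len(t) > 5 else "255.255.255.255"
                self.statics.append((real_ifc, mapped_ifc, _net(t[2], mask), _net(t[3], mask)))
            else:
                raise ValueError(f"unsupported line: {line}")

    def translate(self, ingress, egress, src, dst):
        """Return (src_as_seen_on_egress, dst_as_seen_on_egress, rule), or None when
        no rule applies; with nat-control enabled the ASA drops such packets."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. NAT exemption wins over everything and is honoured in both directions.
        for ifc, name in self.exemptions:
            for src_net, dst_net in self.acls[name]:
                forward = ifc == ingress and s in src_net and d in dst_net
                reverse = ifc == egress and d in src_net and s in dst_net
                if forward or reverse:
                    return src, dst, f"nat ({ifc}) 0 access-list {name}"
        # 2. A static is bidirectional: real->mapped rewrites the source,
        #    mapped->real rewrites the destination.
        for real_ifc, mapped_ifc, mapped_net, real_net in self.statics:
            if (ingress, egress) == (real_ifc, mapped_ifc) and s in real_net:
                return str(_shift(s, real_net, mapped_net)), dst, f"static ({real_ifc},{mapped_ifc}) outbound"
            if (ingress, egress) == (mapped_ifc, real_ifc) and d in mapped_net:
                return src, str(_shift(d, mapped_net, real_net)), f"static ({real_ifc},{mapped_ifc}) inbound"
        # 3. nat/global pairs are matched on the NAT ID and only rewrite the source.
        for (ifc, nat_id), real_net in self.nats.items():
            if ifc == ingress and s in real_net and (egress, nat_id) in self.globals:
                g = self.globals[(egress, nat_id)]
                mapped = self.ifaddr[egress] if g == "interface" else g
                return mapped, dst, f"nat ({ifc}) {nat_id} / global ({egress}) {nat_id}"
        return None


# Example 2's rules as on the page, plus a constructed nat/global pair
# (assumption: the inside range is 10.0.0.0/8 and it PATs to the outside address).
CONFIG = """
static (DMZ,outside) 1.1.1.1 10.3.0.20 netmask 255.255.255.255
access-list nonat extended permit ip 10.0.44.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
"""


def build():
    asa = Asa({"outside": "1.1.1.254"})   # constructed outside interface address
    asa.config(CONFIG)
    return asa


if __name__ == "__main__":
    asa = build()
    for flow in (("outside", "DMZ", "203.0.113.9", "1.1.1.1"),          # Internet to the web server
                 ("DMZ", "outside", "10.3.0.20", "203.0.113.9"),        # web server out to the Internet
                 ("inside", "DMZ", "10.0.44.232", "10.3.0.20"),         # inside server to DMZ, exempt
                 ("DMZ", "inside", "10.3.0.20", "10.0.44.232"),         # DMZ to inside, same exemption
                 ("inside", "outside", "10.0.44.232", "203.0.113.9"),   # inside to Internet, PAT
                 ("DMZ", "inside", "10.3.0.20", "10.0.104.5")):         # no rule: dropped under nat-control
        print(flow, "->", asa.translate(*flow))
```

The output makes the two points behind the examples concrete: the outside ACL has to name 1.1.1.1 because that is the only address the outside ever sees for the server, and a DMZ host talking to an inside address that no exemption or static covers gets no translation at all, which is the "no translation group found" drop the author worked around with a static in Example 1.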
Updated: 06/22/2011
Here is an example where our MPLS router was down and I needed to gain SSH access. I opened a NAT translation from the ASA to the MPLS router and removed it as soon as I finished entering my commands.
access-list outside extended permit ip any host 1.1.1.2
static (inside,outside) 1.1.1.2 10.44.4.1 netmask 255.255.255.255
access-group outside in interface outside
To allow only SSH, try the ACL below. I did not test it, though, but it should work.
access-list outside extended permit tcp any host 1.1.1.2 eq ssh
To remove access
no access-list outside extended permit ip any host 1.1.1.2
no static (inside,outside) 1.1.1.2 10.44.4.1 netmask 255.255.255.255
no access-group outside in interface outside
http://www.streetdirectory.com/travel_guide/115482/security/eight_base_commands_of_cisco_asa_security_appliance.html
http://www.alfredtong.com/cisco/security-cisco/demystifying-asapix-nat-0-vs-static/
Google search: Traffic between DMZ and Internal on Cisco ASA 5520 (Experts Exchange link)
Google search: Cisco ASA-5505 DMZ to Inside Network access and Outside to DMZ access (Experts Exchange link)
Categories: Networking