  • 7/28/2019 Cisco ASA Commands for...l, and ACLs movement3


    Cisco ASA Commands for NAT, Static, Global, and ACLs

    March 31, 2011 movement3

    Cisco ASA security levels:

    0 is the Internet

    50 is the DMZ

    100 is the Inside

    Traffic from a higher security level is allowed to flow to lower security levels by default. Traffic from a lower level to a higher level is not allowed unless an ACL explicitly permits it.

    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 2.2.2.2
    or
    global (outside) 1 interface

    The 1 is the NAT ID; it is matched with the global statement that carries the same ID.

    The NAT ID 0 is used to prevent a group of addresses from being translated.

    Example 1

    Creating an Internet-only DMZ where one IP address on the DMZ needs to reach the inside. This might be handy if you have an Internet-only guest VLAN

    but want to allow your visitors to connect to printers on your internal network.

    Step 1

    To allow the DMZ to contact the inside, you will need to configure an ACL.

    access-list DMZ11 extended permit tcp host 10.3.0.20 10.115.2.0 255.255.255.0

    access-list DMZ11 extended permit tcp host 10.3.0.20 10.4.144.0 255.255.255.0

    access-list DMZ11 extended permit tcp host 10.3.0.20 10.0.104.0 255.255.255.0

    access-list DMZ11 extended deny ip 10.3.0.0 255.255.255.0 10.0.0.0 255.0.0.0

    access-list DMZ11 extended permit ip 10.3.0.0 255.255.255.0 any

    access-group DMZ11 in interface DMZ11

    The above ACL allows 10.3.0.20 to reach certain subnets within 10.0.0.0/8 over TCP. The deny line then blocks 10.3.0.0/24 from any other access to 10.0.0.0/8; note that the deny needs the 255.0.0.0 mask, because with a 255.255.255.0 mask it would cover only 10.0.0.0/24 and the final permit would expose the rest of 10.0.0.0/8. Finally

    it allows 10.3.0.0/24 to access any other IP address (out to the Internet). Entries are evaluated top-down and the first match wins, which is why the deny must come before the final permit.
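    To see how the ASA walks this ACL top-down with first-match semantics and falls through to the implicit deny, here is an added Python example (not from the original post) that parses the DMZ11 lines above and evaluates sample flows. The deny line is written with the 255.0.0.0 mask so it covers the 10.0.0.0/8 the text describes; mask_matters() shows what the same flow does when the deny is narrowed to 255.255.255.0. The sample flows and the PORT_NAMES table are constructed for this example.

```python
import ipaddress

# Constructed from the DMZ11 ACL quoted in Step 1; the deny line carries the
# 255.0.0.0 mask so it matches the whole 10.0.0.0/8 the text describes.
DMZ11_ACL = """
access-list DMZ11 extended permit tcp host 10.3.0.20 10.115.2.0 255.255.255.0
access-list DMZ11 extended permit tcp host 10.3.0.20 10.4.144.0 255.255.255.0
access-list DMZ11 extended permit tcp host 10.3.0.20 10.0.104.0 255.255.255.0
access-list DMZ11 extended deny ip 10.3.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ11 extended permit ip 10.3.0.0 255.255.255.0 any
"""
PORT_NAMES = {"www": 80, "http": 80, "ssh": 22}  # the named ports this page uses

def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A.B.C.D | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Turn 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into ACE tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        action, proto, rest = t[3], t[4], t[5:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append((action, proto, src, dst, port))
    return aces

def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """Top-down, first-match evaluation; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in aces:
        if p not in ("ip", proto):
            continue
        if s in src and d in dst and (port is None or port == dst_port):
            return action
    return "deny"  # implicit deny at the end of every ASA ACL

def mask_matters(dst_ip="10.200.1.1"):
    """Same DMZ flow through the /8 deny and through a /24 deny (the narrower mask)."""
    wide = evaluate(parse_acl(DMZ11_ACL), "tcp", "10.3.0.20", dst_ip, 80)
    narrow_acl = DMZ11_ACL.replace("10.0.0.0 255.0.0.0", "10.0.0.0 255.255.255.0")
    narrow = evaluate(parse_acl(narrow_acl), "tcp", "10.3.0.20", dst_ip, 80)
    return wide, narrow  # ("deny", "permit")
```

    The parser also handles the other ACLs on this page (host, any, eq www / eq ssh), so the same evaluate() can be used to sanity-check the DMZ, enter and outside lists before applying them.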

    Step 2

    In addition to the ACL, you need to create a NAT statement so that traffic between 10.3.0.0/24 and 10.0.0.0/8 is not translated when it tries to reach 10.3.0.20.

    access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.0.0.0

    nat (DMZ11) 0 access-list nonatdmz

    This ACL, with the nat 0 statement that references it, prevents translation between 10.0.0.0/8 and 10.3.0.0/24. The DMZ11 ACL is used in tandem to permit or deny

    access. With the NAT statement alone, pings from the DMZ will not reach 10.0.0.0/8 even if the ACL is allowing access. To allow the DMZ to ping 10.0.0.0/8, you will

    need a static statement.

    static (inside,dmz) 10.3.0.0 10.3.0.0 netmask 255.255.255.0

    Static commands are used for traffic flows from lower to higher

    Outside > DMZ > Inside

    NAT commands are used for traffic flows from higher to lower

    Inside > DMZ > Outside

    Example 2

    Allowing a web server on the DMZ access to the Internet and certain servers on the inside

    Step 1

    Create the ACL allowing the DMZ host access to the inside


    access-list DMZ extended permit tcp host 10.3.0.20 host 10.0.44.232 eq www

    access-list DMZ extended permit tcp host 10.3.0.20 host 10.0.44.233 eq www

    access-group DMZ in interface DMZ

    Step 2

    Allowing the Internet access to the DMZ web server

    access-list enter extended permit tcp any host 1.1.1.1 eq www

    access-group enter in interface outside

    Step 3

    Creating the static command for traffic flow from lower to higher

    Outside > DMZ

    static (DMZ,outside) 1.1.1.1 10.3.0.20 netmask 255.255.255.255

    If you look at the last two lines in the DMZ11 ACL, there is a deny statement, then a permit statement. This is needed because of the implicit deny at the end of every ACL: the other

    guest machines are on the DMZ and need access to the Internet. The DMZ in this example is different from the Internet-only DMZ of Example 1; here only a few known servers

    live on the DMZ. The static statement allows the server access to the outside interface.

    Step 4

    Creating the NAT command for traffic flow from higher to lower (aka do not NAT this traffic)

    access-list nonat extended permit ip 10.0.44.0 255.255.255.0 10.3.0.0 255.255.255.0

    nat (inside) 0 access-list nonat

    Updated: 06/22/2011

    Here is an example where our MPLS router was down and I needed to gain SSH access. I opened a NAT translation from the ASA to the MPLS router and

    removed it as soon as I finished entering my commands.

    access-list outside extended permit ip any host 1.1.1.2

    static (inside,outside) 1.1.1.2 10.44.4.1 netmask 255.255.255.255

    access-group outside in interface outside

    To allow only SSH, try the ACL below; I did not test it, but it should work.

    access-list outside extended permit tcp any host 1.1.1.2 eq ssh

    To remove access

    no access-list outside extended permit ip any host 1.1.1.2

    no static (inside,outside) 1.1.1.2 10.44.4.1 netmask 255.255.255.255

    no access-group outside in interface outside

    http://www.streetdirectory.com/travel_guide/115482/security/eight_base_commands_of_cisco_asa_security_appliance.html

    http://www.alfredtong.com/cisco/security-cisco/demystifying-asapix-nat-0-vs-static/

    Google search: Traffic between DMZ and Internal on Cisco ASA 5520 (Experts Exchange link)

    Google search: Cisco ASA-5505 DMZ to Inside Network access and Outside to DMZ access (Experts Exchange link)
