juggernaughty asked:
Basic NAT/Access List setup for 3-leg network

Experts,

I need help configuring an ASA 5505 with a Security Plus license. I have split up the interfaces between three VLANs: (Internal), (External), (DMZ). I am new to Cisco so please be verbose. Below I have a list of requirements and also a list of questions pertaining to them.

Specs:
ASA Version: 7.2(3)
ASDM Version: 5.2(3)
Firewall Mode: Routed
Context Mode: Single
In the Attached Picture is the network number scheme that will be used.

Configuration Requirements:
- (Internal) clients need to be able to communicate with devices on the Internet.
- (Internal) clients need to be able to communicate with some (DMZ) clients.
- (External) clients need to be able to communicate with (DMZ) servers.
** - Down the road I want to be able to remotely VPN into the ASA.


Questions:

1. What do I need to configure to allow (internal) resources to access (DMZ) resources? Since all interfaces are a part of the ASA do I need to do any type of routing for the two to talk to each other?

2. What kind of access lists will need to be created for question 1.? Can you give me an example using the attached picture?

3. Configuring NAT: The device came pre-configured so that (internal) resources could access (outside) resources using dynamic NAT. The rule looks like this:
Real address: interface inside, IP address: 0.0.0.0, Netmask: 0.0.0.0
Dynamic Translation: interface: outside
-->What does all 0's mean in the IP and netmask?

4. Should I use static NAT with PAT if I want (external) resources to access specific (DMZ) resources over a specified port?

5. Pertaining to question 4., if I use PAT will the ASA drop any (external) incoming traffic that is not specified for a configured port? For example, if I have a web server and an SMTP spam filter device in the (DMZ), will the ASA only allow traffic that is defined for ports 25 and 80/443 from the (external) interface?


Thank you in advance for your time and effort.

asa.bmp
ASKER CERTIFIED SOLUTION
batry_boy

SOLUTION
Cyclops3590
:)  gotta love the long answers.  by the time you post, someone already beat you to it.
It's all good...:)...the more info they have, the better, in my opinion...
especially in the firewall area; seems like everyone has their own little ways of doing things
That's true...
tjtressel

Batry Boy:

Thanks for the quick detailed response... it's impressive. I have to say that I've gotten a lot of good EE answers in the past, but these are both perfect. I have a few follow-up questions so that I can understand better what you are explaining.

1. I understand that an ACL is not needed since the security levels for each interface will take care of that. I'm not quite getting how that NAT command you gave works. Maybe you could explain how translating an address to itself works? Why do any translation at all? Or if you want to point me to good documentation that will work too.

4. A few questions about the command you have specified here:
static (dmz,outside) tcp interface smtp 10.30.30.20 smtp netmask 255.255.255.255

- when you list (dmz,outside) does the order matter?
- Could you explain why the netmask is 255.255.255.255 instead of 255.0.0.0 like you usually see with 10.x.x.x networks?
- Why is SMTP or WWW listed a second time in each command?
- Since these commands use SMTP or WWW instead of the actual port numbers, is there a list out there somewhere that I can compare the port numbers to the names Cisco uses in their commands?


Thank you again for all your help.

1. Translations are required or packets can't traverse interfaces. The reason to translate it to itself is to maintain the IP address integrity. It's essentially a no-NAT between interfaces, really.

4. yes, order matters
the 255.255.255.255 because you want it to match the exact IP not a network
the reason is because the first one specifies the public port, the second is the port it's mapped to internally
not sure about a list of names
Cyclops - Can I use port redirection from one port publicly and then redirect it to another port internally? For example, if I have a connection come in publicly via 80, can I redirect it to a non-standard port internally?

Thanks again for the support.
juggernaughty (ASKER):

I'm very impressed the way both of you handled this question. Fantastic support. Thank you for your time.
>>1. I understand that an ACL is not needed since the security levels for each interface will take care of that. I'm not quite getting how that NAT command you gave works. Maybe you could explain how translating an address to itself works? Why do any translation at all? Or if you want to point me to good documentation that will work too.

Back in the old days when you just had the PIX code to work with, you were forced to translate addresses if you wanted to allow traffic flow between interfaces.  In recent times, however, Cisco has changed the rules such that you can disable NAT with a command called "nat-control", so this really isn't true anymore.  So, in other words, you are correct in your statement that nowadays you really don't have to translate at all if you wish.  However, you must translate going to the outside since you need a public routable IP address for Internet traffic routing to work properly.

>> when you list (dmz,outside) does the order matter?

Yes, it does.  You list the higher security level interface first, then the lower security level last.

>> Could you explain why the netmask is 255.255.255.255 instead of 255.0.0.0 like you usually see with 10.x.x.x networks?

You use the 32 bit netmask because you only want to set up this translation to affect a single IP address rather than a whole subnet worth of addresses.

>>- Why is SMTP or WWW listed a second time in each command?

Because the firewall gives you the option of redirecting a port that traffic was sent to by the original external client on the Internet to a different port on the internal host.  So, for example, say you had 5 internal machines all running RDP and you wanted to be able to use remote desktop to get to all of them.  However, you only had a single public IP address on your outside interface.  You could do something like the following to set up RDP access to the 5 hosts:

static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.6 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.1.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3392 192.168.1.8 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3393 192.168.1.9 3389 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside range 3389 3393

From the outside, if you opened up the RDP client and put in the IP address of the outside interface, you would reach the inside host at 192.168.1.5. But if you put in <interface_IP>:3390 in your RDP client, you would reach host 192.168.1.6 on your internal network. If you put in <interface_IP>:3391, you would reach host 192.168.1.7, etc.

This is why Cisco calls this "port redirection"...because you really can redirect what port the traffic is sent to on the destination host because it can be different from the port that the traffic was originally sent to.

>>- Since these commands use SMTP or WWW instead of the actual port numbers, is there a list out there somewhere that I can compare the port numbers to the names Cisco uses in their commands?

Yes, check this out:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ports.html#wp1007738

I need a clarification on these commands that cyclops posted:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 10.30.30.0 10.30.30.0 netmask 255.255.255.0

1. You said that the higher level interface, or the more secure one, should be listed first. Why does the second one have DMZ first?

2. Why does the second command have a /24 netmask on a 10.x.x.x network?

I have entered these commands on my ASA and I still cannot ping from (inside) to DMZ. The DMZ interface security is 50 and the internal interface is 100. I have two XP machines with their firewalls disabled plugged into a port corresponding with each interface. I can't even ping the interfaces, which are 192.168.1.1 (internal) and 10.0.0.1 (DMZ).
Post the config and I can help with the pinging.  I'll let cyclops answer those questions you asked...:)
Batry,

This is in essence another question. Should I just create another one?

I think below is what you are asking for. Don't worry about the external stuff, I don't even want to think about that piece just yet, especially since I don't have a static IP yet. I just want my test PC in the (inside) to ping my test PC in (DMZ).

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 no ip address
!
interface Vlan12
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.0.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,inside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7747acf6d0ab1f5e275cce655be9dd03
: end
It's just a habit of mine to do both (however I don't think you need to do both)

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 10.30.30.0 10.30.30.0 netmask 255.255.255.0

They just handle the IP translations between the inside and dmz interfaces.  Basically they just ensure that when a host on the dmz subnet communicates to the inside network it translates to its own IP address and the same goes for when a host on the inside communicates to the dmz subnet.

also, by your initial diagram, you had 10.30.30.x as your IP scheme so I assumed you had a /24 mask which is what I'd recommend in your case unless required.  Just because you use the 10.x.y.z scheme doesn't mean you have to use a /8 mask.  Also, if you use a /8 mask, you can't use the static commands I gave, you would need to do a global/nat combination then for IP translation
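Two points in the thread are easy to get wrong by hand: a port redirection (the RDP example batry_boy gave) only works if the outside access-list also permits the public port, and an identity static only covers the hosts inside its netmask, which is exactly the /8-versus-/24 mismatch Cyclops describes. The script below is an added example, not code from the thread or from Cisco; it parses a constructed config fragment assembled from lines quoted above, prints the public-port-to-host mapping, and flags both problems. The `PORT_NAMES` table is an assumption covering only the names used here.

```python
"""Added example (not from the thread): audit the NAT lines discussed above, checking
that identity statics match the real interface's subnet and that every port
redirection on the outside interface is permitted by the inbound access-list."""
import ipaddress
import re

# Constructed config fragment assembled from lines quoted in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan12
 nameif DMZ
 ip address 10.0.0.1 255.0.0.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,inside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.6 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 10.30.30.20 smtp netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside range 3389 3393
"""

# Assumption: only the few ASA port names needed here (full list: Cisco ports reference above).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ssh": 22}
IDENTITY_RE = re.compile(r"^static \((\w+),(\w+)\) ([\d.]+) ([\d.]+) netmask ([\d.]+)")
REDIRECT_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\S+) ([\d.]+) (\S+) netmask")
ACE_RE = re.compile(r"^access-list \S+ (?:extended )?permit (tcp|udp) any interface (\w+) "
                    r"(?:eq (\S+)|range (\S+) (\S+))")

def port_number(token):
    """Accept a number or one of the ASA's port names."""
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]

def parse_interfaces(text):
    """Map nameif (lower-cased) -> ip_network of the interface's own subnet."""
    result, name = {}, None
    for line in text.splitlines():
        words = line.split()
        if line.startswith("interface "):
            name = None
        elif words[:1] == ["nameif"]:
            name = words[1].lower()
        elif words[:2] == ["ip", "address"] and name:
            result[name] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
    return result

def parse_statics(text):
    """Split static lines into identity translations and port redirections."""
    identity, redirects = [], []
    for line in text.splitlines():
        if m := IDENTITY_RE.match(line):
            real_if, mapped_if, real, mapped, mask = m.groups()
            identity.append((real_if.lower(), mapped_if.lower(), real, mapped, mask))
        elif m := REDIRECT_RE.match(line):
            real_if, mapped_if, proto, public, host, private = m.groups()
            redirects.append((mapped_if.lower(), proto, port_number(public), host, port_number(private)))
    return identity, redirects

def parse_permits(text):
    """Map (interface, proto) -> destination ports permitted to 'interface X' by the ACL."""
    permits = {}
    for line in text.splitlines():
        if m := ACE_RE.match(line):
            proto, iface, eq, lo, hi = m.groups()
            ports = {port_number(eq)} if eq else set(range(port_number(lo), port_number(hi) + 1))
            permits.setdefault((iface.lower(), proto), set()).update(ports)
    return permits

def audit(text=SAMPLE_CONFIG):
    """Return (redirection table, findings). A redirection with no matching permit
    is not reachable from outside; an identity static narrower than its interface
    subnet leaves the other hosts untranslated (the /8 vs /24 problem in the thread)."""
    interfaces, permits = parse_interfaces(text), parse_permits(text)
    identity, redirects = parse_statics(text)
    findings, table = [], {}
    for real_if, mapped_if, real, mapped, mask in identity:
        static_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
        if real == mapped and real_if in interfaces and static_net != interfaces[real_if]:
            findings.append(f"static ({real_if},{mapped_if}) covers {static_net} but interface "
                            f"{real_if} is {interfaces[real_if]}: other hosts get no translation")
    for mapped_if, proto, public, host, private in redirects:
        table[(mapped_if, proto, public)] = (host, private)
        if public not in permits.get((mapped_if, proto), set()):
            findings.append(f"{proto}/{public} on {mapped_if} -> {host}:{private} has no access-list permit")
    return table, findings

if __name__ == "__main__":
    table, findings = audit()
    for key, dest in sorted(table.items()):
        print(key, "->", dest)
    for finding in findings:
        print("FINDING:", finding)
```

Run against the sample it reports two findings: the (DMZ,inside) static covers 10.0.0.0/24 while the DMZ interface is 10.0.0.0/8, and tcp/25 is redirected to 10.30.30.20 but nothing in the outside access-list permits it. Feeding it your own `show run` output is a quick way to see every port the outside interface exposes before you start changing static lines.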
Put these commands in to be able to ping DMZ hosts from the inside network:

access-list dmz_access_in permit icmp any any echo-reply
access-group dmz_access_in in interface DMZ

That should do it...
Cy - You're right that I didn't match the diagram completely. I guess I was just trying to maximize the hosts by using 10.0.0.0 . In any case, I changed it back to 10.30.30.0 and I also entered in some ICMP commands which are attached below. Maybe the ASA doesn't allow ICMP by default?

Since this has become a different question, I will post a new one for support so that the proper points can be assigned to each of you for helping.



Pinging Through the Security Appliance
After you successfully ping the security appliance interfaces, you should make sure traffic can pass successfully through the security appliance. For routed mode, this test shows that NAT is working correctly, if configured. For transparent mode, which does not use NAT, this test confirms that the security appliance is operating correctly; if the ping fails in transparent mode, contact Cisco TAC.

To ping between hosts on different interfaces, perform the following steps:



Step 1 To add an access list allowing ICMP from any source host, enter the following command:

hostname(config)# access-list ICMPACL extended permit icmp any any
By default, when hosts access a lower security interface, all traffic is allowed through. However, to access a higher security interface, you need the preceding access list.

Step 2 To assign the access list to each source interface, enter the following command:

hostname(config)# access-group ICMPACL in interface interface_name
Repeat this command for each source interface.

Step 3 To enable the ICMP inspection engine, so ICMP responses are allowed back to the source host, enter the following commands:

hostname(config)# class-map ICMP-CLASS
hostname(config-cmap)# match access-list ICMPACL
hostname(config-cmap)# policy-map ICMP-POLICY
hostname(config-pmap)# class ICMP-CLASS
hostname(config-pmap-c)# inspect icmp
hostname(config-pmap-c)# service-policy ICMP-POLICY global
Alternatively, you can also apply the ICMPACL access list to the destination interface to allow ICMP traffic back through the security appliance.

Step 4 Ping from the host or router through the source interface to another host or router on another interface.

Repeat this step for as many interface pairs as you want to check.

If the ping succeeds, you see a system message confirming the address translation for routed mode (305009 or 305011) and that an ICMP connection was established (302020). You can also enter the show xlate and show conns commands to view this information.

If the ping fails for transparent mode, contact Cisco TAC.

For routed mode, the ping might fail because NAT is not configured correctly (see Figure 43-5). This is more likely if you enable NAT control. In this case, you see a system message showing that the NAT translation failed (305005 or 305006). If the ping is from an outside host to an inside host, and you do not have a static translation (which is required with NAT control), you see message 106010: deny inbound icmp.
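The troubleshooting steps above identify the outcome of a ping test by syslog message ID: 305009/305011 and 302020 mean the translation and the ICMP connection were built, 305005/305006 mean NAT failed for that interface pair, and 106010 is the inbound deny you get without a static under NAT control. The script below is an added example, not Cisco's or the thread's; it reduces a batch of ASA syslog lines to one verdict and the interface pairs that need attention. The log lines are constructed to the `%ASA-<severity>-<id>:` shape the ASA uses and are not a capture from any device; the exact body text of each message is an approximation.

```python
"""Added example (not from the thread): triage ASA syslog lines from a ping test
using the message IDs named in the Cisco troubleshooting steps."""
import re

MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")
# src <ifc>:<addr> dst <ifc>:<addr> appears in the NAT-failure and deny messages.
PAIR_RE = re.compile(r"src (\w+):([\d.]+)\S* dst (\w+):([\d.]+)")

# Meaning of each ID as given in the quoted troubleshooting steps.
MEANING = {
    "305009": ("ok", "static translation built"),
    "305011": ("ok", "dynamic translation built"),
    "302020": ("ok", "ICMP connection built; the ping got through"),
    "305005": ("nat", "no translation group for this interface pair: add a nat/global or static"),
    "305006": ("nat", "translation failed for this interface pair: check the static and its netmask"),
    "106010": ("acl", "inbound ICMP denied: a static for the inside host and an inbound permit are needed"),
}

# Constructed sample lines (shape only; not captured output).
FAILED_PING = [
    "%ASA-3-305005: No translation group found for icmp src inside:192.168.1.10 dst DMZ:10.30.30.20 (type 8, code 0)",
    "%ASA-3-305005: No translation group found for icmp src inside:192.168.1.10 dst DMZ:10.30.30.20 (type 8, code 0)",
    "%ASA-6-302015: Built outbound UDP connection 12 for outside:203.0.113.53/53 ...",  # unrelated noise
]
PASSED_PING = [
    "%ASA-6-305011: Built dynamic ICMP translation from inside:192.168.1.10/1 to outside:203.0.113.5/1",
    "%ASA-6-302020: Built outbound ICMP connection for faddr 198.51.100.7/0 gaddr 203.0.113.5/1 laddr 192.168.1.10/1",
]
DENIED_INBOUND = [
    "%ASA-3-106010: Deny inbound icmp src outside:198.51.100.7 dst inside:192.168.1.10 (type 8, code 0)",
]

def classify(line):
    """Parse one line into its message id, category and (if present) src/dst interface pair."""
    m = MSG_RE.search(line)
    if not m:
        return None
    severity, msg_id, body = m.groups()
    category, meaning = MEANING.get(msg_id, ("other", "not part of the ping test"))
    pair = PAIR_RE.search(body)
    return {"id": msg_id, "severity": int(severity), "category": category,
            "meaning": meaning, "pair": (pair.group(1), pair.group(3)) if pair else None}

def triage(lines):
    """Reduce a batch of lines to one verdict plus the interface pairs that need attention."""
    parsed = [p for p in map(classify, lines) if p]
    ids = {p["id"] for p in parsed}
    pairs = sorted({p["pair"] for p in parsed if p["category"] in ("nat", "acl") and p["pair"]})
    if any(p["category"] == "nat" for p in parsed):
        verdict = "nat"          # NAT not configured for this pair (check nat-control, static, netmask)
    elif any(p["category"] == "acl" for p in parsed):
        verdict = "acl"          # dropped by policy: missing static and/or inbound permit
    elif "302020" in ids:
        verdict = "passed"
    else:
        verdict = "inconclusive"
    advice = {p["id"]: p["meaning"] for p in parsed if p["category"] != "other"}
    return {"verdict": verdict, "pairs": pairs, "advice": advice}

if __name__ == "__main__":
    for name, batch in (("failed", FAILED_PING), ("passed", PASSED_PING), ("denied", DENIED_INBOUND)):
        print(name, triage(batch))
```

On the failing sample the verdict is `nat` with `[("inside", "DMZ")]` as the pair, which is the same situation the asker is in: the translation between inside and DMZ is missing or mismatched, not the ACL. The lines an ASA actually emits come from `logging` at the informational level or higher, so the `logging asdm informational` line already in the posted config is enough to see them in ASDM.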