
Tuesday 8 May 2012


How can we allow whole traffic in ASA from inside to outside


In ASA, for traffic to pass through interfaces, several conditions must be met. Since we are talking here about the inside and outside interfaces, this means traffic from a higher security level (inside) to a lower security level (outside). The most important conditions to examine here are NAT (if used) and the access control list. Let's see more details below:

Traffic from inside to outside using NAT
This is the most common scenario. NAT is most commonly used in real networks to hide the internal network range and to translate the non-routable private addresses (internal network) to publicly routable IP addresses on the outside.
We can have two types of NAT:

Dynamic NAT (with Port Address Translation – PAT being a subcategory of this)
Static NAT (internal addresses are permanently mapped to external public addresses)

Here we will examine the most common scenario, which is PAT. This is a many-to-one translation which allows us to translate all internal IP addresses into a single public IP address which is assigned to us by the ISP and exists on the outside of the ASA. For the ASA to keep track of all these many-to-one translations, it uses port numbers. A different port number (out of the range of 65000) is assigned to a different internal IP address.
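To make the many-to-one mechanism concrete, here is a small Python model of a PAT translation (xlate) table, added as an illustration (it is not ASA code and simplifies how the ASA allocates ports). It uses the post's values (inside LAN 192.168.1.0/24 hidden behind the outside interface IP 100.100.100.1) and also shows the two checks a firewall makes that the text implies: a source outside the NAT rule gets no translation, and return traffic arriving on a port with no xlate entry is dropped, which is why the PAT alone does not let outside hosts initiate connections to inside hosts.

```python
import ipaddress

# Constructed values matching the post's Option 1: inside LAN 192.168.1.0/24 is
# translated to the ASA outside interface IP 100.100.100.1.
INSIDE_LAN = ipaddress.ip_network("192.168.1.0/24")
MAPPED_IP = "100.100.100.1"


class PatTable:
    """Simplified model of a PAT xlate table (illustration, not ASA code).

    Every inside host is hidden behind MAPPED_IP; sessions are told apart by
    the source port the firewall allocates for each inside (ip, port) pair.
    """

    def __init__(self, mapped_ip=MAPPED_IP, low=1024, high=65535):
        self.mapped_ip = mapped_ip
        self.next_port = low      # next free port in the PAT pool
        self.high = high
        self.outbound = {}        # (inside_ip, inside_port) -> mapped_port
        self.inbound = {}         # mapped_port -> (inside_ip, inside_port)

    def translate_out(self, src_ip, src_port):
        """Inside -> outside: (mapped_ip, mapped_port) the packet leaves with."""
        if ipaddress.ip_address(src_ip) not in INSIDE_LAN:
            # No nat rule matches this source; with nat-control on, the ASA drops it.
            return None
        key = (src_ip, src_port)
        if key not in self.outbound:
            if self.next_port > self.high:
                raise RuntimeError("PAT port pool exhausted")
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.mapped_ip, self.outbound[key])

    def translate_in(self, dst_ip, dst_port):
        """Outside -> inside: reverse the xlate. A packet with no matching entry
        (e.g. a connection initiated from the outside) is dropped (None)."""
        if dst_ip != self.mapped_ip:
            return None
        return self.inbound.get(dst_port)


def demo():
    pat = PatTable()
    a = pat.translate_out("192.168.1.10", 40000)   # host A
    b = pat.translate_out("192.168.1.11", 40000)   # host B, same inside port
    back = pat.translate_in(MAPPED_IP, a[1])       # reply to host A's session
    return a, b, back


if __name__ == "__main__":
    print(demo())
```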

Let's see the configuration for allowing all traffic from inside to outside using PAT:
Assume the following:
inside LAN range: 192.168.1.0/24
Public IP addresses available: 100.100.100.1 – 100.100.100.32
ASA outside interface IP address: 100.100.100.1

Option 1:
Using the ASA interface IP (100.100.100.1) to translate all internal addresses:
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# global (outside) 1 interface

Commands for ASA version 8.3 and later:
ciscoasa(config)# object network internal_lan
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

Option 2:
Using one of the other available public IP addresses for translation:
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# global (outside) 1 100.100.100.2 netmask 255.255.255.255

Commands for ASA version 8.3 and later:
ciscoasa(config)# object network internal_lan
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic 100.100.100.2

After taking care of the NAT commands, we need to check our access-list commands. By default, if you don’t have an access-list applied on the inside interface, then all traffic is allowed to pass because the inside has the highest security level (100). However, if for any reason you apply an access-list to the inside interface, then you must explicitly allow all IP traffic to pass using the ACL:

ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside

Traffic from inside to outside without NAT
There are some cases where we don’t want to have NAT between inside and outside. In this scenario, the ASA works like a router, but it still applies firewall inspection to the traffic. All you have to do here is disable NAT control and then allow the traffic with an ACL:

ciscoasa(config)# no nat-control
ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside
