There is a default route in place, which sets the next-hop to be the ISP gateway. The ASA's outside interface is configured with an IP address obtained from the ISP. Here you can see that the ASA's inside interface is set with the IP address of 192.168.0.1, and it is the default gateway for the internal hosts. The interface configuration and IP addresses for the example are seen here: interface Ethernet0/0 The DMZ segment, where the web server resides, is connected to Ethernet0/2 and labelled as DMZ with a security level of 50. The internal network has been connected to Ethernet0/1 and labelled as inside with a security level of 100. The ISP network segment is connected to the Ethernet0/0 interface and labelled outside with a security level of 0. The basic ASA configuration setup is three interfaces connected to three network segments. See the Information About NAT section of Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1 for more information about NAT. This complicates this NAT type, and as a result it can not be used in this configuration example. Manual NAT is more robust in its granularity, but it requires that the lines be configured in the correct order so that it can achieve the correct behavior. For example, you cannot make a translation decision based on the destination in the packet as you could with the second type of NAT, Manual Nat. This is the easiest form of NAT, but with that ease comes a limitation in configuration granularity. One primary advantage of this NAT method is that the ASA automatically orders the rules for processing in order to avoid conflicts. An example of this is provided later in this document. The first of the two, Object NAT, is configured within the definition of a network object. NAT on the ASA in version 8.3 and later is broken into two types known as Auto NAT (Object NAT) and Manual NAT (Twice NAT). See the Configuring Access Rules section of Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1 for more information about ACLs. This means that for 8.3 and later code, and this document, traffic to the host's real IP is permitted and not the host's translated IP. In version 8.3 and later code, the ASA untranslates that packet before it checks the interface ACLs. In other words, the ACL had to permit the packet as if you were to capture that packet on the interface. In earlier versions of ASA code (8.2 and earlier), the ASA compared an incoming connection or packet against the ACL on an interface without untranslating the packet first. This behavior can also be overridden with an ACL. Also the ASA, by default, allows traffic from higher to lower security interfaces. This can be overridden by an ACL applied to that lower security interface. By default, traffic that passes from a lower to higher security level is denied. Access Control List OverviewĪccess Control Lists (Access-lists or ACLs for short) are the method by which the ASA firewall determines if traffic is permitted or denied. Allow hosts on the Internet to access a web server on the DMZ with an IP address of 192.168.1.100.īefore you perform the steps that must be completed in order to accomplish these two goals, this document briefly goes over the way ACLs and NAT work on the newer versions of ASA code (version 8.3 and later).Allow hosts on the inside and DMZ outbound connectivity to the Internet.In this example configuration, you can look at what NAT and ACL configurations are needed in order to allow inbound access to a web server in the DMZ of an ASA firewall, and allow outbound connectivity from internal and DMZ hosts. If you use a platform such as an ASA 5505, which uses VLANs instead of a physical interface, you need to change the interface types as appropriate. It was written with an Adaptive Security Appliance (ASA) 5510 firewall than runs ASA code version 9.1(1), but this can easily apply to any other ASA firewall platform. This document describes a simple and straightforward example of how to configure NAT and ACLs on an ASA Firewall in order to allow outbound as well as inbound connectivity. If your network is live, ensure that you understand the potential impact of any command. All of the devices used in this document started with a cleared (default) configuration. The information in this document was created from the devices in a specific lab environment. The information in this document is based on an ASA 5510 firewall that runs ASA code version 9.1(1). There are no specific requirements for this document. This document describes how to configure Network Address Translation (NAT) and Access Control Lists (ACLs) on an ASA Firewall.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |