cat thoughts > /dev/null

Cisco ASA – Commands for NAT, Static, Global, and ACLs
March 31, 2011, movement3

Cisco ASA security levels: 0 is the Internet (outside), 50 is the DMZ, 100 is the Inside. Traffic from a higher security level is allowed to flow to lower security levels by default. Traffic from lower to higher is not allowed unless an ACL applied inbound on the lower-security interface permits it (and, with nat-control enabled, a translation exists for the destination).

nat (inside) 1
global (outside) 1
or
global (outside) 1 interface

The "1" is the NAT ID; it ties the nat statement to the global pool that carries the same ID. NAT ID "0" is used to prevent a group of addresses from being translated (nat 0 with an access-list is NAT exemption; nat 0 without one is identity NAT).

Note: the nat, global and static commands used throughout this post are the pre-8.3 ASA syntax. ASA 8.3 and later replaced them with object NAT and twice NAT, and ACLs there are written against the real (untranslated) addresses.

Example 1
Creating an "Internet only" DMZ while still needing to let one IP address on the DMZ reach the inside. This might be handy if you have an Internet-only guest VLAN but want to allow your visitors to connect to printers on your internal network.

Step 1. To allow the DMZ to contact the inside, you will need to configure an ACL (the addresses were lost from this post; only the command skeletons remain).

access-list DMZ11 extended permit tcp host
access-list DMZ11 extended permit tcp host
access-list DMZ11 extended permit tcp host
access-list DMZ11 extended deny ip
access-list DMZ11 extended permit ip any
access-group DMZ11 in interface DMZ11

The above ACL will allow the DMZ host to reach certain hosts on the inside subnet. It will then deny any other access to the inside subnet. Finally it will allow the DMZ to reach any other IP address (out to the Internet). The order matters: the explicit deny has to come before the final "permit ip ... any", otherwise that permit would also open the inside.

Step 2. In addition to the ACL, you need to create a NAT statement so the DMZ host will not get translated when it tries to reach the inside.

access-list nonatdmz extended permit ip
nat (DMZ11) 0 access-list nonatdmz

This ACL, together with the nat 0 statement, prevents translation of the DMZ host on its way to the inside. The DMZ11 ACL is used in tandem with it to permit or deny the access. With only the NAT statement in place, pings from the DMZ did not reach the inside even though the ACL allowed the access. To allow the DMZ to ping, you will need a static statement.

static (inside,dmz) netmask

Static commands are used for traffic flows from lower to higher security: Outside > DMZ > Inside. NAT commands are used for traffic flows from higher to lower security: Inside > DMZ > Outside.
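A complete, working version of Example 1, written as an added example rather than taken from the original post. The addressing is assumed (inside 10.0.0.0/24 with a printer at 10.0.0.20, guest DMZ11 192.168.11.0/24, the ASA's outside address used for PAT); the interface name DMZ11 and the ACL names come from the post. It uses the pre-8.3 nat/global/static syntax the post uses.

```text
! Added example; addresses and interface numbering are assumptions, not the post's.
! Security levels as in the post: inside 100, DMZ11 50, outside 0.
interface Vlan11
 nameif DMZ11
 security-level 50
 ip address 192.168.11.1 255.255.255.0
!
! Step 1: ACL applied inbound on DMZ11. Order matters: specific permits first,
! then an explicit deny for the whole inside network, then permit everything
! else (the Internet). Without the explicit deny, the final permit would also
! reach the inside, because an ACL is evaluated top down to the first match.
access-list DMZ11 extended permit tcp 192.168.11.0 255.255.255.0 host 10.0.0.20 eq 9100
access-list DMZ11 extended permit tcp 192.168.11.0 255.255.255.0 host 10.0.0.20 eq 631
access-list DMZ11 extended permit udp 192.168.11.0 255.255.255.0 host 10.0.0.20 eq snmp
access-list DMZ11 extended deny ip 192.168.11.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list DMZ11 extended permit ip 192.168.11.0 255.255.255.0 any
access-group DMZ11 in interface DMZ11
!
! Step 2: NAT exemption (nat 0 + access-list) so guest addresses are not
! translated towards the inside; nat 0 is consulted before any other nat
! statement. Everything else leaving DMZ11 is PATed to the outside address.
access-list nonatdmz extended permit ip 192.168.11.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (DMZ11) 0 access-list nonatdmz
nat (DMZ11) 1 192.168.11.0 255.255.255.0
global (outside) 1 interface
!
! Identity static for the printer, as the post does to get ICMP through:
! static (real_ifc,mapped_ifc) mapped_ip real_ip
static (inside,DMZ11) 10.0.0.20 10.0.0.20 netmask 255.255.255.255
!
! Verification (packet-tracer is available on ASA 7.2 and later):
!   packet-tracer input DMZ11 tcp 192.168.11.50 40000 10.0.0.20 9100     -> ALLOW (ACL line 1)
!   packet-tracer input DMZ11 tcp 192.168.11.50 40000 10.0.0.30 445      -> DROP  (explicit deny)
!   packet-tracer input DMZ11 tcp 192.168.11.50 40000 198.51.100.10 80   -> ALLOW via global 1
!   show access-list DMZ11        (hit counts confirm which line each flow matched)
```

The explicit deny line is the security-relevant part: a guest VLAN ACL that ends in "permit ip ... any" with no deny in front of it is a full route into the inside network. On ASA 8.3 and later the same intent is expressed with twice NAT (`nat (DMZ11,inside) source static ... destination static ...`) and the ACL is written against the real addresses, but the ordering rule is unchanged.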

Example 2
Allowing a web server on the DMZ access to the Internet and to certain servers on the inside. This DMZ segment is different from the Internet-only DMZ of Example 1: only a few known servers live on this DMZ, whereas the guest machines on the Internet-only DMZ just need access to the Internet. (As in Example 1, the addresses were lost from this post; only the command skeletons remain.)

Step 1. Create the ACL allowing the DMZ host access to the inside (here, web on two inside servers).

access-list DMZ extended permit tcp host host eq www
access-list DMZ extended permit tcp host host eq www
access-group DMZ in interface DMZ

Step 2. Allow the Internet access to the DMZ web server.

access-list enter extended permit tcp any host eq www
access-group enter in interface outside

Step 3. Create the static command for the traffic flow from lower to higher (Outside > DMZ).

static (DMZ,outside) netmask

The static statement presents the server on the outside interface under its public address; the "enter" ACL then permits only tcp/80 to it. Notice the last two lines of the DMZ11 ACL in Example 1: an explicit deny statement, then a permit statement. The final permit is needed because of the implicit deny at the end of every ACL; the explicit deny in front of it keeps that permit from also opening the inside.

Step 4. Create the NAT command for the traffic flow from higher to lower (aka do not NAT this traffic).

access-list nonat extended permit ip
nat (inside) 0 access-list nonat

References:
Google search: Traffic between DMZ and Internal on Cisco ASA 5520 (Experts Exchange link)
Google search: Cisco ASA-5505 DMZ to Inside Network access and Outside to DMZ access (Experts Exchange link)
http://www.streetdirectory.com/ … .html

Updated: 06/22/2011

Here is an example where our MPLS router was down and I needed to gain SSH access. I opened a NAT translation from the ASA to the MPLS router and removed it as soon as I finished entering my commands.

static (inside,outside) netmask
access-list outside extended permit ip any host
access-group outside in interface outside

To allow only SSH, try the ACL below. I did not test it, but it should work.

access-list outside extended permit tcp any host eq ssh

To remove access:

no access-list outside extended permit ip any host
no access-group outside in interface outside
no static (inside,outside) netmask

Categories: Networking
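The temporary SSH opening from the 06/22/2011 update, as an added example that is not the post's own configuration. Addresses are assumed: the MPLS router at 10.3.1.2 on the inside, a spare public address 203.0.113.4 on the outside, and the administrator's workstation at 198.51.100.7. It tightens the post's "permit ip any host" to one port from one source, adds the checks to run before relying on it, and removes everything in the right order afterwards.

```text
! Added example; all addresses are assumptions, not the post's.
!
! 1. Publish the inside router on the outside (static, lower -> higher flow).
static (inside,outside) 203.0.113.4 10.3.1.2 netmask 255.255.255.255
!
! 2. Permit only SSH, and only from the known management source. The post's
!    "permit ip any host" would expose every port on the router to the whole
!    Internet for as long as the static exists.
access-list outside extended permit tcp host 198.51.100.7 host 203.0.113.4 eq ssh
access-group outside in interface outside
!
! 3. Check before relying on it (packet-tracer is available on ASA 7.2+):
!    packet-tracer input outside tcp 198.51.100.7 50000 203.0.113.4 22   -> ALLOW
!    packet-tracer input outside tcp 192.0.2.9 50000 203.0.113.4 22      -> DROP (acl-drop)
!    packet-tracer input outside tcp 198.51.100.7 50000 203.0.113.4 23   -> DROP (acl-drop)
!    show xlate | include 10.3.1.2                                       -> the static xlate
!
! 4. Tear down in reverse order as soon as the work is done. Unbinding the
!    ACL first returns the outside interface to the default (lower-to-higher
!    denied) while the static still exists; "clear xlate" for the mapped
!    address closes any session that was still riding on the translation.
no access-group outside in interface outside
no access-list outside extended permit tcp host 198.51.100.7 host 203.0.113.4 eq ssh
no static (inside,outside) 203.0.113.4 10.3.1.2 netmask 255.255.255.255
clear xlate global 203.0.113.4
```

One caveat a practitioner will want: an ASA binds a single inbound ACL per interface, so if the outside interface already carries an ACL (the "enter" ACL from Example 2, for instance), binding a new "outside" ACL replaces it and "no access-group" later leaves the interface with no ACL at all. In that situation add the temporary ssh line to the existing ACL and remove only that line, rather than swapping access-groups.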


