
Allow traffic from inside to outside in the Cisco ASA Firewall

TigerDao

Administrator
Staff member
For traffic to pass through interfaces on a Cisco ASA firewall, several conditions must be met. Since we are talking here about the inside and outside interfaces, this means traffic from a higher security level (inside) to a lower security level (outside). The most important conditions to check here are NAT (if used) and the access control list (ACL). See the details below:

Traffic from inside to outside using NAT

This is the most common scenario. NAT is used in most real networks to hide the internal network and translate non-routable private IP addresses (internal network) to publicly routable IP addresses on the outside (public IP).

We can have two types of NAT:

  1. Dynamic NAT with PAT (Port Address Translation)
  2. Static NAT

Here we will look at the most common scenario, which is PAT. This is a many-to-one translation: all internal IP addresses are translated through a single public IP address assigned by the ISP, which exists on the outside of the ASA.

For the ASA to keep track of all these many-to-one translations, it uses port numbers. Each connection from an internal IP address is assigned a different port on the single public address, so the ASA can match return traffic back to the right internal host.
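The port-based bookkeeping described above, as an added example that is not code from the original post or from Cisco. It uses the post's own addresses (192.168.1.0/24 behind 100.100.100.1); the port allocation policy is a simplification of what a real ASA does, and it shows the collision case where two inside hosts use the same source port.

```python
"""Toy model of the many-to-one PAT translation described above.

Added example, not code from the original post or from Cisco. The addresses
are the post's own (192.168.1.0/24 behind 100.100.100.1); the port
allocation policy is a simplification of what a real ASA does.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class PatTable:
    public_ip: str                    # the single outside address
    next_port: int = 1024             # where allocation starts when a port is taken
    forward: Dict[Endpoint, int] = field(default_factory=dict)   # inside -> xlate port
    reverse: Dict[int, Endpoint] = field(default_factory=dict)   # xlate port -> inside

    def _free_port(self) -> int:
        # Skip ports already held by another inside host (the collision case).
        while self.next_port in self.reverse:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("PAT exhausted: no free ports on the public address")
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, inside: Endpoint) -> Endpoint:
        """Inside -> outside: return (public_ip, port), reusing an existing xlate."""
        if inside in self.forward:
            return (self.public_ip, self.forward[inside])
        # Keep the original source port if nobody else holds it, else allocate one.
        port = inside[1] if inside[1] not in self.reverse else self._free_port()
        self.forward[inside] = port
        self.reverse[port] = inside
        return (self.public_ip, port)

    def translate_inbound(self, public: Endpoint) -> Optional[Endpoint]:
        """Outside -> inside: return traffic is matched to its xlate by port.

        A packet to the public address on a port with no xlate has nowhere to
        go and is dropped, which is why unsolicited inbound traffic fails.
        """
        if public[0] != self.public_ip:
            return None
        return self.reverse.get(public[1])
```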

Let’s look at the configuration that allows all traffic from inside to outside using PAT:

Assume the following:

Inside LAN range: 192.168.1.0/24
Available public IP addresses: 100.100.100.1 – 100.100.100.32
ASA outside interface IP address: 100.100.100.1

Option 1:

Use the ASA outside interface IP (100.100.100.1) to translate all internal addresses:

Commands for ASA versions lower than 8.3:

ciscoasa-tgm(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa-tgm(config)# global (outside) 1 interface

Commands for ASA versions 8.3 and later:

ciscoasa-tgm(config)# object network internal_lan
ciscoasa-tgm(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa-tgm(config-network-object)# nat (inside,outside) dynamic interface

Option 2:

Use one of the other available public IP addresses for translation:

Commands for ASA versions lower than 8.3:

ciscoasa-tgm(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa-tgm(config)# global (outside) 1 100.100.100.2 netmask 255.255.255.255

Commands for ASA versions 8.3 and later:

ciscoasa-tgm(config)# object network internal_lan
ciscoasa-tgm(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa-tgm(config-network-object)# nat (inside,outside) dynamic 100.100.100.2

Now we need to look at the access list (ACL). By default, if you do not apply an access list on the inside interface, all traffic is allowed through because inside has the highest security level (100).

However, if you apply an access list to the inside interface, you must explicitly permit the IP traffic you want to pass through in that ACL. The example below permits everything:

ciscoasa-tgm(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa-tgm(config)# access-group INSIDE_IN in interface inside


Traffic from inside to outside without NAT

There are some cases where we don't want NAT from inside to outside. In this case, the Cisco ASA firewall works like a router, but it still applies firewall inspection to the traffic. All you have to do here is disable the NAT requirement and then allow traffic using an ACL (the nat-control command applies to versions before 8.3; from 8.3 onward, NAT is no longer required for traffic to pass, so only the ACL is needed):

ciscoasa-tgm(config)# no nat-control
ciscoasa-tgm(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa-tgm(config)# access-group INSIDE_IN in interface inside


Good luck!
