On a Cisco ASA firewall, several conditions must be met before traffic can pass between interfaces. Here we are talking about the inside and outside interfaces, i.e. traffic from a higher security level (inside) to a lower security level (outside). The most important conditions to check are NAT (if used) and the access control list (ACL). See the details below:
Traffic from inside to outside using NAT
This is the most common scenario. NAT is used in real networks to hide the internal network and to translate non-routable private IP addresses (internal network) into publicly routable IP addresses on the outside.
We can have two types of NAT:
- Dynamic NAT with PAT (Port Address Translation)
- Static NAT
Here we will look at the most common scenario, which is PAT. This is a many-to-one translation: it allows all internal IP addresses to be translated through a single public IP address assigned by the ISP and configured on the outside of the ASA.
For the ASA to keep track of all these many-to-one translations it uses port numbers: each connection from an internal IP address is assigned a different source port on the public IP, and that port identifies the internal host when the return traffic comes back.
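To make the many-to-one bookkeeping concrete, here is an added Python model of a PAT translation table (example code, not part of the original article and not how the ASA implements it internally). It uses the article's assumptions (inside LAN 192.168.1.0/24, outside interface IP 100.100.100.1); the destination addresses, starting port 1024 and sequential port allocation are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Values taken from the article's assumptions (option 1: translate to the interface IP).
INSIDE_LAN = ipaddress.ip_network("192.168.1.0/24")
PAT_ADDRESS = ipaddress.ip_address("100.100.100.1")

# A flow as seen on the inside: (src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, int, str, int]


@dataclass
class PatTable:
    """Many-to-one translation: every inside flow gets its own port on one public IP."""
    public_ip: ipaddress.IPv4Address
    inside_net: ipaddress.IPv4Network
    next_port: int = 1024  # constructed: sequential allocation keeps the example predictable
    outbound: Dict[Flow, int] = field(default_factory=dict)
    # (translated_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def translate_outbound(self, src_ip: str, src_port: int,
                           dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return (public_ip, translated_port) for a packet leaving the inside interface.

        Returns None when the source is not covered by the nat statement, i.e. the
        packet would leave untranslated (or be dropped under nat-control).
        """
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return None
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (str(self.public_ip), self.outbound[key])

    def translate_inbound(self, dst_port: int, remote_ip: str,
                          remote_port: int) -> Optional[Tuple[str, int]]:
        """Map a return packet (to public_ip:dst_port from remote) back to the inside host.

        Returns None for unsolicited inbound traffic: no translation entry exists,
        so the ASA has nowhere to forward it.
        """
        return self.inbound.get((dst_port, remote_ip, remote_port))


def demo() -> Tuple[Optional[Tuple[str, int]], Optional[Tuple[str, int]],
                    Optional[Tuple[str, int]], Optional[Tuple[str, int]]]:
    """Two inside hosts reach the same server; both share 100.100.100.1 but get distinct ports."""
    table = PatTable(PAT_ADDRESS, INSIDE_LAN)
    # Constructed sample flows (203.0.113.5 is a documentation address).
    a = table.translate_outbound("192.168.1.10", 5000, "203.0.113.5", 443)
    b = table.translate_outbound("192.168.1.11", 5000, "203.0.113.5", 443)
    back = table.translate_inbound(1024, "203.0.113.5", 443)   # reply to host .10
    outsider = table.translate_outbound("10.0.0.5", 5000, "203.0.113.5", 443)  # not in nat scope
    return a, b, back, outsider


if __name__ == "__main__":
    print(demo())
```

Both inside hosts use the same local port 5000, so only the translated port on 100.100.100.1 distinguishes them; the `inbound` map is what lets the ASA deliver the reply to the right host, and the absence of an entry is why unsolicited traffic from the outside does not reach the LAN.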
Let’s look at the configuration that allows all traffic from inside to outside using PAT:
Assume the following:
Inside LAN range: 192.168.1.0/24
Available public IP addresses: 100.100.100.1 – 100.100.100.32
ASA outside interface IP address: 100.100.100.1
Option 1:
Use the ASA interface IP (100.100.100.1) to translate all internal addresses:
Commands for ASA versions lower than 8.3:
ciscoasa-tgm(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa-tgm(config)# global (outside) 1 interface
Commands for ASA versions 8.3 and later:
ciscoasa-tgm(config)# object network internal_lan
ciscoasa-tgm(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa-tgm(config-network-object)# nat (inside,outside) dynamic interface
Option 2:
Use one of the other available public IP addresses for translation:
Commands for ASA versions lower than 8.3:
ciscoasa-tgm(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa-tgm(config)# global (outside) 1 100.100.100.2 netmask 255.255.255.255
Commands for ASA versions 8.3 and later:
ciscoasa-tgm(config)# object network internal_lan
ciscoasa-tgm(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa-tgm(config-network-object)# nat (inside,outside) dynamic 100.100.100.2
Now we need to look at the access list (ACL). By default, if you do not apply an access list to the inside interface, all traffic is allowed through because inside has the highest security level (100).
However, once you apply an access list to the inside interface, only what the ACL explicitly permits passes (everything else hits the implicit deny at the end of the list), so to keep all IP traffic flowing you must permit it explicitly:
ciscoasa-tgm(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa-tgm(config)# access-group INSIDE_IN in interface inside
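The two rules just described (higher-to-lower security level passes by default; an applied ACL is evaluated top-down and ends in an implicit deny) are shown in this added Python model of the ASA's ingress decision. It is example code, not part of the article and not the ASA's own logic; the ACL entry format and the hosts used are constructed, and equal security levels are treated as denied (the default without `same-security-traffic permit`).

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed ACE format: (action, protocol, source, destination); "any" is a wildcard,
# otherwise a network in CIDR form. Mirrors "access-list ... extended permit ip any any".
AclEntry = Tuple[str, str, str, str]


def _matches(spec: str, ip: str) -> bool:
    """True if the address falls under the ACE's source/destination specification."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def acl_decision(acl: List[AclEntry], proto: str, src: str, dst: str) -> bool:
    """Evaluate an ACL top-down; first matching entry wins, otherwise implicit deny."""
    for action, ace_proto, ace_src, ace_dst in acl:
        if ace_proto in ("ip", proto) and _matches(ace_src, src) and _matches(ace_dst, dst):
            return action == "permit"
    return False  # implicit deny at the end of every ASA access list


def is_allowed(src_level: int, dst_level: int, acl: Optional[List[AclEntry]],
               proto: str, src: str, dst: str) -> bool:
    """Ingress decision for a packet arriving on an interface with security level src_level.

    acl is the list bound with access-group on that interface, or None if none is bound.
    """
    if acl is None:
        # No access-group on the ingress interface: only higher -> lower security is
        # allowed by default (equal levels assumed denied, see lead-in).
        return src_level > dst_level
    return acl_decision(acl, proto, src, dst)


# Constructed scenario: inside (100) -> outside (0) with and without INSIDE_IN applied.
INSIDE, OUTSIDE = 100, 0
INSIDE_IN_PERMIT_ALL: List[AclEntry] = [("permit", "ip", "any", "any")]
INSIDE_IN_TCP_ONLY: List[AclEntry] = [("permit", "tcp", "192.168.1.0/24", "any")]


def scenario() -> Tuple[bool, bool, bool, bool]:
    no_acl_out = is_allowed(INSIDE, OUTSIDE, None, "udp", "192.168.1.10", "203.0.113.5")
    no_acl_in = is_allowed(OUTSIDE, INSIDE, None, "udp", "203.0.113.5", "192.168.1.10")
    permit_all = is_allowed(INSIDE, OUTSIDE, INSIDE_IN_PERMIT_ALL, "udp", "192.168.1.10", "203.0.113.5")
    tcp_only_udp = is_allowed(INSIDE, OUTSIDE, INSIDE_IN_TCP_ONLY, "udp", "192.168.1.10", "203.0.113.5")
    return no_acl_out, no_acl_in, permit_all, tcp_only_udp


if __name__ == "__main__":
    print(scenario())
```

The fourth case is the one that surprises people: applying an ACL that only permits TCP silently drops the DNS and other UDP traffic that flowed fine before the `access-group`, because the implicit deny now applies to everything the list does not mention.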
Traffic from inside to outside without NAT
There are some cases where we do not want inside-to-outside NAT. In this case the Cisco ASA works like a router, but it still applies firewall inspection to the traffic. All you have to do here is disable the NAT requirement (nat-control) and then allow the traffic with an ACL:
ciscoasa-tgm(config)# no nat-control
ciscoasa-tgm(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa-tgm(config)# access-group INSIDE_IN in interface inside
Good luck!