Cisco ASA – simple 1 to 1 NAT and firewall policy setup

For those who have been working with Cisco routers, setting up a Cisco ASA stateful policy is as simple as setting up an ACL. By default, the ASA drops any TCP connection that does not have a session record created by a SYN packet. Because the ASA tracks state, the user does not need to set up an ACL for the return traffic, as would be required when working with routers.

In this example, we have 192.168.104.250/32 as the server in the DMZ and apply a 1-to-1 NAT mapping for incoming traffic so that internet users can access the HTTP service only.

The IP address of the firewall is 10.50.2.10/29, and we will map the server to another external IP address, 10.50.2.11.

object network 10.50.2.11_32
subnet 10.50.2.11 255.255.255.255

object network 192.168.104.250_32
host 192.168.104.250

nat (untrust,DMZ) source static any any destination static 10.50.2.11_32 192.168.104.250_32 unidirectional     <– this is the twice NAT one-to-one mapping for incoming traffic only. When traffic from 192.168.104.250 accesses the internet, the source address of the packet WILL NOT be translated to 10.50.2.11 in this case.

access-list untrust_in extended permit icmp any4 any4     <– this allows the firewall and the mapped device to respond to ICMP packets.
access-list untrust_in extended permit tcp any4 host 192.168.104.250 eq www     <– this allows any IPv4 address to reach TCP port 80 on 192.168.104.250. Note that the access list matches the real (untranslated) address of the server, not the mapped address 10.50.2.11.

access-group untrust_in in interface untrust     <– this applies the access list as the ingress filter on the untrust interface.
To test the policy settings, we can use packet-tracer in the ASA itself.
net-vASA-AS5052-F14# packet-tracer input untrust tcp 8.8.8.8 12345 10.50.2.11 80
(8.8.8.8 is an arbitrary source address, 12345 is an arbitrary source port since high ports are used for initiating a connection, and 80 is the destination port)
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (untrust,DMZ) source static any any destination static 10.50.2.11_32 192.168.104.250_32 unidirectional
Additional Information:
NAT divert to egress interface DMZ
Untranslate 10.50.2.11/80 to 192.168.104.250/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group untrust_in in interface untrust
access-list untrust_in extended permit tcp any4 host 192.168.104.250 eq www
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (untrust,DMZ) source static any any destination static 10.50.2.11_32 192.168.104.250_32 unidirectional
Additional Information:
Static translate 8.8.8.8/12345 to 8.8.8.8/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,untrust) source static 192.168.104.250_32 untrust-111.111.111.111_32
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 29, packet dispatched to next module

Result:
input-interface: untrust
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

The test result shows that the firewall will ALLOW any packets with destination port of 80 to the server.


Since we have performed a 1-to-1 incoming mapping to the server, would the HTTPS service on the server also be accessible to internet users? We can use packet-tracer to check again.

net-vASA-AS5052-F14# packet-tracer input untrust tcp 8.8.8.8 12345 10.50.2.11 443
(12345 is an arbitrary source port since high ports are used for initiating a connection, and 443 is the destination port)

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (untrust,DMZ) source static any any destination static 10.50.2.11_32 192.168.104.250_32 unidirectional
Additional Information:
NAT divert to egress interface DMZ
Untranslate 10.50.2.11/443 to 192.168.104.250/443

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: untrust
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The test result shows that the firewall will DROP any packets with destination port 443 to the server. The beauty of packet-tracer is that it provides the drop reason; in this case, the packet was dropped because no policy allows it, so it hit the implicit deny at the end of the access list.
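When validating a policy you usually run packet-tracer for several flows, and reading every phase by hand is tedious. The following parser is an added example (not part of the original post and not an ASA feature): it turns packet-tracer output into a structure and reports which phase dropped the packet. The embedded sample is a constructed copy of the HTTPS trace above, trimmed to its key lines.

```python
# Parse Cisco ASA packet-tracer output: phases, final action, and the phase that dropped the packet.
import re
# Constructed sample: the HTTPS trace from the post, trimmed to its key lines.
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (untrust,DMZ) source static any any destination static 10.50.2.11_32 192.168.104.250_32 unidirectional
Additional Information:
Untranslate 10.50.2.11/443 to 192.168.104.250/443

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Return {'phases': [...], 'action': 'allow'|'drop', 'drop_reason': str|None}."""
    phases, verdict = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):   # phases are separated by blank lines
        lines = block.splitlines()
        phase, section = {"config": [], "info": []}, None
        for line in lines[1:]:                          # lines[0] is "Phase: N" or "Result:"
            if line in ("Config:", "Additional Information:"):
                section = "config" if line == "Config:" else "info"
            elif section is None:                       # header lines such as "Result: DROP"
                key, _, value = line.partition(":")
                phase[key.lower()] = value.strip()
            else:                                       # body of Config / Additional Information
                phase[section].append(line)
        if lines[0].startswith("Result:"):              # final verdict block, not a phase
            verdict = phase
        else:
            phases.append(phase)
    return {"phases": phases, "action": verdict.get("action"), "drop_reason": verdict.get("drop-reason")}

def blocking_phase(trace):
    """First phase whose Result is DROP, or None when the packet was allowed."""
    return next((p for p in trace["phases"] if p.get("result") == "DROP"), None)
```

Running `blocking_phase(parse_trace(SAMPLE_TRACE))` on the sample returns the ACCESS-LIST phase with config `Implicit Rule`, which is exactly the line a reviewer needs to confirm that the drop came from the implicit deny rather than from NAT.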
