{"id":736,"date":"2016-12-15T11:17:34","date_gmt":"2016-12-15T03:17:34","guid":{"rendered":"https:\/\/networkingnotesblog.wordpress.com\/?p=736"},"modified":"2016-12-15T11:17:34","modified_gmt":"2016-12-15T03:17:34","slug":"cisco-asa-simple-nat-and-firewall-policy-setup","status":"publish","type":"post","link":"http:\/\/notes4it.com\/?p=736","title":{"rendered":"Cisco ASA – simple 1 to 1 NAT and firewall policy setup"},"content":{"rendered":"

For those who had been working with Cisco routers, setting up a Cisco ASA stateful policy is as simple as setting up an ACL. \u00a0By default, ASA would drop any TCP connection that doesn’t have a session record created with a sync packet. In that case user doesn’t require to a setup ACL for return traffic like working with routers.
\nIn this example, we have 192.168.104.250\/32 as the server in the DMZ and have the have NAT 1 to 1 incoming traffic mapping applied to allow internet user accessing the http service only.
\nThe IP address of the firewall is 10.50.2.10\/29, and we will assign the mapping of the server to another external IP address of 10.50.2.11
\n\"20161215-vasa-lab-nat\"<\/a>
\nobject network 10.50.2.11_32
\nsubnet 10.50.2.11 255.255.255.255
\nobject network 192.168.104.250_32
\nhost 192.168.104.250
\nnat (untrust,DMZ) source static any any destination static 10.50.2.11_32 192.168.104.250_32 unidirectional \u00a0 \u00a0 <– this is the twice\u00a0NAT one to one mapping for incoming traffic only. when traffic from 192.168.104.250 accessing the internet, the packet of the source address WILL NOT translated to 10.50.2.11 in this case.
\naccess-list untrust_in extended permit icmp any4 any4 \u00a0 \u00a0 <– this is to allow the firewall and the mapped device to take response to the icmp packets.
\naccess-list untrust_in extended permit tcp any4 host 192.168.104.250 eq www \u00a0 \u00a0 <– this is to allow any IPv4 address to access 192.168.104.250 s tcp 80 port.
\naccess-group untrust_in in interface untrust \u00a0 \u00a0 <– this is to apply the firewall filter as the ingress filter in the untrust interface.
\nTo test the policy settings, we can use packet-tracer in the ASA itself.
\nnet-vASA-AS5052-F14# packet-tracer input untrust tcp 8.8.8.8<\/span> 12345<\/span> 10.50.2.11 80<\/span>
\n(the 8.8.8.8<\/span> is a random source address, the 12345<\/span> from source port is randomly made since high ports are used for initialing a traffic, 80<\/span>\u00a0is the destination port)
\nPhase: 1
\nType: UN-NAT
\nSubtype: static
\nResult: ALLOW
\nConfig:
\nnat (untrust,DMZ) source static any any destination static 10.50.2.11_32 192.168.104.250_32 unidirectional
\nAdditional Information:
\nNAT divert to egress interface DMZ
\nUntranslate 10.50.2.11\/80 to 192.168.104.250\/80
\nPhase: 2
\nType: ACCESS-LIST
\nSubtype: log
\nResult: ALLOW
\nConfig:
\naccess-group untrust_in in interface untrust
\naccess-list untrust_in extended permit tcp any4 host 192.168.104.250 eq www
\nAdditional Information:
\nPhase: 3
\nType: NAT
\nSubtype:
\nResult: ALLOW
\nConfig:
\nnat (untrust,DMZ) source static any any destination static 10.50.2.11_32 192.168.104.250_32 unidirectional
\nAdditional Information:
\nStatic translate 8.8.8.8\/12345 to 8.8.8.8\/12345
\nPhase: 4
\nType: NAT
\nSubtype: per-session
\nResult: ALLOW
\nConfig:
\nAdditional Information:
\nPhase: 5
\nType: IP-OPTIONS
\nSubtype:
\nResult: ALLOW
\nConfig:
\nAdditional Information:
\nPhase: 6
\nType: NAT
\nSubtype: rpf-check
\nResult: ALLOW
\nConfig:
\nnat (DMZ,untrust) source static 192.168.104.250_32 untrust-111.111.111.111_32
\nAdditional Information:
\nPhase: 7
\nType: NAT
\nSubtype: per-session
\nResult: ALLOW
\nConfig:
\nAdditional Information:
\nPhase: 8
\nType: IP-OPTIONS
\nSubtype:
\nResult: ALLOW
\nConfig:
\nAdditional Information:
\nPhase: 9
\nType: FLOW-CREATION
\nSubtype:
\nResult: ALLOW
\nConfig:
\nAdditional Information:
\nNew flow created with id 29, packet dispatched to next module
\nResult:
\ninput-interface: untrust
\ninput-status: up
\ninput-line-status: up
\noutput-interface: DMZ
\noutput-status: up
\noutput-line-status: up
\nAction: allow
\nThe test result shows that the firewall will ALLOW<\/strong>\u00a0any packets with destination port of 80\u00a0to the server.
\n<\/p>\n

\n

Since we have perform a 1 to 1 incoming mapping to the server, would https\u00a0services in the server be able to access by the internet users as well? We could use packet tracer to check with again.
\nnet-vASA-AS5052-F14# packet-tracer input untrust tcp 8.8.8.8 12345<\/span> 10.50.2.11 443
\n(the 12345<\/span> from source port is randomly made since high ports are used for initialing a traffic, 443<\/span> is the destination port)<\/span>
\n<\/span>
\nPhase: 1
\nType: UN-NAT
\nSubtype: static
\nResult: ALLOW
\nConfig:
\nnat (untrust,DMZ) source static any any destination static 10.50.2.11_32 192.168.104.250_32 unidirectional
\nAdditional Information:
\nNAT divert to egress interface DMZ
\nUntranslate 10.50.2.11\/443 to 192.168.104.250\/443
\nPhase: 2
\nType: ACCESS-LIST
\nSubtype:
\nResult: DROP
\nConfig:
\nImplicit Rule
\nAdditional Information:
\nResult:
\ninput-interface: untrust
\ninput-status: up
\ninput-line-status: up
\noutput-interface: DMZ
\noutput-status: up
\noutput-line-status: up
\nAction: drop<\/strong>
\nDrop-reason: (acl-drop) Flow is denied by configured rule
\nThe test result shows that the firewall will DROP<\/strong>\u00a0any packets with destination port of 443 to the server. The beaut of packet tracer would provide the drop reason, and in this case, it means the packet was drop due to no allowed policy applied.<\/p>\n","protected":false},"excerpt":{"rendered":"

For those who had been working with Cisco routers, setting up a Cisco ASA stateful policy is as simple as setting up an ACL. \u00a0By default, ASA would drop any TCP connection that doesn’t have a session record created with a sync packet. In that case user doesn’t require to a setup ACL for return […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,3],"tags":[14,26,46,114,131,187,192,193],"class_list":["post-736","post","type-post","status-publish","format-standard","hentry","category-networking","category-virtualization","tag-asa-en","tag-cisco-en","tag-firewall-en","tag-nat-en","tag-policy-en","tag-twice-nat-en","tag-vasa-en","tag-virtual-en"],"_links":{"self":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts\/736","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=736"}],"version-history":[{"count":0,"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts\/736\/revisions"}],"wp:attachment":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=736"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}