Cisco ASA 5505 Adaptive Security Appliance Technical Manual

Overview
Goals
In this example configuration, you can look at what NAT and ACL configuration will be needed in
order to allow inbound access to a web server in the DMZ of an ASA firewall, and allow outbound
connectivity from internal and DMZ hosts. This can be summarized as two goals:
1. Allow hosts on the inside and DMZ outbound connectivity to the Internet.
2. Allow hosts on the Internet to access a web server on the DMZ with an IP address of
192.168.1.100.
Before getting to the steps that must be completed in order to accomplish these two goals, this
document briefly goes over the way ACLs and NAT work on the newer versions of ASA code
(version 8.3 and later).
Access Control List Overview
Access Control Lists (Access-lists or ACLs for short) are the method by which the ASA firewall
determines if traffic is permitted or denied. By default, traffic that passes from a lower to higher
security level is denied. This can be overridden by an ACL applied to that lower security interface.
Also the ASA, by default, allows traffic from higher to lower security interfaces. This behavior can
also be overridden with an ACL.
In earlier versions of ASA code (8.2 and earlier), the ASA compared an incoming connection or
packet against the ACL on an interface without untranslating the packet first. In other words, the
ACL had to permit the packet as if you were to capture that packet on the interface. In version 8.3
and later code, the ASA untranslates that packet before it checks the interface ACLs. This means
that for 8.3 and later code, and this document, traffic to the host's real IP is permitted and not the
host's translated IP.
See the  section of  for more information about ACLs.
NAT Overview
NAT on the ASA in version 8.3 and later is broken into two types known as Auto NAT (Object NAT)
and Manual NAT (Twice NAT). The first of the two, Object NAT, is configured within the
definition of a network object. An example of this is provided later in this document. One primary
advantage of this NAT method is that the ASA automatically orders the rules for processing in
order to avoid conflicts. This is the easiest form of NAT, but with that ease comes a limitation in
configuration granularity. For example, you cannot make a translation decision based on the
destination in the packet as you could with the second type of NAT, Manual NAT. Manual NAT is
more robust in its granularity, but it requires that the lines be configured in the correct order so that
it achieves the correct behavior. This ordering requirement makes Manual NAT more complex to
configure, and as a result it is not used in this configuration example.
See the  section of  for more information about NAT.
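The two overviews above (ACLs evaluated against the real IP in 8.3 and later, and Object NAT configured inside a network object) come together in the following added example, which is not the document's own configuration. It assumes interface names inside, dmz and outside, an inside subnet of 10.1.1.0/24, a DMZ subnet of 192.168.1.0/24 and a public address of 203.0.113.10 for the web server; only the server's real address 192.168.1.100 comes from the text.

```cisco
! Added example, not the document's own configuration. Assumed values:
! interface names inside/dmz/outside, inside subnet 10.1.1.0/24, DMZ subnet
! 192.168.1.0/24, public address 203.0.113.10. Only 192.168.1.100 is from the text.
!
! Goal 1: outbound connectivity for inside and DMZ hosts, using Object NAT with
! dynamic PAT to the outside interface address. Traffic from a higher to a lower
! security level is permitted by default, so no ACL is required for this direction.
object network inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network dmz-net
 subnet 192.168.1.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Goal 2: static Object NAT for the DMZ web server. The ASA orders Object NAT
! rules automatically, placing static translations ahead of dynamic ones, so this
! entry takes precedence over the dmz-net PAT rule for 192.168.1.100.
object network web-server
 host 192.168.1.100
 nat (dmz,outside) static 203.0.113.10
!
! Inbound ACL applied to the lower-security (outside) interface. Because 8.3 and
! later untranslate the packet before the ACL check, the destination is the real
! address (the web-server object, 192.168.1.100), not the translated 203.0.113.10.
! On 8.2 and earlier the same line would have had to reference 203.0.113.10.
access-list outside_access_in extended permit tcp any object web-server eq www
access-group outside_access_in in interface outside
```

After applying it, `show nat` displays the three Object NAT rules in the order the ASA chose, which makes the static-before-dynamic ordering visible without reading the configuration.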