Communication between interfaces

[teacher12345]

Hello to everyone.

I have a problem so I hope that I will find answer here. I have Cisco ASA5510 who have three separate interface:

- E0/0 Inside segment, sec lvl 80
- E0/1 Servers segment (DMZ), sec lvl 100
- E0/2 Outside (p2p withc Cisco 2811), sec lvl 0

So I want to enable nat-control and I want to allow traffic between lower security level interface to higher and vice versa. I already something configure but I have problem when I want to static nat inside.

Configuration:
ASA Version 8.0(5)

interface Ethernet0/0
description ** p2p CoreSW inside LAN **
nameif inside
security-level 80
ip address 192.168.139.65 255.255.255.252

interface Ethernet0/1
description ** Servers segment 192.168.129.x **
nameif dmz-servers
security-level 100
ip address 192.168.129.1 255.255.255.0

interface Ethernet0/2
description ** p2p Outside C2811 **
nameif outside
security-level 0
ip address 192.168.139.1 255.255.255.192

access-list acl_inside_in remark ** inside interface in **
access-list acl_inside_in extended permit ip any any
access-list acl_outside_in remark ** outside interface in **
access-list acl_outside_in extended permit ip any any
access-list acl_dmz-servers_in remark ** dmz-servers interface in **
access-list acl_dmz-servers_in extended permit ip any any

access-group acl_inside_in in interface inside
access-group acl_dmz-servers_in in interface dmz-servers
access-group acl_outside_in in interface outside

# here I allowed communication between dmz-servers interface and inside, outside interfaces.
nat-control
static (dmz-servers,inside) 192.168.129.0 192.168.129.0 netmask 255.255.255.0
static (dmz-servers,outside) 192.168.129.0 192.168.129.0 netmask 255.255.255.0

# but when I want to allow communication from inside interface to dmz-servers and outside I have a problem.
# This is subnet behinde inside interface :
192.168.128.0/24
192.168.130.0/24
192.168.131.0/24
192.168.132.0/24
192.168.133.0/24
192.168.134.0/24
192.168.135.0/24
192.168.136.0/24
192.168.137.0/24
192.168.138.0/24
192.168.139.0/24
192.168.140.0/24
192.168.141.0/24
192.168.142.0/24
192.168.143.0/24
192.168.144.0/24
192.168.145.0/24
192.168.146.0/24
192.168.147.0/24
192.168.148.0/24
192.168.149.0/24
192.168.150.0/24
192.168.151.0/24
192.168.152.0/24
192.168.153.0/24
192.168.154.0/24
192.168.155.0/24
192.168.156.0/24
192.168.157.0/24
192.168.158.0/24
192.168.159.0/24
192.168.160.0/24
192.168.161.0/24
192.168.162.0/24
192.168.163.0/24
192.168.164.0/24
192.168.165.0/24
192.168.166.0/24
192.168.240.0/24

# I try like this:

static (inside,outside) 192.168.128.0 192.168.128.0 netmask 255.255.128.0

# and get error that subnet 192.168.129.0 is on interface dmz-servers. What is best way to translated and allowed communication between interfaces with?

route outside 0.0.0.0 0.0.0.0 192.168.139.30 1
route inside 192.168.128.0 255.255.128.0 192.168.139.66

Thanks

 

[eladl]

If you want to allow access from lower security (external interface) to the higher security (inside interface), you use the static command, and its better if you specify the IP address and not the entire network scope.
Once you create that static access, you do not have to re-create another static from the higher to lower access. you just need to open ACLs and thats it.

maybe it would be better if you write down the IP addresses of the servers, or what exactly you are trying to open, this way I can write you the exact command.

Elad Levy,
IT Project Manager, CISSP

 

[unclerico]

A question I have is why do you want to use nat-control?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[teacher12345]

Hi,

sorry maybe I not need to use nat-control.. I configured because I think that I will have better security if I use..

Can you tell me when I need this nat-contol ?

Thanks

 

[bannomust]

Hi,
You need a Nat-Control in a case where you need to translate any of the source/destination address when traffic is passing from one interface to another interface.

Nat-Control is only giving the nat funtioanlity nothing else so if you doen't need nat then disable it.

Thanks,
Mustafa Gangardiwala

Mustafa Gangardiwala
CCIE-Security # 16253, CISA
CISM,CISSP,INFOSEC, MCSE, CNE

http://netseczone.blogspot.com

 

[Supergrrover]

Nat-Control is only giving the nat funtioanlity nothing else so if you doen't need nat then disable it.

Actually, nat-control forces the use of natting statments. If there isn't a corresponding nat statement the traffic is denied. Nat-control does not enable or disable the nat ability. You can have natting without that statement in your config.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[vijayakumarg]

can you pls try this,
//purpose of the below command any one can access DMZ server
Nat (dmz-server) 0 192.168.129.0 netmask 255.255.255.0
//outside users want to access the inside network
static (inside,outside) 192.168.128.0 192.168.128.0 netmask 255.255.128.0