Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Using ASA 5510 without NAT

Status
Not open for further replies.
Couz69

Couz69

ISP
Mar 8, 2007
2
FR
Hello,

I am trying to configure a new ASA without NAT.
I need to be able to access my server in dmz using his PUB ip address whithout NAT.

Could you let me know how to configure this ?

My config :

interface Ethernet0/0
nameif outside
security-level 0
ip address 82.81.80.79 255.255.255.248
!
interface Ethernet0/1
nameif dmz
security-level 100
ip address 79.78.77.76 255.255.255.248
!
interface Management0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only

Do you know if this design have security issue ?

Thanks for you help
 
Sort by date Sort by votes
Hope this helps.

Something to remember is that the different security levels have default permits and denies attached to them depending upon the flow of traffic.

example:

Higher number ---> lower number (default permit)
security level-100 ---> security level-0

Lower number ---> higher number (default deny)
security level-0 ---> security level-100

also, security levels of the same level cannot talk to one another by default.

security level-100 <--denied--> security level-100

You have to specifically allow them to do so (sorry can't think of the exact command).

What you may want to do is this:

outside (security level-0)
DMZ (security level-50)
inside (security level-100)

By default, this will allow inside traffic to travel to each of the other zones, by not the other way around (unless established).

By using ACLs you can then explicitly permit traffic to come back in as necessary (such as smtp, http, etc going to the DMZ).

For the NAT part, you can specify NAT exemptions for traffic based upon source and destination. That would allow you to exempt traffic from being NATed when going from inside to the DMZ.

Sorry I don't have command examples. It's late here, and getting tired. If you haven't done so already, you may want to download an ASA configuration guide from Cisco.com. They have some decent examples for NAT and exemptions.




BierHunter
CNE, MCSE, CCNP, CISS
 
Upvote 0 Downvote
Hi BierHunter,

Thank you for your answers.

Actually I have configured the asa with

outside (security level-0)
DMZ (security level-20)
management(security level-100)

the config for the static nat is :

static (dmz,outside) 81.X.Y.Z 81.X.Y.Z netmask 255.255.255.255

Thanks again for your help
Couz
 
Upvote 0 Downvote
The static NAT is not enough. As mentioned by Couz69, going from a higher number to a lower number is allowed by default but from a lower number to a higher number is denied.

On top of the static NAT, you need to apply an access-list to "allow" certain traffic from lower (0) to higher (20).
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
309
intel233
intel233
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
280
intel233
intel233
gkreg
  • Locked
  • Question
asa 5500-x url filtering
Replies
0
Views
187
gkreg
gkreg
phjames
  • Locked
  • Question
Replacement for ASA-5510
Replies
1
Views
94
ADB100
ADB100
AllenH12
  • Locked
  • Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
198
AllenH12
AllenH12

Part and Inventory Search

Sponsor

Back
Top