editlasas.blogg.se

Cisco asa asdm versions
In the last article of this ASDM series, we configured static NAT for a DMZ web server to be accessible from the outside. We also looked at how proxy ARP helps NAT and what to do when proxy ARP is disabled. In this article, we will consider access control policies specifically to ensure that hosts from the outside can access the DMZ server.

As we mentioned in the previous post, static NAT allows for bidirectional communication. We saw that the DMZ web server could open a connection to the outside and that connection was seen as coming from a source IP address of 192.168.20.20 (the mapped IP address). But can a host on the outside connect to the web server? Let’s check this: I will attempt to open an HTTP connection (using telnet) from the Internet-RTR to the web server. I enabled logging on the ASA while attempting that telnet session and the message I got on the console is shown below:

Notice that the ASA is denying the inbound TCP connection to the web server. Why is that? It is always good to remember the default traffic flow on the ASA. It states that traffic will only flow from a higher security level interface (or zone) to a lower security level interface, but not vice versa. The diagram below further explains this concept:

Keeping this concept in mind, how then do we allow traffic to flow from a lower security level interface to a higher security level interface? We make use of access control rules, i.e., access control lists. In our scenario, for example, the DMZ web server should be accessible from the outside on port 80, so we can create an access list to allow this communication.

Another question that arises is: “What IP address should we match in the access list, the real IP address or the mapped IP address?” The answer to that question is: “It depends on the ASA version you are working with.” In older ASA versions, it was dependent on where the access list was being applied. For example, if you are applying the access list on the outside interface and you have a NAT rule where the outside interface is the mapped interface, then you will use the mapped IP address. However, with newer ASA images, the real IP address is always used. If you want to confirm which IP address will be used, you can match both of them (real and mapped) in the access list, initiate a connection, and see which one of the entries has an increased hit count.

To configure an access rule using ASDM, I will navigate to Configuration > Firewall > Access Rules. Notice from the above that there are already some implicit rules for the various zones. These rules implement the default traffic flow that we discussed above. For example, the first row shows the implicit rule that permits traffic from the DMZ to any less secure network. Keep in mind that the implicit rules cannot be edited or deleted.

I will click on the Add button to add a new access rule. Since we do not know all the hosts that might come from the outside, we will use the “any” keyword for the source address. To choose the destination, we can use the network object we created for the web server during our NAT configuration. I will click on the browse button to choose the network object.
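As an added illustration (not code from the original post or from Cisco), the small Python model below reproduces the policy behaviour discussed above: the implicit security-level rule, an explicit access rule applied to the outside interface overriding it, and the real-versus-mapped address question checked through hit counts. The interface levels, the outside host 203.0.113.5 and the real DMZ address 10.10.10.20 are constructed assumptions; 192.168.20.20 is the mapped address from the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed topology in the spirit of the post: interface name -> ASA security level.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed static NAT entry (real -> mapped). 192.168.20.20 is the mapped address
# from the post; the real DMZ address 10.10.10.20 is an assumption.
STATIC_NAT = {"10.10.10.20": "192.168.20.20"}
MAPPED_TO_REAL = {mapped: real for real, mapped in STATIC_NAT.items()}


@dataclass
class Rule:
    """One access rule: CIDR or "any" for source/destination, optional TCP port."""
    src: str
    dst: str
    port: Optional[int]
    action: str  # "permit" or "deny"
    hits: int = 0  # hit count, as ASDM and "show access-list" display it

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        def in_net(net: str, ip: str) -> bool:
            return net == "any" or ip_address(ip) in ip_network(net)
        return (in_net(self.src, src_ip) and in_net(self.dst, dst_ip)
                and (self.port is None or self.port == port))


def evaluate(ingress: str, egress: str, src_ip: str, dst_ip: str, port: int,
             acl: Optional[List[Rule]] = None, real_in_acl: bool = True) -> str:
    """Return 'permit' or 'deny' for a new connection entering on `ingress`.
    real_in_acl=True models newer ASA images (rules match the real address);
    False models older images matching the mapped address on the mapped interface."""
    acl_dst = MAPPED_TO_REAL.get(dst_ip, dst_ip) if real_in_acl else dst_ip
    if acl is not None:
        # An applied access list is evaluated top-down, first match wins and its
        # hit counter increments; it ends in an implicit deny, which replaces the
        # implicit security-level permit on that interface.
        for rule in acl:
            if rule.matches(src_ip, acl_dst, port):
                rule.hits += 1
                return rule.action
        return "deny"
    # No access list applied: default flow, higher security level may initiate to lower.
    return "permit" if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress] else "deny"
```

Matching both the real and the mapped address in the same list and checking which entry's hit count grows reproduces the verification trick described above.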