Hi, quick question regarding the service policy placement on the ASA, not including global because that’s pretty self-explanatory. I created just a simple topology where the ASA was in the middle and has 2 routers on either side; the outside interface had a security level of 0 and inside 100, and the outside interface is also blocking all traffic coming in. I implemented NAT on the ASA as well to change the inside network IPs to the outside interface.
My policy map inspects ICMP and I applied it to a service policy that was placed on the inside interface. I tested it and everything worked as it should: NAT worked and allowed the traffic back into the inside network, and the outside router could not ping the outside ASA interface IP or any inside network addresses. So everything is fine there. The same was done for the outside interface and the same behaviour was present.
My main question, then, is: how does the traffic get back through when the service policy is placed on the inside interface? When the class map matches ICMP, the inspection is applied in the policy map and the service policy is assigned to the inside interface, so the source IP would be the private IP of the host on the inside network. It then goes through NAT, where NAT changes the source IP to the outside IP. When the return traffic comes back, it comes back with a destination address of the ASA outside IP, but the dynamic ACL return traffic is for the destination address of the private IP, so how does it get through when there is no ACL for the traffic coming into the outside interface?
This is different from assigning the service policy on the outside, where the dynamic ACL has the outside IP as the destination, which can then be allowed, and then the NAT binding table can direct traffic along its merry way.
First of all, we apologise for the late response. This is an excellent question, and thank you for sharing it with us.
It all has to do with order of operations. The standard document that is usually provided for order of operations regarding NAT is the following:
Based on this, the inside to outside and outside to inside orders are different. This means that when the traffic returns, it first goes through a NAT outside to inside translation and then goes through the policy routing, in which your policy maps are included. So the policy routing will take place after the NAT translation. So to answer this question:
… is that first the NAT translation occurs, then the policy routing which is based on the ACL which contains the internal IP address, that is, the translated IP address of the host in question.
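As an added example (not from the thread), here is an ASA 8.3+ configuration that reproduces the topology in the question, with assumed interface names, addresses and object names, followed by the commands a practitioner would use to verify the return path:

```cisco
! Added example, not from the original thread; names and addresses are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Dynamic PAT: inside hosts leave with the outside interface address.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Match ICMP with an ACL-based class map (ICMP is not part of
! default-inspection-traffic) and inspect it on the inside interface only.
access-list ICMP-TRAFFIC extended permit icmp any any
class-map ICMP-CLASS
 match access-list ICMP-TRAFFIC
!
policy-map INSIDE-POLICY
 class ICMP-CLASS
  inspect icmp
!
service-policy INSIDE-POLICY interface inside
!
! No access-group on outside: inbound traffic is denied by default, except
! replies that match a connection the ASA already tracks. The echo reply is
! first untranslated (xlate lookup) back to 192.168.1.x and only then matched
! against the ICMP connection that the inspection created, so no outside ACL
! is needed for it.
!
! Verification after pinging from an inside host to the outside router:
!   show xlate                             - ICMP PAT entry for the inside host
!   show conn                              - ICMP connection in the conn table
!   show service-policy interface inside   - inspect icmp counters increasing
! Simulate the reply arriving on outside (type 0 code 0, destined to the PAT
! address); the UN-NAT phase is listed ahead of the ACCESS-LIST phase:
!   packet-tracer input outside icmp 203.0.113.2 0 0 203.0.113.1
```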
“To ensure traffic from the OUTSIDE is able to reach the servers in the DMZ, we will use an access-list that only permits traffic to the IP address (and port numbers) that the servers in the DMZ use.”
Where do you have to configure the ACL? I mean, if I want to permit a specific public IP address to have connectivity to a mail server behind the firewall, I could configure an ACL to permit this public IP address, but where does the ACL have to be located?
Keep in mind that traffic from a lower security level to a higher security level is denied by default. In general, a DMZ will have a higher security level than the outside interface, so in order to go against this default behaviour, an access list which will permit such traffic must be applied.
Now the ACL itself is defined globally using the well-known access list syntax. Once it is defined, you must then apply it to an interface, specifying an inbound or outbound direction. You can find out more information about how to apply access lists on an ASA at the following lesson:
For your specific question, you must create an ACL that permits the destination IP address and port of the server in the DMZ and apply it to the outside interface in the inbound direction. In the above lesson, Rene describes just such an example in the section titled Permit Traffic to DMZ.
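An added configuration example for the mail server case (not the lesson's own code), with assumed addresses and names. On ASA 8.3 and later the ACL references the server's real DMZ address while the NAT statement maps it to the public address:

```cisco
! Added example, not from the lesson; addresses and names are assumptions.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Static NAT: the DMZ mail server is reachable from outside as 203.0.113.25.
object network MAIL-SERVER
 host 10.10.10.25
 nat (dmz,outside) static 203.0.113.25
!
! The single public address allowed to connect (the partner's mail relay).
object network PARTNER-MX
 host 198.51.100.7
!
! ASA 8.3+: the ACL uses the real DMZ address of the server, not the mapped one.
access-list OUTSIDE-IN extended permit tcp object PARTNER-MX object MAIL-SERVER eq smtp
access-list OUTSIDE-IN extended deny ip any any log
!
! Applied on the outside interface, inbound. This is what overrides the default
! deny from security level 0 toward level 50; everything else arriving on
! outside (including traffic toward inside) is now governed by this ACL,
! while replies to established connections are still allowed by state.
access-group OUTSIDE-IN in interface outside
!
! Verification: hit counts, then a simulated SMTP packet from the partner,
! which arrives with the mapped (public) address as its destination.
!   show access-list OUTSIDE-IN
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.25 25
```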
Thanks for this tutorial, but I think you should have discussed the types of firewall?
From my point of view, the R&S (CCNA to CCIE) material you created and are sharing globally is great; it helps me a lot and, I think, others as well, so I want to give my view that you must add a Security part (CCNA to CCIE), both written and lab, to your curriculum.
BTW, thanks a lot again to you and Laz too for creating this channel and for the good support in clearing doubts.
I am working on some firewall/data center labs and came across a similar design and am trying to find the best way to approach it. The fwplacement #1 image is what I have in my lab, and I am trying to force the traffic to my firewall before going to the HSRP Cisco 1841s. I have two 3750 L3 switches that have 4 VLANs on them. I can point them to the firewall, but I am kinda lost after that. I am used to having the firewall on the outside.
Would this be the equivalent of hairpinning? 2) Not changing the configuration, would I have to do a static route and leave no default routing?
There is no single best answer, but there are specific principles that will determine the best arrangement for a particular topology.
Remember that a firewall introduces another location where routing takes place. This affects your topology, and it also introduces a single point of failure into the network if you have only one device. So if you have an HSRP arrangement and you want to maintain that redundancy, introducing a high availability firewall implementation is necessary.
Next you have to determine if “firewall on a stick” is the way to go for you. In the options described in the diagrams, this is the topology that is represented. Typically, you will have three VLANs hanging off of the ASA (inside, DMZ, outside). If you use firewall on a stick, a single physical link will be used to carry traffic for all three VLANs. Alternatively, you can use three physical connections to your switches, but that uses up valuable physical ports on your switches. For this reason, you may want to place them physically inline, between the 3750s and the 1921s shown in the first diagram. That, in turn, seems to defeat the purpose of the HSRP configuration, so you may consider replacing the 1921s with an Active/Active firewall arrangement that will perform the same type of redundancy as the HSRP implementation. In this way, you remove additional points of failure.
If I was building something from scratch, I’d connect the firewalls directly to the service provider in an Active/Active arrangement to replace the HSRP routers. I’d connect both firewalls to both 3750 switches with two physical connections each (DMZ and inside network) and let the 3750s do the rest of the routing for the rest of the internal VLANs.
I would only use the firewall on a stick topology in an already established network for which I want to change the least amount of things.
I know I haven’t definitively answered the question, simply because there is no definitive answer. But I hope it gives you more insight in order to decide on how to proceed.
If your topology is similar to the first diagram, then you would have to configure firewall on a stick for each ASA, then have all your outgoing traffic (from both DMZ and inside networks) use the firewall as the default gateway (or at least route the traffic there), and have the firewall route traffic to the HSRP virtual address.
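As an added example of the firewall-on-a-stick arrangement described above (not from the thread), with assumed VLAN numbers and addresses: one ASA trunk carries the inside, DMZ and outside VLANs, the ASA's default route points at the HSRP virtual address, and the 3750 sends outbound traffic to the ASA:

```cisco
! Added example, not from the original thread; VLANs and addresses are assumed.
! ---- ASA: one physical trunk, three subinterfaces ----
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
interface GigabitEthernet0/0.99
 vlan 99
 nameif outside
 security-level 0
 ip address 10.1.99.2 255.255.255.0
!
! Default route toward the HSRP virtual address shared by the two edge routers,
! whose LAN interfaces sit in VLAN 99 on the 3750s.
route outside 0.0.0.0 0.0.0.0 10.1.99.1 1
! The other internal VLANs stay routed on the 3750s; reach them via the VLAN 10 SVI.
route inside 172.16.0.0 255.255.0.0 10.1.10.254 1
!
! ---- 3750 (IOS): trunk to the ASA and default route toward it ----
interface GigabitEthernet1/0/1
 description Trunk to ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
interface Vlan10
 ip address 10.1.10.254 255.255.255.0
!
! Internal VLANs (172.16.x.0/24 SVIs on the 3750) reach the outside only
! through the ASA; no route on the 3750 points at the HSRP address directly.
ip route 0.0.0.0 0.0.0.0 10.1.10.1
```

Traffic from DMZ hosts uses the ASA's VLAN 20 address as its gateway, so inside-to-DMZ and DMZ-to-outside flows all cross the same trunk twice (in and out of the ASA), which is the bandwidth trade-off of this design.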
This has been very helpful and thank you for your candid response. You brought up some points to consider and overall helped me to understand this method as opposed to the traditional one. I will work on your recommendations and then see how it goes. Thanks again for your response, much appreciated!
It is a great video. Even though I know some of the concepts, you have tied routers, firewall, firewall server and DMZ together, and explained the functionality very well. I understand the individual modules.
Keep up the great work!
I’m not quite sure what you are asking. MD5, SHA1, and SHA256 are encryption algorithms used in a variety of ASA features including VPNs, digital certificates, and the NTP protocol, to name a few. What in particular were you looking for?
After doing some research, I have found that the Cisco ASA supports such IoC indicators when coupled with FirePOWER. You can take a look at this Cisco documentation that specifies more about how to configure it for an ASA.
This Cisco blog also talks about how it can be implemented on both network and endpoint devices:
However, it seems that without FirePOWER, implementing these IoC indicators on an ASA is not possible.
I hope this gives you some more information about what you need. (Also, it seems that your zip file attachment is empty.) If you need more information, please clarify your question so that we can respond to it specifically.