Novice question on ASA 5505

Hey CCSPs,

I have my ASA5505 at home and I am going to put a cisco border router ahead of it and then create my DMZ SL-50 and then SL-100 for internal LAN and of course SL-0 outside.

I am not sure about this but I might have it. Okay.
A security level 0 cannot breach a security level 50 unless a static NAT mapping is setup right? and when you do this does the firewall still
do it filtering?

And SL-50 can talk to SL-100 because communication can go higher but not lower with out setting up static mappings?

I am just concerned as to how do I have the firewalll do it firewall thing(lack of better terms) do I have to setup using my ASDM some kind of policy filtering? or does it do it by default with some kind of stateful inspection?

I just need to put the pieces together..thanks for your help.

Find more posts tagged with

Comments

shednik

Higher security levels are by default allowed to pass traffic to a lower level.

IE inside - 100 outside - 0

So traffic originating from the inside going outside is allowed by default. You can allow traffic the other way but must explicitly define it with FW rules and NAT if needed. ASAs depending on the code level sometimes will need everything to have a NAT entry even for NoNATs. I hope that made sense I'm kinda rushed so if you need some more help I'll check back later.

Ahriakin

Security levels, with no other measures in place, allow stateful replies to traffic that flows from a higher to a lower security interface. This system is really aimed at allowing a PIX/ASA to do a decent job out of the box with just a basic interface config and no ACLs. Once you do place ACLs on the interfaces then Security levels have absolutely no bearing anymore. Since you will want to do some egress filtering on the Inside/DMZs at the very least then you will be placing ACLs and the sec levels as I said become moot.
Whether NAT is prohibitive or not depends on what you have NAT-CONTROL set to (as simple as "no nat-control" to turn it off), at which point you don't need an Xlate of any kind for traffic flow, with it turned on you do (even if it's to set exemptions). Bear in mind though that once you enable NAT'ing of any kind on an interface every connection through it will need NAT - i.e. say you turn off nat-control globally, but enable an Xlate from INSIDE to OUTSIDE for the usual internet stuff, then you think you won't have a problem from INSIDE to the DMZ since you are using private subnets on both, it won't work as the existence of any NAT on the INSIDE interface now overrides the global 'no nat-control' config for anything to/from that interface so you'd need to do a NAT exemption (NAT 0 with an ACL being best) anyway for the INSIDE-DMZ traffic.

itdaddy

Ahriakin

hey thanks. what I am doing is running a 831 soho as my NAT router (border router) and then behind that 831 is a ASA5505 where I want
it to do its thing. My 831 soho will do nat and have a 6t4 tunnel at the outside port. I am trying to setup 6to4 tunneling with the 831 at the border and the asa 5505 as another layer of security but I am not sure
what it really does to be honest beside nat? I mean I have ideas like
prevent DOS attacks etc..I think but I dont really know what else it does.
I have right now the ASA as the border router and then a switch to my LAN. I am playing with ipv6 and want my network secure and dont want to screw things up. any suggestions? or should I just let the out of box deal with it as long as I set up the security levels 0 being outside of asa and dmz being say 50 and inside being 100..what you think about this? thanks

bwbecraft

itdaddy, what level license are you working with on the ASA?

itdaddy

you mean the 10 lan nodes on the inside? right?