Best practice wise - should I let the router or the ASA handle NAT (Overloading)?
In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).
In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.
I can ping the 172.16.2.2 interface but not 172.16.2.1 from a PC connected to one of the layer 2 switches (proves intervlan routing is working -- I have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?
The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.
And most of all -- Why can't I get out to the Internet from the Layer 3 switch?
Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.
Your ASA configuration:
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?
You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.
ASA static routing example:
route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2
Further reading: ASA static routing
Your Cisco Router's configuration:
ip route 0.0.0.0 0.0.0.0 200.200.200.200
Additionally, how will your border router know how to reach subnets other than its connected routes and the catch-all default route via the outside interface's next-hop address 200.200.200.200?
Router static routing example:
ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.20.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10
Further reading: ISR static routing
I cannot get an ip address right now from the DHCP server (Windows). Any insight into why?
Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.
From what I can gather from your topology and configuration, the subnets 172.19.3.0/24, 172.19.12.0/28 and 172.20.100.0/27 should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.
You can remove the ip helper-address syntax from the SVI 100 given that the DHCP server is on the same segment; that command is used for a DHCP server (or servers) that is on a different segment.
interface Vlan100
ip address 172.20.100.1 255.255.255.224
ip helper-address 172.20.100.27
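The routing point in the answer above (the ASA receives the echo-request but sends the echo-reply out the default route because it has no route back to 172.20.100.0/27) can be checked with a small longest-prefix-match model. This is an added Python example, not part of the answer or of any Cisco tooling. The static routes are the ones the answer recommends; the interface names and the masks on the two transit links (172.16.1.0/24 and 172.16.2.0/27) are assumptions, as is the use of 172.16.1.10 as the ASA's outside address, taken from the router's recommended next-hop.

```python
import ipaddress

# Constructed routing tables modelled on the configuration in the answer above.
# Interface names and the masks on the two transit links are assumptions; the
# static routes are exactly the ones the answer recommends adding.
ASA_BASE = [
    ("172.16.1.0/24", "outside", None),        # connected; mask assumed
    ("172.16.2.0/27", "inside", None),         # connected; mask assumed
    ("0.0.0.0/0", "outside", "172.16.1.1"),    # route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
]
ASA_STATICS = [
    ("172.19.12.0/28", "inside", "172.16.2.2"),
    ("172.19.3.0/24", "inside", "172.16.2.2"),
    ("172.20.100.0/27", "inside", "172.16.2.2"),
]
ROUTER_BASE = [
    ("172.16.1.0/24", "lan", None),            # connected; interface name and mask assumed
    ("200.200.200.0/24", "wan", None),         # connected; interface name and mask assumed
    ("0.0.0.0/0", "wan", "200.200.200.200"),   # ip route 0.0.0.0 0.0.0.0 200.200.200.200
]
ROUTER_STATICS = [
    ("172.19.12.0/28", "lan", "172.16.1.10"),
    ("172.19.3.0/24", "lan", "172.16.1.10"),
    ("172.20.100.0/27", "lan", "172.16.1.10"),
    ("172.16.2.0/27", "lan", "172.16.1.10"),
]


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, interface, next_hop).

    Returns (prefix, interface, next_hop); next_hop is None when the
    destination sits on a connected network. Returns None if nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return None if best is None else (str(best[0]), best[1], best[2])


def asa_route(dst, with_statics=False):
    """ASA forwarding decision, with or without the recommended inside routes."""
    return lookup(ASA_BASE + (ASA_STATICS if with_statics else []), dst)


def router_route(dst, with_statics=False):
    """Border router forwarding decision, with or without the recommended routes."""
    return lookup(ROUTER_BASE + (ROUTER_STATICS if with_statics else []), dst)


def echo_reply_exit(pc_ip="172.20.100.8", with_statics=False):
    """Interface the ASA uses for the echo-reply back to the PC in the question."""
    return asa_route(pc_ip, with_statics)[1]


if __name__ == "__main__":
    for statics in (False, True):
        label = "with" if statics else "without"
        print(f"ASA echo-reply to 172.20.100.8 {label} statics:",
              asa_route("172.20.100.8", statics))
        print(f"Router packet to 172.16.2.2 {label} statics:",
              router_route("172.16.2.2", statics))
```

Without the static routes the ASA's only match for 172.20.100.8 is the default route, so the reply leaves via the outside interface towards 172.16.1.1 and never reaches the PC; with them the /27 wins the longest-prefix match and the reply goes back inside to the Layer 3 switch. The same model shows the border router sending anything for 172.16.2.0/27 to 200.200.200.200 until its own statics are added.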
Best Answer
First, there is no dynamic ACL going on here, and stateful inspection is not a factor, either. (But, read the last paragraph for an explanation of how FTP is special.) The firewall will perform stateful inspection regardless of the inspect commands you have configured. Thus, return traffic will always make it back through the firewall because of this stateful behavior, which you can see in the connection table by doing a show conn.

The purpose of an inspect statement is to invoke higher-OSI-layer examination. An example would be that the ESMTP inspection will drop connections where the SMTP client attempts to negotiate TLS. As you can see, that would be layer-7 examination to see that some payload did or did not contain something. That's what inspect statements do.

In contrast to the inspect statement, stateful inspection is only letting return traffic of already-permitted flows come back through the firewall on the exact same ports on which they were initiated. That's layer 4 only.

Now, getting to the misconfig like the one you posted, my memory is a bit foggy from way back when I read the documentation on this type of thing. If I remember correctly, the ASA will only process one inspect statement for any given flow of traffic. So, since the class ftp occurs first in the policy-map test, the traffic will be inspected by the FTP inspection and not the HTTP inspection.

Now, because of the way FTP was designed (multiple TCP streams, dynamic ports), the ASA's FTP inspection has an extra special behavior. It will dig into the payload of the packets on TCP port 21 to look for operations that will open the FTP data channel (which will use TCP port 20). When these operations occur, the FTP payload will contain the TCP destination port number (some random number above 1024) that shall be used, and the ASA will quickly respond by adding a temporary ACL for the SYN packet of the data channel to pass through the firewall. Once the SYN gets through the firewall, stateful inspection kicks in and grants the return traffic to be permitted automatically. To reiterate, letting the SYN packet through is the function of the inspect statement, whereas letting the return traffic through is a function of stateful inspection.

One final comment: you can actually permit FTP through your ASA firewall without using the inspect ftp statement (despite this port 20 behavior) by simply building an ACL that allows traffic between the client and the server on port 21, and between the client and server in both directions on TCP port 20. You would effectively be accomplishing what the inspect statement is intended to do. But that would be horrendously frowned upon by security folks. In contrast to that, you cannot run your firewall without stateful inspection because (1) there is no way to turn it off that I know of, and (2) you would be removing all the security from inside your firewall.
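The distinction the answer draws (stateful inspection is always on and handles return traffic at layer 4; inspect ftp looks into the port 21 payload and opens a temporary entry for the data-channel SYN) is easier to see in a small model. This is an added Python example, written here to illustrate the answer; it is not ASA code and does not reproduce the real implementation. The client and server addresses, the ephemeral ports and the PORT command are constructed, and the firewall's rules are a deliberate simplification: new flows from inside are permitted, new flows from outside need an ACL entry or a pinhole, and a packet with no matching connection is dropped.

```python
import re
from dataclasses import dataclass

INSIDE, OUTSIDE = "inside", "outside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str          # interface the packet arrives on
    syn: bool = False     # first packet of a TCP flow
    payload: bytes = b""


class StatefulFirewall:
    """Toy model of the two mechanisms described in the answer: a stateful
    connection table that is always on, and an optional FTP inspection that
    parses PORT commands and adds a one-shot pinhole for the data-channel SYN."""

    PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

    def __init__(self, inbound_acl=(), inspect_ftp=False):
        # inbound_acl entries are (source_port, dest_port); None matches any port.
        self.inbound_acl = list(inbound_acl)
        self.inspect_ftp = inspect_ftp
        self.conns = set()      # 4-tuples; the model's equivalent of 'show conn'
        self.pinholes = set()   # temporary entries created by inspect ftp

    def _acl_permits(self, pkt):
        return any((sp is None or sp == pkt.sport) and (dp is None or dp == pkt.dport)
                   for sp, dp in self.inbound_acl)

    def process(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conns or reverse in self.conns:
            verdict = "permit: existing conn"          # layer-4 stateful return traffic
        elif not pkt.syn:
            verdict = "drop: no conn"                  # mid-stream packet with no state
        elif pkt.ingress == INSIDE:
            self.conns.add(key)
            verdict = "permit: new outbound conn"      # higher to lower security level
        elif key in self.pinholes:
            self.pinholes.discard(key)                 # used once; state takes over after
            self.conns.add(key)
            verdict = "permit: inspect ftp pinhole"
        elif self._acl_permits(pkt):
            self.conns.add(key)
            verdict = "permit: inbound ACL"
        else:
            verdict = "drop: no ACL or pinhole"
        if verdict.startswith("permit") and self.inspect_ftp and pkt.dport == 21:
            self._inspect_ftp(pkt)                     # layer-7 look into the control channel
        return verdict

    def _inspect_ftp(self, pkt):
        # PORT h1,h2,h3,h4,p1,p2 tells the server to connect from TCP/20 to
        # h1.h2.h3.h4 on port p1*256+p2; pre-authorise exactly that SYN.
        m = self.PORT_CMD.search(pkt.payload)
        if m is None:
            return
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        self.pinholes.add((pkt.dst, 20, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


CLIENT, SERVER = "10.1.1.50", "203.0.113.10"   # constructed addresses


def active_ftp_session(inspect_ftp=False, inbound_acl=()):
    """Replay an active-mode FTP session and return the verdict for each packet."""
    fw = StatefulFirewall(inbound_acl, inspect_ftp)
    packets = [
        Packet(CLIENT, 40001, SERVER, 21, INSIDE, syn=True),           # control channel SYN
        Packet(SERVER, 21, CLIENT, 40001, OUTSIDE),                      # server's reply
        Packet(CLIENT, 40001, SERVER, 21, INSIDE,
               payload=b"PORT 10,1,1,50,156,66\r\n"),                   # 156*256+66 = 40002
        Packet(SERVER, 20, CLIENT, 40002, OUTSIDE, syn=True),            # data channel SYN
        Packet(CLIENT, 40002, SERVER, 20, INSIDE),                       # client's reply
    ]
    return [fw.process(p) for p in packets]


def unsolicited_inbound(inspect_ftp=True):
    """An inbound SYN with no ACL entry and no pinhole is dropped either way."""
    fw = StatefulFirewall(inspect_ftp=inspect_ftp)
    return fw.process(Packet(SERVER, 5555, CLIENT, 80, OUTSIDE, syn=True))


if __name__ == "__main__":
    print("no inspect:", active_ftp_session())
    print("inspect ftp:", active_ftp_session(inspect_ftp=True))
    print("ACL only:", active_ftp_session(inbound_acl=[(20, None)]))
```

Running the three variants shows the answer's point: the control channel and its return traffic pass in every case because of the connection table, the data-channel SYN from port 20 is dropped unless inspect ftp has read the PORT command (or a static ACL admits source port 20 from anywhere, the approach the answer says security folks would frown on), and once that SYN is in, the rest of the data channel rides on stateful inspection with no further involvement from the inspect statement.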