topic NAT 1:1 and access to translated host using global IP address in Network Security

NAT 1:1 and access to translated host using global IP address

JohnRambo87365 — Wed, 08 Apr 2020 11:33:33 GMT

Hi,

I have an ASA 5515, config looks like this:

All inside IP'a are translated to outside. I'm able to ping everything in the Internet and also the host located in DMZ 111.111.111.11 but I'm unable to ping host translated in DMZ (111.111.111.111)

Nat statement looks like this:

object network obj-10.10.10.10
 nat (any,any) static 111.111.111.111

I have tried to change it to DMZ, etc but with no luck.

Re: NAT 1:1 and access to translated host using global IP address

Cristian Matei — Wed, 08 Apr 2020 13:21:29 GMT

Hi,

1. Can you confirm that the object of "obj-10.10.10.10" contains a host entry of 10.10.10.10? From where do you want to access 10.10.10.10 as 111.111.111.111, from outside or from DMZ?

2. Optimize your NAT config, as (this makes 10.10.10.10 reachable via 111.111.111.111 from the DMZ, but nor from the outside):

nat (inside,dmz) static 111.111.111.111

Regards,

Cristian Matei.

Re: NAT 1:1 and access to translated host using global IP address

JohnRambo87365 — Thu, 09 Apr 2020 07:20:38 GMT

Yes, the entry obj-10.10.10.10 contains a host entry of 10.10.10.10.

What i would like to do: host 10.10.10.15 to be able reach 111.111.111.111, not 10.10.10.10

Re: NAT 1:1 and access to translated host using global IP address

Cristian Matei — Thu, 09 Apr 2020 08:15:41 GMT

Hi,

Clearly the recommended way would be to place 10.10.10.10 in the DMZ VLAN. As long as 10.10.10.10 and 10.10.10.15 are within same VLAN, even if you fall them into not speaking directly by doing NAT, if they initiate a direct session it will work. To make wha you want happen, you would have to make both 10.10.10.10 and 10.10.10.15 be visible as something else on the inside, and traffic will be hair-pinned by the FW. This is clearly not recommended as you make the configuration complex in the end hosts could still talk directly. Ensure that except the below config, if there is ingress ACL applied on the inside interface, to global ACL, the traffic between 111.111.111.111 and 111.111.111.115 is allowed:

object network FIRST

host 10.10.10.10

nat (inside,inside) static 111.111.111.111

object network SECOND

host 10.10.10.15

nat (inside,inside) static 111.111.111.115

!
same-security-traffic permit intra-interface

Regards,
Cristian Matei.

Re: NAT 1:1 and access to translated host using global IP address

JohnRambo87365 — Thu, 09 Apr 2020 08:27:12 GMT

I know that best option will be to put 10.10.10.10 in DMZ vlan, but then traffic will flow throught FW. I have couple servers that has been done this way, cos in the past I had only 300 Mbps FW.

I will try what u have recomended.

Re: NAT 1:1 and access to translated host using global IP address

Cristian Matei — Thu, 09 Apr 2020 17:01:37 GMT

Hi,

If you want to NAT a host, traffic has to go through the NATing device, which in your case is the firewall. If you want traffic between 10.10.10.10 and 10.10.10.15 to bypass the firewall, just leave it as it is, they can speak directly without NAT.

Regards,

Cristian Matei.