topic Hi, in Network Security

nat rules help from outside to dmz with both security level 0

Sheraz.Salim — Tue, 12 Mar 2019 07:49:10 GMT

DMZ

Security level 0

Outside

security leve 0

object network DMZ
host 192.168.50.10
object network DMZ
nat (DMZ,outside) static 192.168.192.3

object network remote-hostin
host 1.1.1.1
object network remote-hostin
nat (outside,dmz) static 192.168.192.4

access-list Remote-hostin extended permit ip object remote-hostin object DMZ
access-group Remote-hostin in interface DMZ

kindly could some one advise as this rules are not working. where i am making the mistake?

Hi,

Aditya Ganjoo — Tue, 31 May 2016 12:47:28 GMT

Hi,

Have you enabled this command as both the interfaces are on the same security level ?

same-security-traffic permit inter-interface

Regards,

Aditya

Please rate helpful posts and mark correct answers.

hello Aditya,

Sheraz.Salim — Tue, 31 May 2016 12:57:22 GMT

hello Aditya,

i gave the command you mentined but the packet tracere still showing acl drop

packet-tracer input dmZ rawip 192.168.50.10 1 1.1.1.1 $

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc6725f8, priority=11, domain=permit, deny=true
        hits=1, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Aditya Ganjoo — Tue, 31 May 2016 17:27:16 GMT

Hi,

Could you tell me why are we using two different NAT statements ?

What is your objective ? could you please elaborate on the requirement ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

192.168.192.0/27 is a private

Sheraz.Salim — Wed, 01 Jun 2016 15:49:18 GMT

192.168.192.0/27 is a private WAN network for the corprate network. we share this network with other supplier that why we are using another nat (RFC) address.

server 1.1.1.1 is a remote and running FTP, SNMP, TFTP services. 192.168.50.0 is assign to DMZ zone.

objective is when remote server comes in DMZ it get translated into 192.168.192.0 address.