topic Hi Jon, in Network Security

static NAT config from Destination to source

mahesh18 — Tue, 12 Mar 2019 07:31:31 GMT

Hi Everyone,

If traffic flow is from

Source Interface is DMZ to Destination interface is inside we create ACL to allow the traffic.

Source IP 192.168.50.x

Destination IP is 10.50.50.x

But i saw at our clients ASA that i need below NAT to make it work

static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255

Need to know is this normally done in networks?

Regards

MAhesh

Mahesh

Jon Marshall — Mon, 21 Mar 2016 20:31:11 GMT

Mahesh

Yes it is with NAT in use because for traffic to flow from a lower to higher security level you need -

1) an acl entry as you say

2) a static NAT statement to translate the traffic.

Your statement simply doesn't translate the IP but it is still needed.

Jon

Hi Jon,

mahesh18 — Mon, 21 Mar 2016 20:44:25 GMT

Hi Jon,

Thanks for reply.

So if traffic flow is from low to high security interface then i will need 2 NAT statements?

One from source to destination and other from destination to source?

Regards

MAhesh

No, you only need that NAT

Jon Marshall — Mon, 21 Mar 2016 20:47:41 GMT

No, you only need that NAT statement because a static NAT statement works both ways

So if the traffic is sent from the inside to the DMZ the source IP is changed and if traffic is sent from the DMZ to the inside the destination IP is changed.

Jon

So to make it work i can also

mahesh18 — Mon, 21 Mar 2016 20:59:59 GMT

So to make it work i can also use NAT statement from DMZ to inside right?

Instead of using NAT statement from Inside to DMZ?

Regards

MAhesh

No the NAT has to be that way

Jon Marshall — Mon, 21 Mar 2016 21:10:30 GMT

No the NAT has to be that way round.

Think of it like a static NAT statement you would use when you have a server in a DMZ and you want to give internet access to it.

You don't NAT the internet IPs coming in, you simply NAT the DMZ server IP to a public IP.

This is the same principle here it's just that you are allowing access from the DMZ to the inside.

Jon

But when i run the packet

mahesh18 — Mon, 21 Mar 2016 21:19:09 GMT

But when i run the packet tracer from source as DMZ to inside it hit 2 NAT rules?

one is static NAT which i configured what is other NAT rule then?

Regards

MAhesh

Don't know.

Jon Marshall — Mon, 21 Mar 2016 21:23:30 GMT

Don't know.

Can you post the packet tracer output ?

Jon

Here is output

mahesh18 — Mon, 21 Mar 2016 21:39:24 GMT

Here is output

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
nat-control
match ip inside host 10.50.50.1 DMZ any
static translation to 10.50.50.1
translate_hits = 0, untranslate_hits = 9
Additional Information:
NAT divert to egress interface inside
Untranslate 10.50.50.1/0 to 10.50.50.1/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_acl in interface DMZ
access-list DMZ_acl extended permit tcp host 192.168.50.1 any eq https log
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,Corp) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
nat-control
match ip DMZ 192.168.50.0 255.255.255.0 Corp any
static translation to 192.168.50.0
translate_hits = 7933173, untranslate_hits = 23054
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
nat-control
match ip inside host 10.50.50.1 DMZ any
static translation to 10.50.50.1
translate_hits = 0, untranslate_hits = 9
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
nat-control
match ip inside host 10.50.50.1 DMZ any
static translation to 10.50.50.1
translate_hits = 0, untranslate_hits = 9
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3804212927, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Regards

MAhesh

Mahesh

Jon Marshall — Mon, 21 Mar 2016 21:48:26 GMT

Mahesh

You wouldn't happen to have the firewall configuration would you ?

Not sure what the (DMZ,corp) NAT is doing.

I did think maybe the DMZ source IPs were being translated to something else but that doesn't seem to be the case.

Jon

let me know what you wanna

mahesh18 — Mon, 21 Mar 2016 21:55:59 GMT

let me know what you wanna see?

i can post it

Hi Mahesh ,

MANI .P — Tue, 22 Mar 2016 04:43:51 GMT

Hi Mahesh ,

By default static NAT is bidirectional ( Traffic can initiate from inside either initiate from outside until you disable the bidirectional ) .

BR ,

Mani

Mahesh

Jon Marshall — Tue, 22 Mar 2016 15:56:01 GMT

Mahesh

Sorry, I missed your reply.

If possible can you post the NAT configuration from the firewall.

Jon

will try to do as this

mahesh18 — Wed, 23 Mar 2016 03:42:36 GMT

will try to do as this firewall has lot of NAT config.

Regards

Mahesh