topic No, that won't work. The in Network Security

Cisco ASA 9.1, NAT question

mrthejaswi — Tue, 12 Mar 2019 06:28:42 GMT

Hello All,

I have a question regarding NATs on an ASA version 9.1.

We have a several servers on the DMZ exposed to the Internet via Static NATs to various ip in the address range X.Y.Z.0/24. We want the users on the INSIDE to access the DMZ server using the external IP address, i.e. X.Y.Z.0/24. Following a previous thread I know this can be configured for every DMZ machine, but the question I have is can we configure this similar to the way I have it below, please let me know,

object network DMZ-ANY

subnet 10.10.10.0 255.255.255.0

nat (DMZ,INSIDE) static X.Y.Z.0 255.255.255.0

There are already several NATs like this:

object network Machine-1-NAT

host 10.10.10.29

nat (DMZ,OUTSIDE) static X.Y.Z.41 255.255.255.255

Any help is appreciated,

Regards,

No, that won't work. The

Karsten Iwen — Fri, 21 Aug 2015 21:31:00 GMT

No, that won't work. The logic of a network-NAT-statement (with a mask like your 255.255.255.0) is that only the part get's NATed where the mask has a "1" (binary) in the mask.

The host 10.10.10.27 would be reachable with the public IP X.Y.Z.27.

Are you willing to assign

rizwanr74 — Sat, 22 Aug 2015 03:50:13 GMT

Are you willing to assign dual IP on your dmz host, real-ip and public IP?

If you are willing to do that, then it is possible.

Thanks Karsten, I was

mrthejaswi — Mon, 24 Aug 2015 14:10:22 GMT

Thanks Karsten, I was thinking this would be the case but was not a 100% sure.

Thanks Rizwan, the DMZ host

mrthejaswi — Mon, 24 Aug 2015 14:31:36 GMT

Thanks Rizwan, the DMZ host is only assigned the private IP address. And I don't have access to the host to assign multiple IPs.

Its only NAT-ed at the firewall.

If you were to nat to

rizwanr74 — Mon, 24 Aug 2015 14:46:01 GMT

If you were to nat to different IP-address, then natually a host at receiving end should have the given IP address, otherwise it make no sense to nat to a different IP address, when there is no host with such IP-address.

Hope that answers.

thanks

Question: Why would you like

Andre Neethling — Tue, 25 Aug 2015 05:01:42 GMT

Question: Why would you like to NAT the DMZ Private range to the INSIDE private range? Without NAT you can just route the traffic. This would be better for visibility between inside and DMZ networks. And the config is so much simpler.