topic I am running 9.1.2. I guess in Network Security

Cisco ASA problem with NAT

Jiri Chvatal — Tue, 12 Mar 2019 04:55:08 GMT

Hello,

I would like to accomplish following task :

I have some DMZ zone on ASA. It has access only to internet, not to inside network. This is network used for visitors.

I would like to perform nat from inside subnet to DMZ and then from DMZ to outside. Why?

We have two facilities, only one ASA as GW. I cannot directly connect second facility to ASA.

So let's say I need for example network 172.16.20.0 /24 to be nated to DMZ interface. And DMZ interface has nat (DMZ,outside) source dynamic DMZ-LAN interface

Problem I have is, ASA cannot do NAT from inside network to DMZ. Inside to outside works just fine. See the config part below :

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.21.201 255.255.255.0

interface GigabitEthernet0/3
nameif DMZ
security-level 50
ip address 192.168.30.1 255.255.255.0

nat (inside,DMZ) after-auto source dynamic WIFI_NAT (172.16.10.0/24) interface - this is command ASA ignores

nat (DMZ,outside) after-auto source dynamic DMZ interface - this command works fine (dmz network can access internet)

nat (inside,outside) after-auto source dynamic (172.16.1.0/24) interface - this command works fine, subnet 172.16.1.0/24 can access internet.

Access lists are set for test purpose all to permit ip any any.

Any ideas, why xlate from inside to DMZ is not working?

Thank you.

What code are you running?

david-swope — Mon, 13 Oct 2014 19:51:50 GMT

What code are you running? Why not use object NAT?

object network Inside

subnet 192.168.21.0 255.255.255.0

nat (inside,dmz) dynamic interface

So anyone coming into the DMZ from the Inside will NAT to 192.168.30.1

I am running 9.1.2. I guess

Jiri Chvatal — Tue, 14 Oct 2014 10:24:59 GMT

I am running 9.1.2.

I guess object nat is almost the same as command "nat (inside,DMZ) source dynamic 192.168.21.0/24 interface, isn't it?

And, I tried that, does not work 🙂

Looks like DMZ interface didn't know where to forward the traffic, so no NAT is performed. I tried to remove default route on outside (to internet) and then "nat (inside,outside)" was not working as well.

But I can't add another route for inteface DMZ...And DMZ should know the "default route" by command "nat (DMZ,outside) source dynamic DMZ interface.

Thx anyway for you suggestion.

edit : I managed to inside network be translated finally.

nat (inside,dmz) source dynamic pat-pool PAT-POOL interface destination static ANY any; PAT-POOL is ip address from DMZ subnet

UDP PAT from inside:10.0.0.2/61028 to dmz:192.168.200.222/61028 flags ri idle 0:00:10 timeout 0:00:30
UDP PAT from inside:10.0.0.2/61060 to dmz:192.168.200.222/61060 flags ri idle 0:00:24 timeout 0:00:30
UDP PAT from inside:10.0.0.2/55226 to dmz:192.168.200.222/55226 flags ri idle 0:00:24 timeout 0:00:30
ICMP PAT from inside:10.0.0.2/1 to dmz:192.168.200.222/1 flags ri idle 0:00:01 timeout 0:00:30
ciscoasa(config)#

But but even if I have "nat (dmz,outside) source dynamic dmz interface" command, 192.168.200.222 cannot reach internet 😕