topic NAT B/W inside to DMZ in Network Security

NAT B/W inside to DMZ

aslam.bajwa — Tue, 12 Mar 2019 03:53:40 GMT

Hello ,

i have ASA 8.6 i need to configure nating between inside and DMZ . network details is as under :

network behind inside interface

10.16.8.0 / 24

10.16.10.0/24

network behind DMZ interface

10.16.7.0/24

10.16.6.0/24

what configuration i need on ASA so inside and outside can communicate with eachother please advice.

NAT B/W inside to DMZ

jj27 — Wed, 05 Mar 2014 00:59:20 GMT

object-group network Inside_Networks

network-object 10.16.8.0 255.255.255.0

network-object 10.16.10.0 255.255.255.0

object-group network DMZ_Networks

network-object 10.16.7.0 255.255.255.0

network-object 10.16.6.0 255.255.255.0

I assume your interfaces are named "inside" and "DMZ"

nat (inside,dmz) source static Inside_Networks Inside_Networks destination static DMZ_Networks DMZ_Networks

NAT B/W inside to DMZ

aslam.bajwa — Wed, 05 Mar 2014 05:58:46 GMT

Many Thanks for your reply , i will check today and update you .

can you please tell me aboute routes also if required , so that i will be able to ping .from both side

NAT B/W inside to DMZ

Vibhor Amrodia — Wed, 05 Mar 2014 13:42:17 GMT

Hi Aslam,

To be honest , I see that you have these Subnets behind the ASA Interfaces. You are not translation the traffic between the Inside and DMZ interface and hence , I don't think you need any NAT statements on the ASA device to communicate between these Two interfaces(As nat-control is disabled by default on the ASA 8.3+).

Still , you would need Static routes for every L3 network behind the ASA interface.

Thanks and Regards,

Vibhor

NAT B/W inside to DMZ

aslam.bajwa — Wed, 05 Mar 2014 14:05:35 GMT

Hello Vibhor ,

i have done the nating , its working fine as i can ping fron ASA to network behind the inside and DMZ

but i can not ping from DMZ switch to ASA inside and from inside Switch to asa DMZ interfaces .

there is routing issues on both DMZ and inside swith . can yo advise

Re: NAT B/W inside to DMZ

Vibhor Amrodia — Wed, 05 Mar 2014 14:35:55 GMT

Hi Aslam,

To be clear , we cannot ping the DMZ interface IP on the ASA from Any device behind the Inside interface and vice versa by architecture.

To ping from the devices behind the DMZ interface to the Inside devices , you would also need to allow the traffic using ACL on the DMZ interface.

Please send me the Packet-tracer for the traffic which is not working if possible. Also , run this command on the ASA device:-

fixup protocol icmp

Thanks and Regards,

Vibhor

NAT B/W inside to DMZ

aslam.bajwa — Wed, 05 Mar 2014 14:57:55 GMT

Hi Vibhor ,

thanks for your support , i am new in security so i am having lots issues . i tried alot to run Packet Tracer commnad but still i am unable to run it correctly , let see if i have to check nat or ping traffic issue what is the correct packet Tracer command santax .

Secondly i have cisco Wireless ip phones on inside network and my callmanager is behind the DMZ what exacltly i need to do to register this ip phone with callmanage

Re: NAT B/W inside to DMZ

Vibhor Amrodia — Thu, 06 Mar 2014 15:37:24 GMT

Hi Aslam,

Sorry for a late reply. As per your 1st query , you can check this Doc for more information on Packet Tracer on ASA:-

https://supportforums.cisco.com/docs/DOC-5796

You can also share the configuration and I can help you out.

As per your 2nd Query , If you want the IP phones to coimmunicate with the Call Manager on the DMZ , I would say the NAT should be there for Communication , Inspection and Access-rules.

Thanks and Regards,

Vibhor