topic DMZ static nat! in Network Security

DMZ static nat!

Azubuike Obiora — Tue, 12 Mar 2019 01:57:31 GMT

Hi Experts,

I believe this everyone is doing OK and getting along with your are doing? I have this funny scenario that happened on ASA 8.4 I configured recently for DMZ static nat. See the topology attached.

I did configure the inside with a PAT

object network INSIDE

subnet 192.168.200.0 255.255.255.0

nat (inside,outside) dynamic interface

That is working perfectly for inside to outside, So i have this server on the dmz, some edge mail server for the client that is meant for the outside world to reach. Sure enough I was happy that with the ASA 8.4 software that doing DMZ static nat I don't have to do with ACL to allow access anymore I mean I thought that has been depricated on the 8.3 and higher release.

I went on configuring the DMZ static nat like this

object network DMZ_MAILEDGE_SERVER

host 172.16.1.2

object network DMZ_GLOBAL

host 1.1.1.2

object network DMZ_MAILEDGE_SERVER

nat (dmz,any) static DMZ_GLOBAL

I was happy that finally i get to feel what the new dmz config on 8.4 should feel like.....I tried pinging my dmz server from outside, no joys at all. Did all i could to do even had to cross check the internet for config samples, everything looked good. Still no joys.

Then i though of creating an access list to permit ip from the OUTSIDE interface to the DMZ, like so,

access-list outside_access_in extended permit ip any object DMZ_MAILEDGE_SERVER

Then did my pings started going through for me to reach the server.

I don't know it feels all weird to me, since i was expecting configs 1 and 2 to get things going for me on software 8.4 not until i had to add config 3.

Please someone should tell me I am getting it all wrong and let me know what i did wrongly!

Thanks

Teddy

*********************************************************************************************************************************************************************************

OK i know the first part of the situation is solved and I'm grateful to Jouni who elaborated me on it. But I have yet another pending situation that I could use a help here and really wouldn't mind been told this is where i got it all wrong.

So finally I could reach the Server on the DMZ from outside via the static nat. Yay!!! But I have some services that needs to be reached on the mailserver on the DMZ side of the network.

Services like:

dns 53, 193

smtp 25

My question is, do i place the access list to permit these service from outside to dmz like this below ?

access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix

access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain

access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp

OR THIS

access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix

access-list outside_access_dmz extended permit udp any eq domain object DMZ_MAILEDGE_SERVER eq domain

access-list outside_access_dmz extended permit tcp any eq smtp object DMZ_MAILEDGE_SERVER eq smtp

Which direction would be more appropriate to go via?

Also from the front end mail server, If i try to ping the internet say a domain name like www.yahoo.com, it would only resolve the name but the ping are not going thru.

Thanks for your advice in advance.

I say this not to undermine anybody's help, Jouni please if you see this I would also appreciate your contribution too!

Cheers!

Teddy

DMZ static nat!

Jouni Forss — Thu, 13 Jun 2013 14:35:58 GMT

Hi,

The NAT configurations seem just fine but I would configure them the Static NAT a bit differently (doesnt mean you have to though)

What I would do is simply state the public IP address in the NAT configuration rather than configure "object network" for the public IP address too

Your configuration is

object network DMZ_MAILEDGE_SERVER

host 172.16.1.2

object network DMZ_GLOBAL

host 1.1.1.2

object network DMZ_MAILEDGE_SERVER

nat (dmz,any) static DMZ_GLOBAL

My version would be

object network DMZ_MAILEDGE_SERVER

host 172.16.1.2

nat (dmz,any) static 1.1.1.2

The simple reason for me would be keeping the "object network" amount at minimum and the fact that we dont need to reference the public IP address in any ACL configurations usually.

What you originally saw happening with the configurations 1 and 2 configured is to be expected. You will always need the configuration 3 which is the ACL to allow the traffic from the "outside".

If the "outside" interface doesnt have any ACL configured then it relies on the "security-level" alone which should be "0". This usually means that no traffic can enter from "outside" to any other interface on the ASA because all the other interfaces are above "security-level 0" and traffic is only allowed from HIGHER -> LOWER when there is NO ACLs. So the natural step to allow this traffic is to configure ACL with the appropriate rules and attach it to the "outside" interface.

Hope this helps

Please remember to mark a reply as the correct answer if it has answered your question.

Naturally ask more if your question wasnt answered.

- Jouni

DMZ static nat!

Azubuike Obiora — Thu, 13 Jun 2013 15:25:58 GMT

Hello Jouni,

Thanks for your explanation! at one moment I thought I had gone loco, cos I had the thoughts that ACLs have been depricated finally on the ASA doing dmz nats. I'm fully aware of all you explained in your reply.

Do have yourself a great day and you keep being the blessing that you are to everyone.

Teddy