topic NAT Configuration 1 in Network Security

NAT Configuration 1

Navaz Wattoo — Tue, 12 Mar 2019 01:54:50 GMT

i need the NAT Configuration from DMZ to Inside

My IP,s are

DMZ Interface 10.1.1.1/24

Webserver in DMZ 10.1.1.254

Inside interface 192.168.11.249

Thanks

Navaz

NAT Configuration 1

Jouni Forss — Sat, 08 Jun 2013 14:44:23 GMT

Hi,

You will have to be more clearer with the request.

How do you want to NAT from DMZ to inside? Do you want to configure NAT0 so that the addresses wont be NATed at all? Or do you want to NAT some DMZ address to another specific address towards inside?

- Jouni

NAT Configuration 1

Navaz Wattoo — Sun, 09 Jun 2013 10:14:12 GMT

Thanks a lot for reply

now ping time is more and i want to ping time of DB server (192.168.11.10 and 192.168.11.18) to Webserver (10.1.1.254) in DMZ decrease

Navaz

NAT Configuration 1

Jouni Forss — Sun, 09 Jun 2013 13:54:37 GMT

Hi,

You still didnt quite answer my question.

What kind of NAT configuration do you want? Do you want to remove any NAT between the "DMZ" and "inside" interfaces?

You could also share the configuration so we can take into account any existing configurations

- Jouni

NAT Configuration 1

Navaz Wattoo — Mon, 10 Jun 2013 04:28:49 GMT

ACTIVE# sh running-config

: Saved

ASA Version 8.2(5)

hostname ACTIVE

domain-name dhalahore.org

names

dns-guard

interface Ethernet0/0

description Inside to the Core Switches

duplex full

no nameif

no security-level

no ip address

interface Ethernet0/1

duplex full

no nameif

no security-level

no ip address

interface Ethernet0/2

description public Server - DMZ

duplex full

nameif DMZ

security-level 50

ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

interface Ethernet0/3

description outside to the internet via router

duplex full

nameif Outside

security-level 0

ip address 125.209.70.90 255.255.255.248 standby 125.209.70.91

interface Management0/0

description LAN/STATE Failover Interface

interface Redundant1

member-interface Ethernet0/0

member-interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250

ftp mode passive

clock timezone PST 5

dns domain-lookup DMZ

dns domain-lookup Outside

dns server-group DEFAULT-DNS

name-server 202.142.160.2

name-server 202.141.224.34

dns server-group DefaultDNS

domain-name dhalahore.org

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network DMZ-BLOCKED-LAN-NETWORKS

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 172.16.30.0 255.255.255.0

network-object 172.16.40.0 255.255.255.0

access-list 102 extended permit icmp any any

access-list 102 extended permit ip any any

access-list 102 extended permit tcp any any eq www

access-list 102 extended permit tcp any host 125.209.70.90 eq www

access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255

.255.0

access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255

.255.0

access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255

.255.0

access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255

.255.0

access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.25

5.255.0

access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.2

55.255.248

access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.25

5.255.0

access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server

access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo

access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo

access-list DMZ-IN remark Block connections from DMZ to INSIDE networks

access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS

access-list DMZ-IN remark Allow all other traffic

access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any

access-list ICMP extended permit icmp any any

pager lines 24

logging asdm informational

mtu DMZ 1500

mtu Outside 1500

mtu inside 1500

failover

failover lan unit primary

failover lan interface FAILOVER Management0/0

failover polltime unit 1 holdtime 3

failover polltime interface 3 holdtime 15

failover key *****

failover link FAILOVER Management0/0

failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

asdm history enable

arp timeout 14400

nat-control

global (Outside) 1 interface

nat (DMZ) 1 10.1.1.0 255.255.255.0

nat (inside) 0 access-list no-nat

static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255

static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.25

static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0

access-group DMZ-IN in interface DMZ

access-group 102 in interface Outside

access-group no-nat in interface inside

route Outside 0.0.0.0 0.0.0.0 125.209.70.89 1

route inside 0.0.0.0 0.0.0.0 192.168.11.254 2

route inside 0.0.0.0 0.0.0.0 192.168.10.254 2

route inside 172.16.10.0 255.255.255.0 192.168.11.254 1

route inside 172.16.10.0 255.255.255.0 192.168.10.254 1

route inside 172.16.20.0 255.255.255.0 192.168.11.254 1

route inside 172.16.20.0 255.255.255.0 192.168.10.254 1

route inside 172.16.30.0 255.255.255.0 192.168.11.254 1

route inside 172.16.30.0 255.255.255.0 192.168.10.254 1

route inside 172.16.40.0 255.255.255.0 192.168.11.254 1

route inside 172.16.40.0 255.255.255.0 192.168.10.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.1.1.0 255.255.255.0 DMZ

http 192.168.11.249 255.255.255.255 inside

http 192.168.11.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet 192.168.11.254 255.255.255.255 inside

telnet 192.168.10.254 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15

username cisco123 password ffIRPGpDSOJh9YLq encrypted

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

class-map ICMP-CMAP

match access-list ICMP

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

class ICMP-CMAP

inspect icmp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:2ae5436abbb0241872fb7fe948e8cb57

: end

ACTIVE#

Navaz

NAT Configuration 1

Jouni Forss — Mon, 10 Jun 2013 06:16:36 GMT

Hi,

You seem to already have NAT0 configuration between "inside" and "DMZ". You also have ICMP Inspection enabled.

I am not quite sure what the problem currently is.

If the "DMZ" server isnt replying to the ICMP Echo I would suggest confirming that no local firewall on the server isnt blocking the ICMP. You could also test ICMP directly from the ASA to the "DMZ" server.

You could also confirm routing if you havent already.

- Jouni

NAT Configuration 1

Navaz Wattoo — Mon, 10 Jun 2013 07:03:30 GMT

Thanks for reply

when i ping DMZ server (10.1.1.254) and DB Server (192.168.11.18) it is perfect response time. But when i ping 10.1.1.254(Web server) from DB Server(192.168.11.254) It gives delay.

Navaz

NAT Configuration 1

Jouni Forss — Mon, 10 Jun 2013 07:10:06 GMT

Hi,

I would start looking through the path that the DB server 192.168.11.254 uses on the network towards the Web server. I would imagine though that there is not many places to check because the source hosts are both in the directly connected network with ASA.

You could check some switch ports.

I cant see why the ASA or any NAT configuration would be related to RTT from 2 different hosts. I mean if other works just fine and the other doesnt.

Do you have the ICMP output to share with us? You dont mention any values.

- Jouni

Re: NAT Configuration 1

Navaz Wattoo — Mon, 10 Jun 2013 07:26:54 GMT

i am sending you the diagram of my network and also mention the DB serve.

Navaz

Message was edited by: Navaz Wattoo