topic NAT Configuration in Network Security

NAT Configuration

Navaz Wattoo — Tue, 12 Mar 2019 01:51:31 GMT

i need the NAT Configuration from DMZ to Inside

My IP,s are

DMZ Interface 10.1.1.1/24

Webserver in DMZ 10.1.1.254

Inside interface 192.168.11.249

Thanks

NAT Configuration

Jouni Forss — Fri, 31 May 2013 07:18:31 GMT

Hi,

Can you specify the device model and software level on that device that you are using?

Naturally if you can share the current configuration it would also help

What exactly is your goal? You dont mention what kind of NAT you need to configure between these 2 interfaces.

Do you want to configure NAT so that the networks can access eachother with their original IP addresses?

- Jouni

Re: NAT Configuration

Navaz Wattoo — Fri, 31 May 2013 07:23:16 GMT

ASA Version 8.2(5)

hostname ACTIVE

domain-name test

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

interface Ethernet0/0

description Inside to the Core Switches

duplex full

no nameif

no security-level

no ip address

interface Ethernet0/1

duplex full

no nameif

no security-level

no ip address

interface Ethernet0/2

description public Server - DMZ

duplex full

nameif DMZ

security-level 50

ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

interface Ethernet0/3

description outside to the internet via router

duplex full

nameif Outside

security-level 0

ip address 125.209.70.90 255.255.255.248 standby 125.209.70.91

interface Management0/0

description LAN/STATE Failover Interface

management-only

interface Redundant1

member-interface Ethernet0/0

member-interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250

ftp mode passive

clock timezone PST 5

dns domain-lookup DMZ

dns domain-lookup Outside

dns server-group DEFAULT-DNS

name-server 202.142.160.2

name-server 202.141.224.34

dns server-group DefaultDNS

domain-name dhalahore.org

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list 102 extended permit icmp any any

access-list 102 extended permit ip any any

access-list 102 extended permit tcp any any eq www

access-list 102 extended permit tcp any host 125.209.70.90 eq www

access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255

.255.0

access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255

.255.0

access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255

.255.0

access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255

.255.0

access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.25

5.255.0

access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.2

55.255.248

access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.25

5.255.0

pager lines 24

logging asdm informational

mtu DMZ 1500

mtu Outside 1500

mtu inside 1500

failover

failover lan unit primary

failover lan interface FAILOVER Management0/0

failover polltime unit 1 holdtime 3

failover polltime interface 3 holdtime 15

failover key *****

failover link FAILOVER Management0/0

failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.2

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 1 interface

nat (DMZ) 1 10.1.1.0 255.255.255.0

nat (inside) 0 access-list no-nat

static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255

static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.25

static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0

access-group 102 out interface DMZ

access-group 102 in interface Outside

access-group no-nat in interface inside

route Outside 0.0.0.0 0.0.0.0 125.209.70.89 1

route inside 0.0.0.0 0.0.0.0 192.168.11.254 2

route inside 172.16.10.0 255.255.255.0 192.168.11.254 1

route inside 172.16.20.0 255.255.255.0 192.168.11.254 1

route inside 172.16.30.0 255.255.255.0 192.168.11.254 1

route inside 172.16.40.0 255.255.255.0 192.168.11.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet 192.168.11.254 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username cisco password ZBZ8GNEdrJsjFvsR encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:3b155d3e6de565df85cf05d25db9ea8e

: end

Yes can acees orignol ip

This the Current Configuration and thanks for replying

Message was edited by: rab nawaz

NAT Configuration

Jouni Forss — Fri, 31 May 2013 07:32:23 GMT

Hi,

I am kind of wondering why you are using this ACL on the "inside" interface

access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.255.255.248

access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0

access-group no-nat in interface inside

To me it seems you are NOT allowing any traffic from the "inside" to the Internet

But onto the matter with the "inside" to "DMZ"

You seem to have the NAT0 configured correctly

nat (inside) 0 access-list no-nat

What is exactly the traffic you are testing connections with? Some TCP connection perhaps? What is the source IP address of the connecting host and what is the destination IP address of the host you are trying to connect to?

If the traffic is ICMP then add the following

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

- Jouni

NAT Configuration

Navaz Wattoo — Fri, 31 May 2013 10:09:51 GMT

i wnat to communicate web server(ip address is 10.1.1.254) that is in DMZ with the another DB Server(ip address 192.168.11.18) that is connect with the switch cisco 3550. and asa inside(192.168.11.249) is connectd with the switch 3550.

NAT Configuration

Jouni Forss — Fri, 31 May 2013 10:15:59 GMT

Hi,

As I said, you already seem to have NAT0 configured so the connection should basically go through.

I dont however see a point for this NAT configuration

no static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0

You should be able to test your firewall rules with the below command if the connecting host is 192.168.11.18

packet-tracer input inside 192.168.11.18 12345 10.1.1.254

You should be able to test your firewall rules with the below command if the connecting host is 10.1.1.254

packet-tracer input DMZ 10.1.1.254 12345 192.168.11.18

Just replace the

with either of the options depending what kind of traffic you are testing
with the actual destination port number you are testing connections for

- Jouni

NAT Configuration

Navaz Wattoo — Fri, 31 May 2013 10:41:06 GMT

These are the outputs

------------------------------------------------

packet-tracer input inside 192.168.11.18 12345 10.1.1.254

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.1.1.0 255.255.255.0 DMZ

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group no-nat in interface inside

access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.25

5.255.0

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

nat-control

match ip inside 192.168.11.0 255.255.255.0 DMZ 10.1.1.0 255.255.255.0

NAT exempt

translate_hits = 1, untranslate_hits = 0

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 0 0.0.0.0 0.0.0.0

nat-control

match ip inside any DMZ any

no translation group, implicit deny

policy_hits = 0

Additional Information:

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 0 0.0.0.0 0.0.0.0

nat-control

match ip inside any DMZ any

no translation group, implicit deny

policy_hits = 0

Additional Information:

Phase: 8

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group 102 out interface DMZ

access-list 102 extended permit ip any any

Additional Information:

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255

nat-control

match tcp DMZ host 10.1.1.254 eq 80 Outside any

static translation to 125.209.70.90/80

translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 523, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: allow

-----------------------------------------------------------

packet-tracer input DMZ 10.1.1.254 12345 192.168.11.18

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.11.0 255.255.255.0 inside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

NAT Configuration

Jouni Forss — Fri, 31 May 2013 10:50:32 GMT

Hi,

But can you please clarify which host opens the connection that is not working at the moment?

Does DMZ open connection to inside

Or does inside open connection to DMZ

Your ACLs seem very wierd and certainly not how I would configure them.

To allow traffic from DMZ to inside you would need to attach an ACL to the DMZ interface in the direction "in" in the "access-group" command.

- Jouni

NAT Configuration

Navaz Wattoo — Fri, 31 May 2013 11:46:51 GMT

i need ping 10.1.1.254(web server) to DB server(192.168.11.18)

NAT Configuration

Navaz Wattoo — Fri, 31 May 2013 11:47:44 GMT

can i give u access through team viewer?

Re: NAT Configuration

Jouni Forss — Fri, 31 May 2013 12:12:35 GMT

Hi,

I think the problem is that you dont have an "in" direction ACL on the "DMZ" interface.

Since we are talking about a "DMZ" then I would imagine that you DONT want to allow all traffic to the "inside"

Therefore I would suggest the following configurations

no access-group 102 out interface DMZ

object-group network DMZ-BLOCKED-LAN-NETWORKS

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 172.16.30.0 255.255.255.0

network-object 172.16.40.0 255.255.255.0

network-object 192.168.11.0 255.255.255.0

access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server

access-list DMZ-IN permit icmp host 10.1.1.254 host 192.168.11.18 echo

access-list DMZ-IN remark Block connections from DMZ to INSIDE networks

access-list DMZ-IN deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS

access-list DMZ-IN remark Allow all other traffic

access-list DMZ-IN permit ip 10.1.1.0 255.255.255.0 any

access-group DMZ-IN in interface DMZ

What the above aims to do is

First remove the "out" direction ACL on the DMZ interface since it permits everything. Traffic towards "DMZ" should be allowed on the "inside" and "outside" interface if needed. You dont need to open it twice.
We create an "object-group" which defines the "inside" networks to which the "DMZ" shouldnt be able to connect to
We start configuring ACL which first allows ICMP from the "DMZ" server to the "inside" server
Then the ACL blocks all rest of the traffic to the "inside" networks
Then the ACL allows all the rest of the traffic from the "DMZ", to for example Internet
Finally the "access-group" command attaches the ACL to the "DMZ" interface in the direction "in"

If you need to allow something else than ICMP then you will have to add it in top of the ACL we just created.

Hope this helps

Remember to mark the reply as the correct answer if it answered your question and rate helpfull answers

Naturally ask more if you need more help

- Jouni

NAT Configuration

Navaz Wattoo — Fri, 31 May 2013 13:03:46 GMT

Thanks a lot

Done it now

u r genious

if i feel any problem then i wil tell u

my email id is nawazwattoo@gmail.com

plz send me ur email id

NAT Configuration

Jouni Forss — Fri, 31 May 2013 13:07:17 GMT

Hi,

You can send me PM (private message) through my profile here on the CSC if you need.

- Jouni

NAT Configuration

Navaz Wattoo — Fri, 31 May 2013 13:17:40 GMT

jhow cani send u private msg?

NAT Configuration

Jouni Forss — Fri, 31 May 2013 13:21:28 GMT

Hi,

You should be able to click my profile name in the post which takes you to my profile page.

There on the right hand side of the page should be an option to send a private message.

Though if you have some question its better to post the question here on the forums.

- Jouni

NAT Configuration

Navaz Wattoo — Sat, 08 Jun 2013 08:08:11 GMT

its not working now

Navaz