https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996484#M435299 <HTML><HEAD></HEAD><BODY><P> Hello Rizwan,</P><P></P><P>I do have a nat for inside host to DMZ4. What I dont understand is why 10.103.11.51 is getting natted to 10.103.11.17? Should'nt that pool be the NAT for traffic coming to DMZ4?</P><P></P><P>static(inside,dmz4) 10.103.1.88 10.103.1.88 netmask 255.255.255.255</P><P></P><P></P><P>Thank you.</P><P></P><P></P></BODY></HTML> Thu, 31 May 2012 15:48:02 GMT network_user 2012-05-31T15:48:02Z https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996482#M435297 <P>Hello,</P><P></P><P>We have a Session border controller for VOIP calls in our network which sites behind ASA firewall on a DMZ. We also have a global pool for this DMZ. What i have observed is that the SBC IP address which is on the DMZ, gets natted to one of the IPs in the global pool for its own DMZ.</P><P></P><P>Below is the relevant IP information and NAT configuration:</P><P></P><P>DMZ4</P><P>SBC IP: 10.103.11.51</P><P></P><P>NAT on ASA:</P><P>global (dmz4) 1 10.103.11.16-10.103.11.19 netmask 255.255.255.252</P><P></P><P></P><P>10.103.11.51 gets natted to 10.103.11.17 and for some reason the SBC sends the SIP packets to 10.103.11.17, instead of sending it to a destination IP address which resides on the inside interface of the ASA. I am not able to understand why SBC gets Natted to global nat pool of its own DMZ, and how does it knows about 10.103.11.17 IP??</P><P></P><P></P><P>Any help is appreciated.</P><P></P><P>Thank you.</P> Mon, 11 Mar 2019 23:13:57 GMT https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996482#M435297 network_user 2019-03-11T23:13:57Z https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996483#M435298 <HTML><HEAD></HEAD><BODY><P>"instead of sending it to a destination IP address which resides on the inside interface of the ASA."</P><P></P><P>In order to send traffic in between inside and dmz4, you must create static-nat as shown below.</P><P></P><P>static (inside,dmz4) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 </P><P></P><P></P><P>-----------------------------------------------------------------------------------</P><P></P><P>"global (dmz4) 1 10.103.11.16-10.103.11.19 netmask 255.255.255.252"</P><P></P><P>the above is dynamic-nat.</P><P></P><P></P><P>Hope this has been anyhelp.</P><P></P><P>thanks</P><P>Rizwan Rafeek</P></BODY></HTML> Thu, 31 May 2012 14:21:45 GMT https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996483#M435298 rizwanr74 2012-05-31T14:21:45Z https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996484#M435299 <HTML><HEAD></HEAD><BODY><P> Hello Rizwan,</P><P></P><P>I do have a nat for inside host to DMZ4. What I dont understand is why 10.103.11.51 is getting natted to 10.103.11.17? Should'nt that pool be the NAT for traffic coming to DMZ4?</P><P></P><P>static(inside,dmz4) 10.103.1.88 10.103.1.88 netmask 255.255.255.255</P><P></P><P></P><P>Thank you.</P><P></P><P></P></BODY></HTML> Thu, 31 May 2012 15:48:02 GMT https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996484#M435299 network_user 2012-05-31T15:48:02Z https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996485#M435300 <HTML><HEAD></HEAD><BODY><P>"Should'nt that pool be&nbsp; the NAT for traffic coming to DMZ4?"</P><P></P><P>It is natting based on the ip range you have defined on the global-pool "10.103.11.16 - 10.103.11.19" </P><P></P><P>"why&nbsp; 10.103.11.51 is getting natted to 10.103.11.17?" that is because your global poot on the dmz4 interface as shown below.</P><P></P><P>global (dmz4) 1 10.103.11.16-10.103.11.19</P><P></P><P></P><P>"Should'nt that pool be the NAT for traffic coming to DMZ4?", </P><P></P><P>it is natting to one of the IP available from the range you provided when traffic coming in to dmz4.</P><P></P><P>So, it is natting, what you have set to nat.</P><P></P><P>Thanks</P><P>Rizwan Rafeek</P></BODY></HTML> Thu, 31 May 2012 16:43:07 GMT https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996485#M435300 rizwanr74 2012-05-31T16:43:07Z https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996486#M435301 <HTML><HEAD></HEAD><BODY><P> I still dont understand. </P><P></P><P>What I understand is that any traffic which is going into DMZ4 must be natted to one of the DMZ4 Global pool IPs to communicate with the hosts on DMZ4. But it seems like its happening the other way round. An IP address which is already on DMZ4 and trying to communicate with inside(or any other interface) is getting natted to an IP from this pool.</P></BODY></HTML> Thu, 31 May 2012 17:08:04 GMT https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996486#M435301 network_user 2012-05-31T17:08:04Z https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996487#M435302 <HTML><HEAD></HEAD><BODY><P>"going into DMZ4" It is not going into but rather natted to, as a result you will see the below, your confusion.</P><P></P><P>"why 10.103.11.51 is getting natted to 10.103.11.17? "</P><P></P><P>going into and natted to, are two different things.</P><P></P><P>I hope that helps.</P><P></P><P>thanks</P><P>Rizwan Rafeek</P><P></P><P>Please rate helful post.</P></BODY></HTML> Thu, 31 May 2012 18:07:59 GMT https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996487#M435302 rizwanr74 2012-05-31T18:07:59Z https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996488#M435303 <HTML><HEAD></HEAD><BODY><P> So do you mean the NAT is for DMZ4 IPs communicating with any other IP outside DMZ4 and also for any IP which is trying to communicate with DMZ4 hosts??</P></BODY></HTML> Thu, 31 May 2012 19:05:48 GMT https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996488#M435303 network_user 2012-05-31T19:05:48Z https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996489#M435304 <HTML><HEAD></HEAD><BODY><P>"So do you mean the NAT is for DMZ4 IPs communicating with any other IP outside DMZ4" </P><P>no but rather inside or outside host trying to reach the DMZ4 hosts, will be dynamic-nat to 10.103.11.16-10.103.11.19.</P><P></P><P>"also for any IP which is trying to communicate with DMZ4 hosts??" </P><P>will be dynamic-natted to the range 10.103.11.16-10.103.11.19..</P><P></P><P></P><P>You have not posted your nat but only the global config part alone I see.</P><P></P><P></P><P>Hope that answers your question.</P><P></P><P>Thanks</P><P>Rizwan Rafeek</P></BODY></HTML> Thu, 31 May 2012 19:47:49 GMT https://community.cisco.com/t5/network-security/asa-dmz-ip-getting-natted-to-its-own-global-pool-ip/m-p/1996489#M435304 rizwanr74 2012-05-31T19:47:49Z