topic Static NAT dmz to inside in Network Security

Static NAT dmz to inside

central_bank — Mon, 11 Mar 2019 22:57:58 GMT

Hi,

I have a ASA with Inside (10.1.1.1/24) & DMZ (10.2.2.1/24) Interfaces.

I need to access one of server in DMZ (10.2.2.10) from Inside using NAT.

I have following NAT command entered

static (dmz,inside)10.1.1.10 10.2.2.10

is this syntax correct. If yes, how it is different from following command

static (inside,dmz) 10.2.2.10 10.1.1.10

Static NAT dmz to inside

Dan-Ciprian Cicioiu — Wed, 25 Apr 2012 12:20:48 GMT

Hi Shivaji,

There is wrong in any of the two commands. Depends what are you trying to do :

static (real_interface,nated_interface) translation_ip translated_ip

In the first case :

static (dmz,inside)10.1.1.10 10.2.2.10

The host that will be translated is in DMZ and has the IP 10.2.2.10, It will be transted in the INSIDE as 10.1.1.10

The second case :

static (inside,dmz) 10.2.2.10 10.1.1.10

The host that will be translated is in INSIDE and has the ip 10.1.1.10, it will be translated in the DMZ as 10.2.2.10

Dan

Static NAT dmz to inside

central_bank — Wed, 25 Apr 2012 12:58:56 GMT

Hi Dan ,

Thanks,

Is there any restriction, like real_interface should be of higher security level as that of nated_interface

Static NAT dmz to inside

Dan-Ciprian Cicioiu — Wed, 25 Apr 2012 13:07:15 GMT

Hi ,

My pleasure.

There is no restriction regarding the real_interface.

But depending on your software version there is a requirement. In some versions is called NAT-CONTROL.

NAT-CONTROL - requires that the traffic from a higher security level to a lower security level , should be source nated in order to be permited - also from a lower to higher the traffic should have the destination translated. Historicaly speaking on PIX , this requirement could not be disabled and you had to do identity nat. Nat-control appeared on the software version 7.x , and currently dissapeard so if you are using a 8.4 software version nat-control it is not present.

Dan

Re: Static NAT dmz to inside

imramoha — Wed, 25 Apr 2012 13:07:49 GMT

Hello,

static (dmz,inside)10.1.1.10 10.2.2.10

when packet with destination IP 10.1.1.10 reaches inside interface of ASA it

is redirected to 10.2.2.10 on DMZ.

static (inside,dmz) 10.2.2.10 10.1.1.10

When packet with destination IP 10.2.2.10 hits DMZ it is redirected to

10.1.1.10 on inside

Thanks & Regards

Mohammed Imran

Static NAT dmz to inside

Dan-Ciprian Cicioiu — Wed, 25 Apr 2012 13:11:10 GMT

Hi Mohammed,

My understanding on static NAT is that is bidirectional , so it does not matter where the packet was received.

Are you telling that this is not the case ?

Dan

Static NAT dmz to inside

rgnelson — Fri, 27 Apr 2012 16:07:46 GMT

Dan,

Its kind of the case. Basically one method translates (presents) the source IP and the other the destination IP.

jon.marshall explans it here:

https://supportforums.cisco.com/thread/239441

ryan

Re: Static NAT dmz to inside

Dan-Ciprian Cicioiu — Fri, 27 Apr 2012 16:44:10 GMT

Hi Ryan ,

Thank you for the link.

My post was directed to the fact that the static nat does not change only the DESTINATION.

As you can see in my last post , the static nat is bidirectional. This means that taking for example

static (dmz,inside)10.1.1.10 10.2.2.10

- if the traffic has been initiated from DMZ its changes the SOURCE.

- if the traffic has been initiated from INSIDE its changes the DESTINATION.

So the static NAT translates both source OR destination , depending on where the packet was initiated.

Dan