topic NAT solution in Network Security

NAT solution

s-santhosh — Mon, 11 Mar 2019 21:16:54 GMT

Hi,

We have a server in DMZ network with IP 10.1.1.20

Client VLANs(Local LAN users) are provided access to the 10.1.1.20

This server is also need to access via internet so created a NAT entry - Natted to public IP 192.168.1.20 (Just for understanding)

Now client VLAN users are able to access the server on port 80 using IP 10.1.1.20,but unabe to access to 192.168.1.20.

Is there any solution to have a access to public IP 192.168.1.20 on port 80 from Client VLAN

/San

NAT solution

varrao — Thu, 25 Aug 2011 10:52:23 GMT

Hi Santosh,

Yes there is a way to make it working, now you would need to do u-turning on the firewall. But for that can you provide me the configuration that you have for the outside access?? This would be required, and then we can plan how to configure iot.

Thanks,

Varun

NAT solution

varrao — Thu, 25 Aug 2011 11:06:32 GMT

You would need the follwoing configuration for your inside users:

static (DMZ,inside) 192.168.1.20 10.1.1.20

nat (inside) 5 0.0.0.0 0.0.0.0

global (DMZ) 5 interface

and this should work for you.

P.S. - This is if you assume, local LAN users are on the inside interface.

Can you also tell me the nat statement that you have for the inside users to access the server on private ip??

Thanks,

Varun

NAT solution

s-santhosh — Thu, 25 Aug 2011 11:51:56 GMT

Hi Varun,

Thanks for the solution... very soon i will share you the ACL's .

/San

NAT solution

varrao — Thu, 25 Aug 2011 11:55:55 GMT

No Problem Santosh, I would wait for your reply.

-Varun

NAT solution

s-santhosh — Thu, 25 Aug 2011 12:48:47 GMT

Hi Varun,

Please find the below ACLs and NAT

access-list acl-in extended permit tcp 10.1.3.0 255.255.255.192 host 10.1.1.20 eq www
access-list acl-in extended permit tcp 10.1.4.0 255.255.254.0 host 10.1.1.2o eq www
access-list acl-in extended permit tcp 10.1.1.0 255.255.254.0 host 10.1.1.20 eq www

ACL is applied on inside interface

static (General_Services,Internet) tcp 192.168.1.20 www 10.1.1.20 www netmask 255.255.255.255

General-Services is DMZ interface

I have general question - Is the solution is a standard and works as a normal... I feel that this is very strange requirement.

Any more requirements I can share you...

/San

NAT solution

varrao — Thu, 25 Aug 2011 13:08:17 GMT

Hi Santosh,

So what your client needs it, they shoudl be able to access the server in DMZ, with both public and private ip right???

If so , why do they need it to be??

-Varun

NAT solution

s-santhosh — Thu, 25 Aug 2011 13:47:22 GMT

Hi Varun,

Yes your are correct they need access to public and private IP address from LAN.

This is due to some project requirements itseems.

Its not client.. its a local requirement....:)

-San

NAT solution

varrao — Thu, 25 Aug 2011 14:14:05 GMT

Hi Santosh,

There is a possible workaround for it because with normal natting we cannot do this otherwise it would say conflicting nat statements, the workaround is as follows:

access-list abc permit ip host 10.1.1.20 any

access-list xyz permit ip host 10.1.1.20 any

static (DMZ,inside) 192.168.1.20 access-list abc

static (DMZ,inside) 10.1.1.20 access-list xyz

Let me know if this works for you, can you also tell me the ASA version that you are using??? Because it has a software limitation when it was tested.

Thanks,

Varun

NAT solution

s-santhosh — Thu, 25 Aug 2011 14:18:56 GMT

Hi Varun, At present using this

Cisco Adaptive Security Appliance Software Version 8.2(2)

-Santhosh

NAT solution

varrao — Thu, 25 Aug 2011 14:22:47 GMT

It should definitely work then

Thanks,

Varun

NAT solution

s-santhosh — Thu, 25 Aug 2011 14:32:31 GMT

Hi Varun,

Both ABC and XYZ are having the same host, so is it not possible to use a single ACL, like below

access-list abc permit ip host 10.1.1.20 any

static (DMZ,inside) 192.168.1.20 access-list abc

static (DMZ,inside) 10.1.1.20 access-list abc

-Santhosh

NAT solution

varrao — Thu, 25 Aug 2011 14:33:50 GMT

No No, thats the catch, you would need to use different acl's

-Varun

NAT solution

s-santhosh — Thu, 25 Aug 2011 15:00:43 GMT

Hi Varun,

I added the ACL's and Statics as you given but no luck:(

But when i run packet tracer shows its allowed

Santhosh

NAT solution

varrao — Thu, 25 Aug 2011 15:15:15 GMT

Can you just clear the xlate for the server.

clear local-host 10.1.1.20

and try again.If it does not work, can you take the output of "show xlate | in 10.1.1.20"

Thanks,

Varun

NAT solution

s-santhosh — Thu, 25 Aug 2011 17:00:18 GMT

Hi Varun,

At any time I'm only able to apply any one static NAT, below is the error messge while config 2nd static

ERROR: mapped-address conflict with existing static

General_Services:10.1.1.20 to inside:192.168.1.20 netmask 255.255.255.255

So with this single static, below is the xlate output, after clearing the local xlate

Global 192.168.1.20 Local 10.1.1.20

Even when i configure this....I see from Local LAN unable to access 10.1.1.20

-San

NAT solution

varrao — Thu, 25 Aug 2011 17:27:26 GMT

Hi Santosh,

i had tried the config first before suggesting it to you, and it worked:

You would need to first remove the configuration for that you have for the inside users, mainly this static:

static (General_Services,Internet) tcp 192.168.1.20 www 10.1.1.20 www netmask 255.255.255.255

and then apply the one that was provided earlier.

Thanks,

Varun

NAT solution

s-santhosh — Fri, 26 Aug 2011 11:44:42 GMT

Hi Varun,

Thanks alot for your support. It worked,

Regards,

Santhosh

NAT solution

varrao — Fri, 26 Aug 2011 13:23:49 GMT

Hi Santosh,

Rally happy it worked for you , I also enjoyed wporking on it and finding the solution for you.

Thanks,

Varun