topic Re: ASA NAT question in Network Security

ASA NAT question

dlance — Mon, 11 Mar 2019 19:55:45 GMT

We have a somewhat standard 3 interface dmz setup

inside---dmz---outside

we nat from inside to dmz for normal access of servers on dmz (with access rules)

we have one web server on dmz we dont want to nat to reach from inside

we would like to have 1 fixed ip address on inside network that always reaches this server as one fixed ip on the dmz

we do have some static rules for other servers to access on the inside from the dmz but I cant get a static to work for this server

Re: ASA NAT question

mirober2 — Wed, 23 Feb 2011 20:17:21 GMT

Hello,

Here is the config guide for NAT exemption:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html

If you can share a copy of your sanitized running-config (specifically 'show run nat', 'show run global', 'show run static', and 'show run nat-control'), and the IP of the server you're having trouble with, we can give you a more specific solution.

-Mike

Re: ASA NAT question

dlance — Wed, 23 Feb 2011 20:28:36 GMT

Thanks but I dont want nat exemption

I want a fixed translation from 1 inside address to 1 dmz address

Dave

Re: ASA NAT question

Edward Dutra — Thu, 24 Feb 2011 00:10:33 GMT

Hi Dave...

Can give more details of how you want the traffic flow to work. As i read your first response, it does sound like you want NAT exemption.

Do you want the inside IP Natted when going to the DMZ? What IP did you want natted and where does the source of the connection begin?

Re: ASA NAT question

dlance — Thu, 24 Feb 2011 13:16:57 GMT

Traffic would be sourced on the inside network

And would flow to the dmz.

If inside network is 192.168.0.x

and dmz is 172.16.1.x

Traffic would source at 192.168.0.3 and flow to 172.16.1.3

Re: ASA NAT question

Edward Dutra — Thu, 24 Feb 2011 18:49:35 GMT

So is there any reason the basic Static configuration wont help you here?

Static config:

static (inside,dmz) 172.16.1.3 192.168.0.3 netmask 255.255.255.255

-------------------

The above would NAT traffic from 192.168.0.3 to 172.16.1.3 when going out the DMZ interface.

Or is the traffic going to a server that has the IP 172.16.1.3? Are you natting one host or the entire inside network to the DMZ? What IP or pool of IPs did you want the inside host or host to have when going to the DMZ?