topic Re: nat issue in Network Security

nat issue

rouzbehta — Mon, 11 Mar 2019 19:45:01 GMT

Hello all,

I have an asa wichi s configured to handle to network, one dmz and other inside network, I can map my inside subnet to public ip with nat but I can't do this with DMZ subnet , I thought I configured correctly, I also attached my configuration file

Wouls someone please tell me if there is something wrong in configuration?

Also when I do packet tracing with ASDM it gives me "ASDM is not able to select the entry for the followoing configuration"

Best Regards,

-Rouzbeh

Re: nat issue

andamani — Fri, 04 Feb 2011 16:14:18 GMT

Hi,

Please do the following:

no nat (DMZ) 2 10.10.15.0 255.255.255.0

nat (DMZ) 1 10.10.15.0 255.255.255.0

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as resolved if you think your query is answered

Re: nat issue

rouzbehta — Fri, 04 Feb 2011 16:21:27 GMT

Dear Anisha,

I did this , packet tracer still drops the packet "from 10.10.15.0 255.255.255.0 subnet" with the following message:

ASDM is not able to select the entry for the following configuration

nat (inside21) 0.0.0.0 0.0.0.0 I haven't set this rule!! I don't where this came from in this message

nat-control

match ip inside21 any outside any

no translation group, implicit deny

policy_hits=2

Best Regards,

-Rouzbeh

Re: nat issue

andamani — Fri, 04 Feb 2011 16:49:34 GMT

Hi,

I re-checked your configuration.

please remove the following statement:

global (DMZ) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

Also i see that there exists a default route for the DMZ and it is heading to a routable ip. could you please explain why are you doing this?

route DMZ 0.0.0.0 0.0.0.0 66.128.95.145 1

I would say please change the route.

route DMZ 10.10.15.0 255.255.255.0 1

Let me know if it makes any difference

Regards,

Anisha

Re: nat issue

rouzbehta — Fri, 04 Feb 2011 17:08:20 GMT

Dear Anisha,

I am doing nat translation for inside network using PAT on interface gig0/0

I want to use nat pool for DMZ part and that's why I used the global (DMZ) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248 should I still remove this?

66.128.95.145 is the next hop router, that's why I used the route DMZ 0.0.0.0 0.0.0.0 66.128.95.145 1

I removed the route and added the route you requested route DMZ 10.10.15.0 255.255.255.0 66.128.95.145 but got the mesageg "can not add route, connected route exits"

Best Regards,

-Rouzbeh

Re: nat issue

andamani — Fri, 04 Feb 2011 17:33:06 GMT

Hi Rouzbeh,

Alright i got the natting part.

please do the following:

no global (DMZ) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

global (outside1) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

nat (DMZ) 2 10.10.15.0 255.255.255.0

i am not sure of the routing part. by the statement "route DMZ 0.0.0.0 0.0.0.0 66.128.95.145 1" you mean to say that any traffic on the DMZ interface should head to ip 66.128.95.145. The DMZ network is 10.10.15.0/24. the ip 66.128.95.145 is not in the same subnet as 10.10.15.0/24.

I am unable to understand the routing in here. According to me you should remove the statement "route DMZ 0.0.0.0 0.0.0.0 66.128.95.145 1".

If the DMZ network is directly connected then i don't think there is an explicit need to add a route.

I hope you get what i am trying to explain.

Regards,

Anisha

Re: nat issue

rouzbehta — Fri, 04 Feb 2011 18:16:46 GMT

Dear Anisha,

I did the followings:

no global (DMZ) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

global (outside1) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

net (DMZ) 2 10.10.15.0 255.255.255.0

I also removed the route 0.0.0.0 0.0.0.0 66.128.95.145 1 you correct the next hop is directly connected and no need to static route

The traffic leaving dmz subnet with 10.10.15.0/24 should be translated to a address from 66.128.95.147-66.128.95.150 right?

BTW after you suggested chages took efect agaib I get packe drop from packet tracer with the following message:

nat (DMZ) 2 10.10.15.0 255.255.255.0

match ip DMZ 10.10.15.0 255.255.255.0 outside2 any

dynamic translation to pool 2 (NO matching global)

Best Regards,

-Rouzbeh

Re: nat issue

andamani — Sat, 05 Feb 2011 01:43:13 GMT

Hi,

Please do the following:

no global (outside1) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

global (outside2) 2 66.128.95.147-66.128.95.150 netmask 255.255.255.248

Let me know the results.

Regards,

Anisha

P.S.: Please mark this thread as resolved if you feel your query is answered.