Nating Issue on ASA

hajasheriff — Mon, 11 Mar 2019 15:55:12 GMT

Hi Guys,

I have pix firewall 525 with software V 6.3. In that pix firewall, i can able to access the one of the dmz server using both nated ip( let say 10.80.80.2) and the original DMZ IP (let say 172.80.1.2). Recently i tried to upgrade to ASA with version 8.0. after the upgrade i can access only via nated ip (10.80.80.2)once the nating enabled not able to access the dmz ip(172.80.1.2). I didn't upgrade due to this issue as some of my testers use the original dmz ip. I setup the test lab to try it out. the following shows the config. The problem is i cannot access original DMZ IP in asa V 7.2 onwards once Nating is enabled but with the same config i can access both the IP's in PIX V 6.3 while the nating is enabled. Is there any new features blocking it. what's the reason for not able to access the original dmz ip while static NAT is enabled for the DMZ Server from the inside interface.Pls advise.Thanks.

Test Lab Config :

ASA Version 8.0(2)

hostname ciscoasa

enable password 9jNfZuG3TC5tCVH0 encrypted

names

interface Ethernet0/0

nameif outside

security-level 0

ip address 192.168.1.1 255.255.255.0

interface Ethernet0/1

nameif dmz

security-level 10

ip address 172.80.1.1 255.255.255.0

interface Ethernet0/2

nameif inside

security-level 100

ip address 10.10.10.2 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

shutdown

no nameif

no security-level

no ip address

management-only

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list inside extended permit ip any any

access-list outside extended permit ip any any

access-list dmz extended permit ip any any

pager lines 24

mtu outside 1500

mtu dmz 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

static (dmz,outside) 192.168.1.22 172.80.1.2 netmask 255.255.255.255

static (dmz,inside) 10.80.80.2 172.80.1.2 netmask 255.255.255.255

access-group outside in interface outside

access-group dmz in interface dmz

access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

route inside 10.0.0.0 255.0.0.0 10.10.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:abc973974aff9ec64fcc2513e330487c

: end

ciscoasa(config)#

Re: Nating Issue on ASA

Collin Clark — Wed, 15 Jul 2009 12:11:36 GMT

It sounds like you may have had DNS doctoring in the PIX. In the ASA you can setup bidirectional NAT explained in the following link.

http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html

Hope that helps.

topic Nating Issue on ASA in Network Security

Nating Issue on ASA

Re: Nating Issue on ASA