topic Re: NAT question in Network Security

NAT question

bma — Mon, 11 Mar 2019 10:52:23 GMT

What is for static (inside dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.255 0 0? Is it no nat for the 192.168.100.0 network? If I remove this line, what is happen?

Could I use following lines together

static (inside dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.255 0 0

static (inside dmz) 192.168.4.70 192.168.100.50 network 255.255.255.255 0 0

Thanks

ben

Re: NAT question

mattiaseriksson — Thu, 02 Aug 2007 08:38:37 GMT

Ben,

No you have the wrong netmask. But if you change the netmask to 255.255.255.0 it would mean that you can access the 192.168.100.0/24 network from the dmz using the real addresses (if the dmz acl permits).

And yes you can use a static for the network together with a static for one ip, if you use different netmasks.

Re: NAT question

bma — Thu, 02 Aug 2007 14:33:57 GMT

Thanks

What is difference use real address and NAT address in the inside and dmz network? Does infect application access?

ben

Re: NAT question

mattiaseriksson — Thu, 02 Aug 2007 14:43:45 GMT

There is no difference. Normally you do not have to translate addresses between the inside and dmz networks, but you can do it either way.

If you need to initiate connections from the DMZ to the inside you must use the static command for some addresses or the entire network (but you do not have to translate the addresses).

But if you only need the inside to access the dmz, you can instead use nat/global command. That will only allow outbound connections from the inside.

Re: NAT question

bma — Thu, 02 Aug 2007 15:14:59 GMT

Thanks

If use virtual server ip address(netscaler) in the dmz, real server ip address is with internal, do I need do static from dmz to internal?

Ben

Re: NAT question

mattiaseriksson — Thu, 02 Aug 2007 15:20:57 GMT

Yes, you need static statements to permit access from any interface when you are going to the inside.

You also need an access-list to permit the traffic on the dmz interface.

Re: NAT question

bma — Thu, 02 Aug 2007 16:04:42 GMT

Thanks

I just try add one static line

static (inside,dmz) 192.168.4.150 192.168.0.250 netmask 255.255.255.255 0 0,

but it is fail, message is real-address conflict with existing static

inside: 192.168.0.0 to dmz: 192.168.0.0 netmask 255.255.255.0

Looks have to remove static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0 from pix.

What is risk to remove this line? Maybe some ip deny access?

Ben

Re: NAT question

mattiaseriksson — Thu, 02 Aug 2007 17:23:00 GMT

Sorry, you need to use policy nat.

access-list HOST1 permit ip host 192.168.0.250 192.168.4.0 255.255.255.0

static (inside,dmz) 192.168.4.150 access-list HOST1

I am not sure if you have to remove the other static, try it without first.

If it does not work you have to remove it, but then people will loose connectivity, and add it again with policy-nat:

access-list NET1 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0

static (inside,dmz) 192.168.0.0 access-list NET1

Re: NAT question

srue — Thu, 02 Aug 2007 17:40:57 GMT

If nat-control is enabled (assuming PIX/ASA OS 7.x and later), or if you're using PIX OS 6.x or earlier, you need to enable nat between any higher security level interface and any lower security level interface.

You can use any type of nat except identity nat if hosts on the lower security interface need to initiate connections back to the higher level security interface.

This means you can use any type of nat except the following:

nat (inside) 0 192.168.1.0 255.255.255.0

nat (inside) 0 192.168.1.1 255.255.255.255

...just for example.

nat exemption allows connections to be initiated both ways and looks like the following:

nat (inside) 0 access-list 101

Any nat involving the static command also allows connections to be initiated from either side.

Re: NAT question

bma — Thu, 02 Aug 2007 20:44:50 GMT

Thanks

ben