01-20-2013 07:26 AM - edited 03-11-2019 05:49 PM
Is it possible to perform static NATs through an internal network?
Here's my situation: I have an ASA 5510 with a public outside interface (let's call it 68.68.68.1), and I have an inside private IP address (192.168.1.2/24). The inside IP address leads to a 4900M, with that interface configured with 192.168.1.1 (no switching). On the 4900M I have several VLANs, one of them an internal DMZ of sorts (192.168.2.0/24). Within this DMZ network are several web servers which need to be associated with a public IP address (68.68.68.x).
Every time I configure a static NAT associating a public IP address with an internal IP address within the DMZ, Packet Tracer on the ASA informs me that the packet gets dropped at the static NAT, and I cannot figure out why this is so.
Suffice it to say my question still stands: is it possible to NAT (68.68.68.222 to 192.168.2.60) given the configuration above, and how would I go about configuring it in such a manner that I can apply static NAT through the 192.168.1.0 network to reach the 192.168.2.0 network?
Any help on this matter is greatly appreciated. Thank you.
01-20-2013 07:45 AM
That can be easily done. All you need is:
1) your static translation
2) an ACE allowing the incoming traffic
3) a route from the firewall to the switch for the 192.168.2.0 network.
For more help on configuring that, please share the version of your ASA or even better your actual config.
Sent from Cisco Technical Support iPad App
01-20-2013 07:47 AM
Hi Michael,
it should work.
Paste results of:
sh int ip brief
sh nameif
sh run nat
sh run static
sh run global
and also packet tracer result.
---
Michal
01-20-2013 08:00 AM
Hi Michael,
Yes, it is possible.
Let's say you have an ACL configured on your outside interface on your ASA, with the name outside-allow-in:
access-list outside-allow-in extended permit ip any host 68.68.68.222
Now this ACL is applied on the outside interface on your ASA as shown below.
access-group outside-allow-in in interface outside
Now create a static-nat as shown below.
static (dmz,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255
Lastly, please make sure to add a static route to push traffic for 192.168.2.0 netmask 255.255.255.0 to the peering address, i.e. 192.168.1.1, as shown below.
made correction.
route inside 192.168.2.0 255.255.255.0 192.168.1.1
Hope that helps.
Thanks
Rizwan Rafeek
Message was edited by: Rizwan Mohamed
01-20-2013 08:22 AM
Wouldn't the static NAT read static (inside,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255 ?
01-20-2013 08:33 AM
In your case the static is (inside,outside). But for a "real" DMZ you should consider terminating the VLAN on a subinterface on the ASA, to have more control over the network that is directly reached through the internet.
Sent from Cisco Technical Support iPad App
01-20-2013 09:01 AM
"Wouldn't the static NAT read static (inside,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255 ?"
Yes, that is correct: "static (inside,outside)" if you want to traverse traffic to inside.
thanks
Rizwan Rafeek
01-20-2013 09:16 AM
The following was applied:
static (inside,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside DMZ-network (which is 192.168.2.0 255.255.255.0) 192.168.1.1
When I try to access the server 192.168.2.60 from the outside I do not get a response. I ran Packet Tracer on the firewall, applying interface outside with source IP address 68.68.68.222 and destination IP address 192.168.2.60:
Config
static (inside,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255
  match ip inside host 192.168.2.60 outside any
    static translation to 68.68.68.222
    translate_hits = 91, untranslated_hits = 12
01-20-2013 09:33 AM
More information, as requested:
csc# sh int ip br
Interface              IP-Address      OK? Method Status                 Protocol
Ethernet0/0            192.168.1.2     YES CONFIG up                     up
Ethernet0/1            172.16.2.3      YES CONFIG up                     up
Ethernet0/2            192.168.12.1    YES CONFIG up                     up
Ethernet0/3            68.68.68.1      YES CONFIG up                     up
Internal-Control0/0    127.0.1.1       YES unset  up                     up
Internal-Data0/0       unassigned      YES unset  up                     up
Management0/0          192.168.19.1    YES manual administratively down  down
csc-ssm# sh nameif
Interface          Name          Security
Ethernet0/0        inside        100
Ethernet0/1        %^&*%$        100
Ethernet0/2        @#$%&*()      30
Ethernet0/3        outside       0
Management0/0      management    100
nat (inside) 0 access-list nat0
nat (inside) 1 serverNET 255.255.255.0
nat (inside) 1 Server 255.255.255.0
nat (inside) 1 192.168.8.0 255.255.255.0
nat (inside) 1 CorpVPN 255.255.255.0
nat (inside) 1 192.168.30.0 255.255.255.0
nat (Eng) 0 access-list ENG_nat0_outbound
nat (Eng) 1 172.16.2.0 255.255.255.0
nat (WiFi-Guest) 1 192.168.12.0 255.255.255.0
global (ENG) 2 172.16.2.10-172.16.2.50 netmask 255.255.255.0
global (outside) 1 interface
01-20-2013 09:47 AM
Can you post the output from ACL "outside_access_in"?
thanks
01-20-2013 09:55 AM
This is the whole outside_access_in currently active:
#  Enabled  Source  Destination              Service                     Action  Logging
1  True     any     68.68.68.1 (interface)   icmp/echo, icmp/echo-reply  Permit  Default
2  True     any     68.68.68.1               icmp/time-exceeded          Permit  Default
3  True     any     68.68.68.1               ip                          Permit  Default
4  True     any     68.68.68.1               icmp/unreachable            Permit  Default
6  True     any     any                      ip                          Permit  Default
9  True     any     68.68.68.222             ip                          Permit  Default
01-20-2013 10:31 AM
Make sure that you:
a) don't have the needed communication in your nat0 ACL;
b) have "inspect icmp" in your service policy, if you only test with ICMP echo.
Sent from Cisco Technical Support iPad App
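Putting the three pieces from the replies together with the two checks in the last reply, here is the complete ASA-side configuration for the scenario. This is an added example, not the poster's running config or any reply's code; it uses the pre-8.3 (8.2-style) syntax that the posted "nat (inside) 1 ..." and "global (outside) 1 interface" lines imply, reuses the thread's names and addresses (outside_access_in, 68.68.68.222, 192.168.2.60, 192.168.1.1), and assumes the web server only exposes TCP 80/443. The 4900M default route and the packet-tracer source address 203.0.113.10 are assumptions for illustration.

```cisco
! ASA 5510, 8.2-style syntax (added example, not the poster's config)

! 1) Static translation: public 68.68.68.222 <-> DMZ host 192.168.2.60.
!    The real host is reached through the "inside" interface (via the
!    4900M), so the interface pair is (inside,outside), not (dmz,outside).
static (inside,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255

! 2) Inbound ACL on outside. Permit only what the web server exposes
!    (assumed: TCP 80/443). Note that the posted ACL also carries an
!    "any any ip" permit line, which makes the host-specific entry
!    redundant and opens every mapped address to everything.
access-list outside_access_in extended permit tcp any host 68.68.68.222 eq 80
access-list outside_access_in extended permit tcp any host 68.68.68.222 eq 443
access-group outside_access_in in interface outside

! 3) Route to the DMZ subnet via the 4900M's 192.168.1.1 interface.
route inside 192.168.2.0 255.255.255.0 192.168.1.1

! 4) Checks a) and b) from the last reply.
!    a) NAT exemption ("nat (inside) 0 access-list nat0") is evaluated
!       before statics, so the nat0 ACL must NOT match 192.168.2.60 toward
!       outside. A line like the following would break the static and
!       must not be present:
!         access-list nat0 extended permit ip 192.168.2.0 255.255.255.0 any
!    b) If testing with ping, enable ICMP inspection so echo-replies are
!       matched to the outbound echo and allowed back through the static.
policy-map global_policy
 class inspection_default
  inspect icmp

! 4900M side (assumed, not shown in the thread): the SVI for
! 192.168.2.0/24 needs a route back to the ASA for return traffic, e.g.
!   ip route 0.0.0.0 0.0.0.0 192.168.1.2

! Verification on the ASA. Traffic from the internet arrives for the
! MAPPED address, so trace with 68.68.68.222 as the destination rather
! than the real 192.168.2.60 (source 203.0.113.10 is an assumed test host):
!   packet-tracer input outside tcp 203.0.113.10 40000 68.68.68.222 80
!   show xlate | include 192.168.2.60
```

The untranslated_hits counter in the poster's output confirms the static is being consulted; if a packet-tracer run with the mapped destination still reports a drop in the NAT phase, compare the nat0 ACL against 192.168.2.60 first, since an exemption match wins over the static regardless of the ACL and route being correct.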