cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


1811
Views
0
Helpful
2
Replies
Highlighted

ASA 8.4 - host in DMZ access Internet

I have a very simple setup

I/F inside(100)  DMZ(50)  outside(0)

Inside hosts have NAT access to outside

DMZ host's have static nat and are  accessible from  outside  - www, dns queries etc

However:

Hosts in DMZ cannot access the internet.

packet-tracer  indicates that traffic routes via the inside i/f and is dropped !  the def route is Outside- see attached file.

I have attached the sho run NAT  and sho run route outputs. ( I can't seem to past text on here)

Any help appreciated

Thanks

Everyone's tags (8)
1 ACCEPTED SOLUTION

Accepted Solutions
Mentor

Re: ASA 8.4 - host in DMZ access Internet

Hi,

This is probably due to NAT configurations as they can define the ingress/eggress interface in the new software

So from what I gather you have the following NAT configurations

  • Default PAT configuration for LAN and DMZ Internet traffic
  • A static NAT for a server
  • Some NAT configuration that you are using for DMZ <-> LAN traffic?
    • This is most likely the cause

I would do the configurations like this

Basic PAT

object-group network PAT-SOURCE-NETWORKS

description PAT source networks

network-object x.x.x.x y.y.y.y

network object a.a.a.a b.b.b.b

nat (any,Outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

Where

  • x.x.x.x is the LAN network address
  • y.y.y.y is the LAN network mask
  • a.a.a.a is the DMZ network address
  • b.b.b.b is the DMS network mask

The above PAT configuration basicly does the following

  • The configured object-group defines the networks that will be using the "Outside" interface public IP address for PAT when connecting to the Internet
  • The source interface "any" means that source interface on the ASA can be any interface BUT as we configured the object-group to control the source addresses you have control over what gets PATed. And you dont need several NAT statements for many intefaces.
  • "after-auto" keeps the NAT rule at the bottom of the NAT rules

Static NAT

object network STATIC

host x.x.x.x

nat (Inside,Outside) static y.y.y.y dns

Where

  • STATIC is the object name
  • x.x.x.x is the local IP address
  • y.y.y.y is the public IP address

On a final note I would personally not do any NAT between your local ASA interfaces.

In the new 8.4 softwares you dont need NAT for traffic between your local interface. Any traffic that doesnt have NAT statements will go through the ASA unNATed. So your LAN network can connect to your DMZ with the DMZ actual IP address and so on.

The packet-tracer says that the following NAT rule is applied to the traffic you are testing

nat (Inside,DMZ) source static any any

To me it seems that this configuration is not needed.

- Jouni

2 REPLIES 2
Mentor

Re: ASA 8.4 - host in DMZ access Internet

Hi,

This is probably due to NAT configurations as they can define the ingress/eggress interface in the new software

So from what I gather you have the following NAT configurations

  • Default PAT configuration for LAN and DMZ Internet traffic
  • A static NAT for a server
  • Some NAT configuration that you are using for DMZ <-> LAN traffic?
    • This is most likely the cause

I would do the configurations like this

Basic PAT

object-group network PAT-SOURCE-NETWORKS

description PAT source networks

network-object x.x.x.x y.y.y.y

network object a.a.a.a b.b.b.b

nat (any,Outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

Where

  • x.x.x.x is the LAN network address
  • y.y.y.y is the LAN network mask
  • a.a.a.a is the DMZ network address
  • b.b.b.b is the DMS network mask

The above PAT configuration basicly does the following

  • The configured object-group defines the networks that will be using the "Outside" interface public IP address for PAT when connecting to the Internet
  • The source interface "any" means that source interface on the ASA can be any interface BUT as we configured the object-group to control the source addresses you have control over what gets PATed. And you dont need several NAT statements for many intefaces.
  • "after-auto" keeps the NAT rule at the bottom of the NAT rules

Static NAT

object network STATIC

host x.x.x.x

nat (Inside,Outside) static y.y.y.y dns

Where

  • STATIC is the object name
  • x.x.x.x is the local IP address
  • y.y.y.y is the public IP address

On a final note I would personally not do any NAT between your local ASA interfaces.

In the new 8.4 softwares you dont need NAT for traffic between your local interface. Any traffic that doesnt have NAT statements will go through the ASA unNATed. So your LAN network can connect to your DMZ with the DMZ actual IP address and so on.

The packet-tracer says that the following NAT rule is applied to the traffic you are testing

nat (Inside,DMZ) source static any any

To me it seems that this configuration is not needed.

- Jouni

ASA 8.4 - host in DMZ access Internet

Jouni

Thanks -  that worked a treat !

Bob