Basic questions about ASA static NAT configuration
I have questions about basic static NAT configuration.
I have a host inside a DMZ and I want an outside host to be able to reach it.
I understand this is a typical scenario in which static NAT would be used, such as if you had a server in a DMZ that outside hosts need to access.
I'm using the following configuration:
object network WEB-OUTSIDE
 host 192.168.122.122
object network WEB-INSIDE
 nat (dmz,outside) static WEB-OUTSIDE
The 22.214.171.124 host is the host in the DMZ. I've set it to NAT to 192.168.122.122, which I'm using to represent a global IP address for lab purposes.
The outside host is 192.168.122.196 /24, and is directly connected, through a layer 2 switch, to the ASA outside interface.
The ASA outside interface is 192.168.122.121 /24.
My basic questions are:
1. Is it correct, as I have done, to assign the global IP address of 192.168.122.122, which is not assigned to any host or interface, as the mapped address in the NAT configuration? Or am I supposed to use the outside interface address on the ASA, which is 192.168.122.121? I'm assuming that since it is a server it should get its own global IP address, and that this global IP address should not need to be assigned to any interface at all.
2. When I ping from the host on the outside network to the host in the DMZ, am I supposed to ping the global IP address, 192.168.122.122, or the real IP address, 126.96.36.199? I'm using the latest ASAv image. It makes sense to me to use the global IP address, but I want to confirm my understanding.
3. Is this NAT configuration sufficient, or does there need to be another NAT statement to let traffic go the other way?
Re: Basic questions about ASA static NAT configuration
Your NAT setup is correct. You don't need a separate statement for the reverse direction.
In addition to NAT you need an access control list (ACL) entry to permit the traffic initiated from the outside to reach the inside.
Also, using ping to test isn't generally recommended since ASAs don't, by default, inspect ICMP messages. Instead use an actual connectivity check like opening a web page on your server. That will use tcp/80 (or 443 for HTTPS) and be more representative of what you actually want (and you should allow only the required protocol and port(s) in your ACL).
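The complete configuration the answer describes, as an added example rather than the poster's or the answerer's own config: the object NAT from the question, the outside-to-DMZ ACL limited to the web ports, and a packet-tracer check that exercises NAT and the ACL without depending on ICMP. The DMZ server's real address is not given in the thread, so 10.10.10.10 below is a constructed placeholder; 192.168.122.122 (mapped address) and 192.168.122.196 (outside client) come from the question.

```text
! Added example, not the original poster's config.
! 10.10.10.10 is a constructed placeholder for the DMZ server's real address.
object network WEB-OUTSIDE
 host 192.168.122.122
object network WEB-INSIDE
 host 10.10.10.10
 nat (dmz,outside) static WEB-OUTSIDE
!
! On ASA 8.3 and later, ACLs match the real (untranslated) address, so the
! rule references WEB-INSIDE (10.10.10.10), not the mapped 192.168.122.122.
! Only the ports the server actually serves are permitted.
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE-IN extended permit tcp any object WEB-INSIDE object-group WEB-PORTS
access-group OUTSIDE-IN in interface outside
!
! Verification without ping: simulate the outside client opening tcp/80 to the
! mapped address. Every phase, including NAT and ACCESS-LIST, should report ALLOW.
packet-tracer input outside tcp 192.168.122.196 40000 192.168.122.122 80
!
! Confirm the static translation is installed and in use.
show nat detail
show xlate
```

The packet-tracer output shows, phase by phase, which rule matched; if the NAT phase shows the translation but the ACCESS-LIST phase drops the packet, the ACL is the problem, and vice versa. Keep the ACL to the listed ports rather than permitting ip any, since the static NAT alone exposes every port on the server once an ACL allows it.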