05-09-2012 08:27 AM - edited 03-11-2019 04:04 PM
I appreciate any help in advance. I have a requirement to monitor a host's external IP address. The monitoring host (host A) initiating the request is located in the same DMZ subnet as the destination host (host B) I want to monitor; both are NAT'd to external IP addresses. I was expecting to see a request going out from host A, getting NAT'd to its respective external IP address and then coming back in through the external interface to reach the NAT'd IP address of host B. Is this how NAT will be handled by the ASA, or am I missing something here? Thanks again.
05-09-2012 09:54 PM
Borman,
It's more complicated than that; consider the following scenario:

                  20.20.20.0/24
ASA------------------------------Internet
 | (DMZ)
Switch
 |
Host A                    Host B
10.1.1.10                 10.1.1.100
                          20.20.20.20 (NAT outside address)
Basically you want to monitor your host B using its public IP address. Normally your NAT configuration (for version 8.2 and prior) would be something like this:
static (DMZ,outside) 20.20.20.20 10.1.1.100
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
When going from host A to host B, two translations should occur. First is the untranslate from 20.20.20.20 to 10.1.1.100 (by the internal process of the ASA); once it is untranslated, the route lookup comes into play. The firewall notices that the destination is on the same interface as the source of the packet, so we reach our first impasse: the ASA does not support same-security traffic by default. We overcome this issue with the following command:
same-security-traffic permit intra-interface
Now that that is done, we move to the next step of packet processing: the ASA checks whether there is any NAT translation for a packet coming from the DMZ and going to the same DMZ. As you can see, there is a "nat (DMZ) 1 0.0.0.0 0.0.0.0" that tells the firewall that everything coming from the DMZ should be translated. We hit that NAT, and since the outgoing interface is the same as the source interface (DMZ), there is no global command; hence you will see an error stating "No translation group found". Here is how we overcome that issue:
global (DMZ) 1 interface
This will translate requests from the DMZ interface going to that same interface to the DMZ interface IP address. On the server 10.1.1.100 the connection will be seen as coming from the firewall, so the reply packets will be sent to the firewall again, hence avoiding asymmetric routing.
If running version 8.3 or higher, the concept is the same, but the commands change a bit.
8.3:
same-security-traffic permit intra-interface
object network Server_Public
host 20.20.20.20
object network Server_Private
host 10.1.1.100
object network Any
subnet 0.0.0.0 0.0.0.0
nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
So, bottom line, the configuration needed on 8.2:
global (DMZ) 1 interface
same-security-traffic permit intra-interface
Configuration for 8.3:
same-security-traffic permit intra-interface
object network Server_Public
host 20.20.20.20
object network Server_Private
host 10.1.1.100
object network Any
subnet 0.0.0.0 0.0.0.0
nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private
Hope this helps a bit.
Mike
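The packet-path order Mike walks through (untranslate the static, route lookup, intra-interface check, then nat/global lookup) can be modelled to show why the hairpin fails until a global exists on the DMZ interface. This is an added toy model, not Cisco or ASA code; the DMZ interface address 10.1.1.1 and outside address 20.20.20.1 are assumptions, since the thread does not state them.

```python
# Toy model of the ASA 8.2 packet path described in the reply. Added
# illustration, not Cisco code; the interface IPs below are assumptions.
from dataclasses import dataclass

@dataclass
class AsaConfig:
    static_nat: dict        # mapped public IP -> real IP  ("static (DMZ,outside) ...")
    nat_ids: dict           # source interface -> nat-id   ("nat (DMZ) 1 0.0.0.0 0.0.0.0")
    globals: dict           # (egress interface, nat-id) -> mapped source ("global (x) 1 interface")
    intra_interface: bool   # "same-security-traffic permit intra-interface" present?

def route_lookup(ip: str) -> str:
    """Constructed routing table: 10.1.1.0/24 is directly on DMZ, everything else goes outside."""
    return "DMZ" if ip.startswith("10.1.1.") else "outside"

def process(cfg: AsaConfig, src_if: str, src_ip: str, dst_ip: str):
    """Return what the destination host observes, or the error string the ASA would report."""
    # 1. Untranslate the destination if it matches a static (mapped -> real).
    real_dst = cfg.static_nat.get(dst_ip, dst_ip)
    # 2. Route lookup on the real destination selects the egress interface.
    egress = route_lookup(real_dst)
    # 3. Hairpinning back out the ingress interface needs intra-interface permission.
    if egress == src_if and not cfg.intra_interface:
        return "dropped: same-security intra-interface traffic not permitted"
    # 4. Does a nat statement on the ingress interface cover this source?
    nat_id = cfg.nat_ids.get(src_if)
    if nat_id is None:
        return {"src_seen": src_ip, "dst": real_dst, "egress": egress}
    # 5. A global for that nat-id must exist on the egress interface.
    mapped_src = cfg.globals.get((egress, nat_id))
    if mapped_src is None:
        return "No translation group found"
    return {"src_seen": mapped_src, "dst": real_dst, "egress": egress}

# Thread config before the fix: only "global (outside) 1 interface" exists.
BEFORE = AsaConfig(static_nat={"20.20.20.20": "10.1.1.100"}, nat_ids={"DMZ": 1},
                   globals={("outside", 1): "20.20.20.1"}, intra_interface=True)
# After adding "global (DMZ) 1 interface": DMZ-to-DMZ traffic is sourced from the DMZ interface IP.
AFTER = AsaConfig(static_nat={"20.20.20.20": "10.1.1.100"}, nat_ids={"DMZ": 1},
                  globals={("outside", 1): "20.20.20.1", ("DMZ", 1): "10.1.1.1"},
                  intra_interface=True)

if __name__ == "__main__":
    print(process(BEFORE, "DMZ", "10.1.1.10", "20.20.20.20"))  # No translation group found
    print(process(AFTER, "DMZ", "10.1.1.10", "20.20.20.20"))   # host B sees 10.1.1.1 -> 10.1.1.100
```

Host B therefore sees the probe from host A arriving from the firewall's DMZ address, which is exactly why its replies go back through the ASA rather than straight to host A.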
05-11-2012 11:30 AM
Thanks for the detailed explanation, Maykol. I'll try this, thanks.