ASA 5510 & NAT with DMZ

louis0001
Level 3

Hi,

Bear with me on this one.

I have 5 interfaces:

E0/0 = Outside (sec level 0) Internet
E0/1 = corp network (sec level 100)  10.1.1.0/24
E0/2.100 = connection to another remote site (sec level 100) 192.168.100.1/24
E0/2.200 = DMZ 1 (sec level 50) 10.1.50.0/24
E0/2.300 = DMZ 2 (sec level 60) 10.1.60.0/24

I have ticked "allow sub interfaces on the same interface allowed to communicate with each other" and "interfaces with same security level allowed to communicate with each other"

I'm aware that higher security levels can communicate with lower security levels by default. So I've set some access rules up so that:
E0/1 Corp can talk to E0/2.200 DMZ 1 & E0/2.300 DMZ 2
E0/2.100 can also do the above

E0/2.200 DMZ 1 can talk to the higher security levels because of access rules on certain ports.
E0/2.300 DMZ 2 can talk to DMZ 1, and DMZ 1 can talk to DMZ 2, because of access rules on certain ports.

I have numerous servers on both DMZs which are using different service ports, e.g. DMZ 1 has HTTP server 1 on port 80, HTTP server 2 on port 81, etc.
I have only one IP address on E0/2.100, 192.168.100.1.

I assume I would now have to use PAT to get to the two HTTP servers from E0/2.100 to E0/2.200, so that somebody coming in to 192.168.100.1:80 would go to HTTP server 1 and 192.168.100.1:81 would go to HTTP server 2. Would I have to create a dynamic rule outwards so the HTTP 1 & 2 servers could communicate outwards to E0/2.100, or would the static PAT rule suffice?

1 Reply

Paul Chapman
Level 4

Hi -

It depends on what ASA OS version you are running and what your end goals are.  Do you want to hide the server addresses from the remote site connected on E0/2.100?  If not, does the remote site have routes pointed at the E0/2.100 interface for the server subnets?

If you want to hide the server addresses, then you will have to use 1-to-1 PAT to perform the translation (regardless of OS version).

If you don't want to hide the server addresses and routing is in place, then we need to identify which ASA OS you are running.  In 8.2 and below, you would have to create identity NATs which would translate the server IPs to themselves (i.e. 10.1.50.44 translates to 10.1.50.44).  In 8.3 and above, the concept of "NAT Control" is removed, so no NATs are required, though you can still create them.

The tickbox for "interfaces with same security level allowed to communicate with each other" only permits traffic if there are no rules in place.  Once you create an access list for the interface, the traffic will have to abide by the ACL and will not bypass it.  It is generally not recommended to use that tickbox unless you know exactly why you are using it.  It is recommended that you set up explicit ACLs to permit the traffic you want.

PSC
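As an added worked example (not from the original thread, and not a configuration either poster supplied), here is how the static PAT the question describes, and the 8.2-versus-8.3 distinction in the reply, look in ASA CLI. The interface names `remote` and `dmz1`, the VLAN ids, the DMZ interface address 10.1.50.1, the server addresses 10.1.50.11 and 10.1.50.12, the source subnet used in the ACL and the ACL name `remote_in` are all assumptions; only the interface addresses 192.168.100.1/24 and 10.1.50.0/24, the security levels and the ports 80 and 81 come from the thread.

```cisco
! ASA 8.3+ configuration (object NAT). Interface names, VLAN ids, the dmz1
! interface address, the server addresses 10.1.50.11 / 10.1.50.12 and the
! ACL name are assumed; they are not taken from the original post.
interface Ethernet0/2.100
 vlan 100
 nameif remote
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2.200
 vlan 200
 nameif dmz1
 security-level 50
 ip address 10.1.50.1 255.255.255.0
!
! Option A: hide the servers behind the interface address (static PAT).
! A static translation is bidirectional, but only for the port listed:
!   192.168.100.1:80 <-> 10.1.50.11:80
!   192.168.100.1:81 <-> 10.1.50.12:81
! nat (real_ifc,mapped_ifc) static interface service tcp real_port mapped_port
object network dmz1-http1
 host 10.1.50.11
 nat (dmz1,remote) static interface service tcp 80 80
!
object network dmz1-http2
 host 10.1.50.12
 nat (dmz1,remote) static interface service tcp 81 81
!
! Option B: do not hide the servers. On 8.3+ nothing is translated unless a
! rule matches, so no NAT statement is needed at all; the remote site must
! then carry a route for 10.1.50.0/24 pointing at 192.168.100.1.
!
! Traffic from remote (100) to dmz1 (50) is permitted by default. Binding an
! ACL to the remote interface replaces that default with an implicit deny,
! so every flow the remote site still needs (corp, DMZ 2, ...) must be listed.
! On 8.3+ the ACL references the REAL (untranslated) server addresses.
! 192.168.100.0/24 as the source is an assumption; use the remote site's
! actual subnets.
access-list remote_in extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.50.11 eq 80
access-list remote_in extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.50.12 eq 81
access-list remote_in extended permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group remote_in in interface remote
!
! Verify which translation and ACL entry a flow hits before trusting it:
!   packet-tracer input remote tcp 192.168.100.50 40000 192.168.100.1 81
!   show nat detail
!   show xlate
!
! ------------------------------------------------------------------
! Equivalent on 8.2 and below (NAT control in effect). The same PAT:
!   static (dmz1,remote) tcp interface 80 10.1.50.11 80 netmask 255.255.255.255
!   static (dmz1,remote) tcp interface 81 10.1.50.12 81 netmask 255.255.255.255
! Identity NAT when the servers are NOT to be hidden (translate to self):
!   static (dmz1,remote) 10.1.50.0 10.1.50.0 netmask 255.255.255.0
! On 8.2 the ACL on the remote interface must match the MAPPED address,
! i.e. "host 192.168.100.1 eq 80", not the server's real address.
```

On the poster's last question: because the static rule above is port-specific, it translates the servers' replies and anything they initiate from source port 80 or 81 towards the remote interface, and nothing else. Any other connection a server opens towards the remote site will not match the rule; on 8.3+ it leaves untranslated with its 10.1.50.x source, so either the remote site needs a route back to 10.1.50.0/24 or a separate dynamic PAT rule (`nat (dmz1,remote) dynamic interface` on a network object for 10.1.50.0/24) has to be added for that traffic.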
