Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2031
Views
0
Helpful
2
Replies

ASA 8.4 - host in DMZ access Internet

Go to solution
ROBERT MCCARTHY
Beginner
Beginner

‎10-04-2012 03:30 AM - edited ‎03-11-2019 05:04 PM

I have a very simple setup

I/F inside(100)  DMZ(50)  outside(0)

Inside hosts have NAT access to outside

DMZ host's have static nat and are  accessible from  outside  - www, dns queries etc

However:

Hosts in DMZ cannot access the internet.

packet-tracer  indicates that traffic routes via the inside i/f and is dropped !  the def route is Outside- see attached file.

I have attached the sho run NAT  and sho run route outputs. ( I can't seem to past text on here)

Any help appreciated

Thanks

Labels:
136242-packet-trace.txt.zip
136241-ASAconf.txt.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
Mentor
Mentor

‎10-04-2012 04:14 AM

Hi,

This is probably due to NAT configurations as they can define the ingress/eggress interface in the new software

So from what I gather you have the following NAT configurations

  • Default PAT configuration for LAN and DMZ Internet traffic
  • A static NAT for a server
  • Some NAT configuration that you are using for DMZ <-> LAN traffic?
    • This is most likely the cause

I would do the configurations like this

Basic PAT

object-group network PAT-SOURCE-NETWORKS

description PAT source networks

network-object x.x.x.x y.y.y.y

network object a.a.a.a b.b.b.b

nat (any,Outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

Where

  • x.x.x.x is the LAN network address
  • y.y.y.y is the LAN network mask
  • a.a.a.a is the DMZ network address
  • b.b.b.b is the DMS network mask

The above PAT configuration basicly does the following

  • The configured object-group defines the networks that will be using the "Outside" interface public IP address for PAT when connecting to the Internet
  • The source interface "any" means that source interface on the ASA can be any interface BUT as we configured the object-group to control the source addresses you have control over what gets PATed. And you dont need several NAT statements for many intefaces.
  • "after-auto" keeps the NAT rule at the bottom of the NAT rules

Static NAT

object network STATIC

host x.x.x.x

nat (Inside,Outside) static y.y.y.y dns

Where

  • STATIC is the object name
  • x.x.x.x is the local IP address
  • y.y.y.y is the public IP address

On a final note I would personally not do any NAT between your local ASA interfaces.

In the new 8.4 softwares you dont need NAT for traffic between your local interface. Any traffic that doesnt have NAT statements will go through the ASA unNATed. So your LAN network can connect to your DMZ with the DMZ actual IP address and so on.

The packet-tracer says that the following NAT rule is applied to the traffic you are testing

nat (Inside,DMZ) source static any any

To me it seems that this configuration is not needed.

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
Mentor
Mentor

‎10-04-2012 04:14 AM

Hi,

This is probably due to NAT configurations as they can define the ingress/eggress interface in the new software

So from what I gather you have the following NAT configurations

  • Default PAT configuration for LAN and DMZ Internet traffic
  • A static NAT for a server
  • Some NAT configuration that you are using for DMZ <-> LAN traffic?
    • This is most likely the cause

I would do the configurations like this

Basic PAT

object-group network PAT-SOURCE-NETWORKS

description PAT source networks

network-object x.x.x.x y.y.y.y

network object a.a.a.a b.b.b.b

nat (any,Outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

Where

  • x.x.x.x is the LAN network address
  • y.y.y.y is the LAN network mask
  • a.a.a.a is the DMZ network address
  • b.b.b.b is the DMS network mask

The above PAT configuration basicly does the following

  • The configured object-group defines the networks that will be using the "Outside" interface public IP address for PAT when connecting to the Internet
  • The source interface "any" means that source interface on the ASA can be any interface BUT as we configured the object-group to control the source addresses you have control over what gets PATed. And you dont need several NAT statements for many intefaces.
  • "after-auto" keeps the NAT rule at the bottom of the NAT rules

Static NAT

object network STATIC

host x.x.x.x

nat (Inside,Outside) static y.y.y.y dns

Where

  • STATIC is the object name
  • x.x.x.x is the local IP address
  • y.y.y.y is the public IP address

On a final note I would personally not do any NAT between your local ASA interfaces.

In the new 8.4 softwares you dont need NAT for traffic between your local interface. Any traffic that doesnt have NAT statements will go through the ASA unNATed. So your LAN network can connect to your DMZ with the DMZ actual IP address and so on.

The packet-tracer says that the following NAT rule is applied to the traffic you are testing

nat (Inside,DMZ) source static any any

To me it seems that this configuration is not needed.

- Jouni

0 Helpful

Go to solution
ROBERT MCCARTHY
Beginner
Beginner
In response to Jouni Forss

‎10-04-2012 04:57 AM

Jouni

Thanks -  that worked a treat !

Bob

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents