ASA Auto Object Static NAT Question

networkwise
Level 1

Hello,

I've been trying to learn some more about NAT configuration on the ASA. I have a lab set up with an ASA and I'm configuring Auto NAT / object NAT (section 2 of the NAT table). This question is really about configuring the direction, (outside,dmz1) or (dmz1,outside), in the NAT statement.

 

I'm configuring a static NAT connection from the outside to a DMZ server. The traffic flow or direction is from the outside interface to the dmz1 interface. If I configure object NAT as below, I can ping the DMZ1 server via the mapped static address 10.10.10.204 from a host on the outside. In my way of thinking the syntax appears backwards, as the traffic flow is from the outside to DMZ1; however, the Cisco example I've been working from shows to configure it as below and it works, so this configuration must be bidirectional: outside-dmz1 and dmz1-outside.

ciscoasa# sh run object
!
object network vpcs4
 host 10.10.4.10
object network static-nat-10.10.10.204
 host 10.10.10.204

ciscoasa# sh nat

Auto NAT Policies (Section 2)
1 (dmz1) to (outside) source static vpcs4 10.10.10.204
    translate_hits = 0, untranslate_hits = 6
2 (inside) to (outside) source dynamic 10-10-3-0 pat-pool-100-110
    translate_hits = 0, untranslate_hits = 0

ciscoasa# sh run nat
!
object network vpcs4
 nat (dmz1,outside) static 10.10.10.204
object network 10-10-3-0
 nat (inside,outside) dynamic pat-pool-100-110

If I configure the auto object NAT as below (the reverse of the above), which to me is more in line with the traffic flow from outside to dmz1, the same ping test from the outside to dmz1 fails; the firewall denies the connectivity. There's an ACL in place to permit traffic. I just wanted to know if it's possible to configure the NAT statement as (outside,dmz1) and have it work?

ciscoasa(config-network-object)# sh access-list
access-list outside-access-in line 1 extended permit ip any any log informational interval 300 (hitcnt=6) 0xe0ba389d

ciscoasa(config-network-object)# %ASA-3-106014: Deny inbound icmp src outside:10.10.1.10 dst outside:10.10.10.204 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:10.10.1.10 dst outside:10.10.10.204 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:10.10.1.10 dst outside:10.10.10.204 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:10.10.1.10 dst outside:10.10.10.204 (type 8, code 0)

ciscoasa# sh run object
object network static-nat-10.10.10.204
 host 10.10.10.204
object network vpcs4
 host 10.10.4.10

ciscoasa(config-network-object)# sh nat
Auto NAT Policies (Section 2)
1 (outside) to (dmz1) source static static-nat-10.10.10.204 vpcs4
    translate_hits = 0, untranslate_hits = 0

ciscoasa(config-network-object)# sh run nat
!
object network static-nat-10.10.10.204
 nat (outside,dmz1) static vpcs4

Any guidance would be appreciated.

Andy

2 Replies

Hi

I would agree that in the beginning static NAT seems to be backwards.

For your question in the second part, you will need to do just as you did in the first part: match the source in the object and then translate it. You can't just switch the places of "outside" and "dmz1"; it has to match where the traffic is coming from.

object network OUTSIDE-HOST_LOCAL
 host 10.10.10.210

object network OUTSIDE-HOST_GLOBAL
 host 10.10.1.10
 nat (outside,dmz1) static OUTSIDE-HOST_LOCAL

(I am assuming that the outside host's real address is 10.10.10.210 and that the inside subnet is 10.10.1.0/24)
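As an added illustration (not part of this thread and not Cisco code), the Python toy below models the matching rule both posts describe for a section 2 object NAT statement, using the addresses and interface names from the thread. It assumes the simplified semantics stated in its docstring: the real host is matched as the source on the first interface, and the mapped address as the destination on the second interface. The real ASA matcher also considers sections 1 and 3, routing, ACLs, protocol and port fields; none of that is modelled.

```python
"""Toy model of how an ASA Auto (object) NAT rule decides which packets it
matches. Added example, not from the thread or from Cisco. The rule modelled
is the one the posts discuss:

    object network REAL
     nat (real_ifc,mapped_ifc) static MAPPED

 * a packet entering real_ifc whose SOURCE is REAL's host has its source
   rewritten to MAPPED (a translate hit);
 * a packet entering mapped_ifc whose DESTINATION is MAPPED has its
   destination rewritten to REAL's host (an untranslate hit).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    real_obj: str        # name of the object network that carries the nat line
    real_host: str       # host inside that object (the real address)
    real_ifc: str        # first interface in nat (real_ifc,mapped_ifc)
    mapped_ifc: str      # second interface
    mapped_host: str     # mapped address (or the host of the mapped object)
    translate_hits: int = 0
    untranslate_hits: int = 0


@dataclass
class Packet:
    ingress_ifc: str
    src: str
    dst: str


def apply_object_nat(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[int], Optional[str], Packet]:
    """Return (index of the matching rule, egress interface, rewritten packet).

    With no match the packet comes back unchanged as (None, None, pkt): nothing
    maps its destination onto another interface, which is the state behind the
    thread's '%ASA-3-106014 ... dst outside:10.10.10.204' log lines.
    """
    for i, r in enumerate(rules):
        if pkt.ingress_ifc == r.real_ifc and pkt.src == r.real_host:
            r.translate_hits += 1
            return i, r.mapped_ifc, Packet(pkt.ingress_ifc, r.mapped_host, pkt.dst)
        if pkt.ingress_ifc == r.mapped_ifc and pkt.dst == r.mapped_host:
            r.untranslate_hits += 1
            return i, r.real_ifc, Packet(pkt.ingress_ifc, pkt.src, r.real_host)
    return None, None, pkt


# --- the configurations from the thread, transcribed into rules ------------

def working_config() -> List[NatRule]:
    """object network vpcs4 / nat (dmz1,outside) static 10.10.10.204"""
    return [NatRule("vpcs4", "10.10.4.10", "dmz1", "outside", "10.10.10.204")]


def reversed_config() -> List[NatRule]:
    """object network static-nat-10.10.10.204 / nat (outside,dmz1) static vpcs4"""
    return [NatRule("static-nat-10.10.10.204", "10.10.10.204", "outside", "dmz1", "10.10.4.10")]


def reply_config() -> List[NatRule]:
    """The reply's suggestion as written:
    object network OUTSIDE-HOST_GLOBAL (host 10.10.1.10) /
    nat (outside,dmz1) static OUTSIDE-HOST_LOCAL (host 10.10.10.210)"""
    return [NatRule("OUTSIDE-HOST_GLOBAL", "10.10.1.10", "outside", "dmz1", "10.10.10.210")]


def ping_from_outside() -> Packet:
    # The thread's test: the outside host 10.10.1.10 pings the mapped address.
    return Packet("outside", "10.10.1.10", "10.10.10.204")


if __name__ == "__main__":
    for name, cfg in (("working", working_config()), ("reversed", reversed_config())):
        idx, egress, out = apply_object_nat(cfg, ping_from_outside())
        print(f"{name:8s} rule={idx} egress={egress} dst after NAT={out.dst} "
              f"hits={cfg[0].translate_hits}/{cfg[0].untranslate_hits}")
    # What the reversed rule would actually translate: its own real host,
    # 10.10.10.204, arriving on outside as a SOURCE address.
    print("reversed matches:", apply_object_nat(reversed_config(),
                                                Packet("outside", "10.10.10.204", "10.10.4.99")))
```

Running it shows the asymmetry the first post noticed: the working rule counts an untranslate hit for the ping and hands the packet to dmz1 with destination 10.10.4.10, while the reversed rule never matches that packet because its real host (10.10.10.204) would have to be the source arriving on outside.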



 

Hello Henrik,

Thanks for your response.

I think the problem is me and my incorrect understanding of the syntax.

I'm going to experiment some more here to see if I can get a better understanding.

Andy
