05-25-2015 08:38 AM - edited 03-11-2019 10:59 PM
Hello,
I've been trying to learn some more about NAT configuration on the ASA. I have a lab set up with an ASA and I'm configuring Auto NAT / object NAT (Section 2 of the NAT table). This question is really about configuring the direction, (outside,dmz1) or (dmz1,outside), in the NAT statement.
I'm configuring a static NAT from the outside to a DMZ server. The traffic flow or direction is from the outside interface to the dmz1 interface. If I configure object NAT as below, I can ping the DMZ1 server via the mapped static address 10.10.10.204 from a host on the outside. In my way of thinking the syntax appears backwards, as the traffic flow is from the outside to DMZ1; however, the Cisco example I've been working from shows to configure it as below and it works, so this configuration must be bidirectional, outside-dmz1 and dmz1-outside.
ciscoasa# sh run object
!
object network vpcs4
host 10.10.4.10
object network static-nat-10.10.10.204
host 10.10.10.204
ciscoasa# sh nat
Auto NAT Policies (Section 2)
1 (dmz1) to (outside) source static vpcs4 10.10.10.204
translate_hits = 0, untranslate_hits = 6
2 (inside) to (outside) source dynamic 10-10-3-0 pat-pool-100-110
translate_hits = 0, untranslate_hits = 0
ciscoasa# sh run nat
!
object network vpcs4
nat (dmz1,outside) static 10.10.10.204
object network 10-10-3-0
nat (inside,outside) dynamic pat-pool-100-110
If I configure the auto object NAT as below (the reverse of above), which to me is more in line with the traffic flow from outside to dmz1, the same ping test from the outside to dmz1 fails; the firewall denies the connectivity. There's an ACL in place to permit the traffic. I just wanted to know if it's possible to configure the NAT statement as (outside,dmz1) and have it work.
ciscoasa(config-network-object)# sh access-list
access-list outside-access-in line 1 extended permit ip any any log informational interval 300 (hitcnt=6) 0xe0ba389d
ciscoasa(config-network-object)# %ASA-3-106014: Deny inbound icmp src outside:10.10.1.10 dst outside:10.10.10.204 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:10.10.1.10 dst outside:10.10.10.204 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:10.10.1.10 dst outside:10.10.10.204 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src outside:10.10.1.10 dst outside:10.10.10.204 (type 8, code 0)
ciscoasa# sh run object
!
object network static-nat-10.10.10.204
host 10.10.10.204
object network vpcs4
host 10.10.4.10
ciscoasa(config-network-object)# sh nat
Auto NAT Policies (Section 2)
1 (outside) to (dmz1) source static static-nat-10.10.10.204 vpcs4
translate_hits = 0, untranslate_hits = 0
ciscoasa(config-network-object)# sh run nat
!
object network static-nat-10.10.10.204
nat (outside,dmz1) static vpcs4
Any guidance would be appreciated..
Andy
05-25-2015 09:58 AM
Hi
I would agree that in the beginning static NAT seems to be backwards.
For your question in the second part, you will need to do just as you did in the first part: match the source in the object and then translate it. You can't just swap "outside" and "dmz1"; it has to match where the traffic is coming from.
object network OUTSIDE-HOST_LOCAL
 host 10.10.10.210
object network OUTSIDE-HOST_GLOBAL
 host 10.10.1.10
 nat (outside,dmz1) static OUTSIDE-HOST_LOCAL
(I am assuming that the outside host's real address is 10.10.10.210 and that the inside subnet is 10.10.1.0/24)
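To make the rule in the reply concrete, the following is an added example (not from the thread or from Cisco) that models how the ASA evaluates a static object NAT rule in both directions: the nat line lives under the object holding the real address, the first interface is where that real address lives, and the same rule is hit forward (translate) when the real host sends and in reverse (untranslate) when something on the mapped side sends to the mapped address. It replays the two configurations from the first post plus an assumed rule for the outside host (names OUTSIDE-HOST and 10.10.10.210, the routing table, and the "hairpin out the ingress interface is denied" behaviour are assumptions for the model, not lab output).

```python
"""Toy model of ASA Auto NAT (Section 2) static object NAT evaluation.

A static object NAT rule is written under the object that holds the REAL
address, and the argument is the MAPPED address:

    object network REAL-OBJ
     nat (real_ifc,mapped_ifc) static MAPPED

One rule matches in both directions:
  translate   : packet enters on real_ifc  with source == real  -> source becomes mapped
  untranslate : packet enters on mapped_ifc with dest  == mapped -> dest becomes real, egress real_ifc
So the interface order is decided by where the REAL address lives, not by
the direction of the connection you want to permit.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class StaticNat:
    obj: str          # network object that holds the real address
    real_ifc: str
    mapped_ifc: str
    real: str
    mapped: str

    def to_cli(self) -> str:
        """Render the rule the way it appears in 'show run nat'."""
        return (f"object network {self.obj}\n"
                f" nat ({self.real_ifc},{self.mapped_ifc}) static {self.mapped}")


@dataclass(frozen=True)
class Packet:
    ingress: str
    src: str
    dst: str


@dataclass(frozen=True)
class Result:
    verdict: str          # "forward" or "deny"
    egress: str
    src: str              # source after NAT
    dst: str              # destination after NAT
    hit: Optional[str]    # "translate", "untranslate", "both" or None


# Constructed routing table (assumption: 10.10.10.204 sits on the outside
# subnet; anything unknown, such as 10.10.1.10, goes out the default/outside).
ROUTES = {
    "inside": ipaddress.ip_network("10.10.3.0/24"),
    "dmz1": ipaddress.ip_network("10.10.4.0/24"),
    "outside": ipaddress.ip_network("10.10.10.0/24"),
}
DEFAULT_IFC = "outside"


def egress_for(dst: str) -> str:
    """Longest-prefix lookup over the constructed routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for ifc, net in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifc, net)
    return best[0] if best else DEFAULT_IFC


def evaluate(rules: list[StaticNat], pkt: Packet) -> Result:
    """Destination side first (untranslate, which also picks the egress
    interface), then source side (translate toward that egress)."""
    dst, egress, hits = pkt.dst, egress_for(pkt.dst), []
    for r in rules:
        if pkt.ingress == r.mapped_ifc and pkt.dst == r.mapped:
            dst, egress = r.real, r.real_ifc
            hits.append("untranslate")
            break
    src = pkt.src
    for r in rules:
        if pkt.ingress == r.real_ifc and egress == r.mapped_ifc and pkt.src == r.real:
            src = r.mapped
            hits.append("translate")
            break
    # Assumption: without a same-security intra-interface permit, a packet
    # that would leave by its ingress interface is dropped; this reproduces
    # the "src outside ... dst outside" 106014 deny seen in the thread.
    verdict = "deny" if egress == pkt.ingress else "forward"
    hit = "both" if len(hits) == 2 else (hits[0] if hits else None)
    return Result(verdict, egress, src, dst, hit)


# The two configurations from the first post, plus an assumed rule of the
# kind the reply describes (outside host's real 10.10.1.10 shown to the DMZ
# as 10.10.10.210).
WORKING = StaticNat("vpcs4", "dmz1", "outside", real="10.10.4.10", mapped="10.10.10.204")
REVERSED = StaticNat("static-nat-10.10.10.204", "outside", "dmz1", real="10.10.10.204", mapped="10.10.4.10")
OUTSIDE_HOST = StaticNat("OUTSIDE-HOST", "outside", "dmz1", real="10.10.1.10", mapped="10.10.10.210")

PING = Packet("outside", "10.10.1.10", "10.10.10.204")   # the echo request from the thread

if __name__ == "__main__":
    for name, rules in [("working", [WORKING]), ("reversed", [REVERSED]),
                        ("working + outside host", [WORKING, OUTSIDE_HOST])]:
        print(f"{name:24s} {evaluate(rules, PING)}")
```

Running it shows the working rule is hit in its untranslate direction for the inbound ping (dst becomes 10.10.4.10, egress dmz1, matching the untranslate_hits counter in the post), the reversed rule matches nothing so the packet is routed back out the outside interface and dropped, and the DMZ host's reply hits the same working rule in its translate direction.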
05-25-2015 02:30 PM
Hello Henrik,
Thanks for your response.
I think the problem is me and my incorrect understanding of the syntax.
I'm going to experiment some more here to see if I can get a better understanding.
Andy