04-12-2013 08:22 AM - edited 03-11-2019 06:27 PM
I have ASA Version 8.0(5) and it is configured with nat-control.
But sometimes I get confused by the large amount of information about how to configure a DMZ that I found on the web.
So I wrote the configuration I want to use, and I would really appreciate your advice, for example if I have to change or add some parameters.
As you will read, I separated the configuration by traffic.
This is the configuration I want to implement on the firewall.
Traffic from inside to DMZ: I just want that from inside I can access specific servers.
access-list INSIDE extended permit tcp host 10.117.210.55 host 192.168.69.11 object-group PUERTOS-OWA
access-list INSIDE extended permit tcp host 10.117.210.56 host 192.168.69.11 object-group PUERTOS-OWA
access-list NO-NAT-0 extended permit ip host 10.117.210.56 host 192.168.69.11
access-list NO-NAT-0 extended permit ip host 10.117.210.55 host 192.168.69.11
access-list DMZ extended permit tcp host 192.168.69.11 host 10.117.210.56 object-group PUERTOS-OWA
access-list DMZ extended permit tcp host 192.168.69.11 host 10.117.210.55 object-group PUERTOS-OWA
nat (inside) 0 access-list NO-NAT-0
access-group INSIDE in interface inside
***************************************************************************************
Traffic from outside to DMZ:
Regards.
04-12-2013 08:58 AM
Hi,
Just a couple of quick questions for a start.
At least one thing that stands out in the above configuration is that on the "dmz-owa" interface you have actually attached the NAT0 ACL as the interface ACL instead of the other ACL created to be the interface ACL, at least this is what I assume.
- Jouni
04-12-2013 09:15 AM
Hi, dmz-owa is a new interface that I want to configure.
DMZ servers receive incoming traffic from the outside.
Those same DMZ servers need to communicate with some servers on the internal network.
I would like to know which is the correct and safe way so as not to compromise the internal servers.
04-12-2013 09:26 AM
Hi,
I am just wondering about the NAT part of your setup. I personally try to keep the NAT setup as simple as possible.
If you, for example, wanted to configure NAT0 for all traffic between "inside" and "dmz-owa", I would do it in the following way:
NAT0 configuration for INSIDE and DMZ-OWA
access-list INSIDE-NAT0 remark NO NAT for INSIDE to DMZ-OWA Traffic
access-list INSIDE-NAT0 permit ip 10.117.210.0 255.255.255.0 192.168.69.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
access-list DMZ-OWA-NAT0 remark NO NAT for DMZ-OWA to INSIDE Traffic
access-list DMZ-OWA-NAT0 permit ip 192.168.69.0 255.255.255.0 10.117.210.0 255.255.255.0
nat (dmz-owa) 0 access-list DMZ-OWA-NAT0
This would make it so that both networks could reach each other with their original IP addresses.
You would still need the ACLs you mention to control what traffic is allowed on the firewall interfaces.
I don't think there is anything wrong with the above configurations, but I would just consider doing the NAT0 configuration more broadly, by doing it for the whole networks and leaving the traffic control to the interface ACLs instead of NAT / nat-control.
But whether the above NAT0 configuration is possible naturally also depends on the existing configuration on the firewall, which I have not seen.
- Jouni
04-12-2013 09:57 AM
Thanks for your help.
I read on a link that if I want to pass traffic from a lower security level to a higher security level I have to use static NAT if I use nat-control, and if I do not use nat-control I just have to use access lists. Is what I read correct? Can you explain that to me?
On the other hand, you told me that the configuration I want to do is correct, but that it would be better if I made this change in the ACLs:
Traffic from inside to DMZ:
access-list INSIDE extended permit tcp host 10.117.210.55 host 192.168.69.11 object-group PUERTOS-OWA
access-list INSIDE extended permit tcp host 10.117.210.56 host 192.168.69.11 object-group PUERTOS-OWA
access-list INSIDE-NAT0 remark NO NAT for INSIDE to DMZ-OWA Traffic
access-list INSIDE-NAT0 permit ip 10.117.210.0 255.255.255.0 192.168.69.0 255.255.255.0
Traffic from DMZ to inside:
access-list DMZ extended permit tcp host 192.168.69.11 host 10.117.210.61 eq 53
access-list DMZ extended permit tcp host 192.168.69.11 host 10.117.210.62 eq 53
access-list DMZ extended permit tcp host 192.168.69.11 host 10.117.210.44 eq 123
access-list DMZ extended permit udp host 192.168.69.11 host 10.117.210.44 eq 123
access-list DMZ-OWA-NAT0 remark NO NAT for DMZ-OWA to INSIDE Traffic
access-list DMZ-OWA-NAT0 permit ip 192.168.69.0 255.255.255.0 10.117.210.0 255.255.255.0
And with the access lists that are applied on the interfaces I control which servers can enter, so if in the future I want to add a new server I just have to add a new entry to the ACL applied on the interface. Is that correct?
I was just wondering about something else that I found on the web.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml
In the part that shows the example of DMZ to inside, I don't understand why the static configuration uses the IP 192.168.2.20
if the IP of the DMZ server is 192.168.1.10. I think that it should be
static (inside,DMZ) 192.168.1.10 172.20.1.5 netmask 255.255.255.255 and replace the IP 192.168.2.20 with 192.168.1.10 in the access-list. But if I am wrong, please explain it to me.
Thanks for all your help.
04-12-2013 10:13 AM
Hi,
The idea of the configuration I mentioned is simply to make sure that NO NAT is done between the 2 local networks you have. And as you say, you could now just use the interface ACLs to control which traffic is allowed to pass through to the other network.
As for the linked example,
I don't really understand why I would, for example, want to NAT my local network addresses. To me it just seems like something that isn't needed and which would result in more complexity in the network. I am not sure what the purpose of the NAT is in the document's situation. Maybe it's just an example of the Static NAT configuration, but I don't see the need to NAT the IP address from the INSIDE to the DMZ in that situation. Then again, I haven't read the whole document through.
EDIT: I guess the point of the Static NAT configuration in the document is that "nat-control" is enabled and therefore every connection going through the firewall requires a NAT configuration. So you would, for example, need a "static" statement between your local interfaces/networks for the traffic to be allowed through.
How you configure your setup is naturally up to you.
You can use the NAT0 configuration between the whole networks and control the traffic with ACLs.
You also have the option to configure Identity NAT, which would enable the networks to form connections using the original IP addressing.
That configuration would probably look something like this:
static (inside,dmz-owa) 10.117.210.0 10.117.210.0 netmask 255.255.255.0
- Jouni
Message was edited by: Jouni Forss
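The three configurations discussed in this thread (the original per-host NAT0 exemption, Jouni's whole-network NAT0 exemption, and the identity static from the accepted answer) differ only in whether nat-control can find a translation for a given flow; the interface ACLs do the actual filtering. The following is an added example, written for this page and not code from the thread or from Cisco: a small model of how an ASA 8.0(5) with nat-control decides the first packet of a new connection, run over the thread's own lines. Assumptions not stated in the thread: the security levels (inside 100, dmz-owa 50), that PUERTOS-OWA contains tcp/443, and that the DMZ ACL is applied to the dmz-owa interface with access-group so that it is actually in force. NAT exemption (nat 0 access-list) is treated as bidirectional, as it is on the ASA, which is why the second nat 0 statement in the broad configuration is belt-and-braces rather than required.

```python
"""How an ASA 8.0(5) running nat-control decides the first packet of a new
connection between two interfaces. Added example, not Cisco code: it models only
the commands used in this thread and assumes the security levels below."""
import ipaddress

SEC = {"inside": 100, "dmz-owa": 50}   # assumed security levels (not stated in the thread)

def _net(t):
    if t[0] == "host":                 # consume 'host A' or 'A MASK' from the token list
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]

def parse(text):
    """Build lookup tables from the config subset; other lines are ignored."""
    cfg = {"acl": {}, "svc": {}, "nat0": {}, "static": [], "group": {}, "nat_control": False}
    grp = None
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["nat-control"]:
            cfg["nat_control"] = True
        elif t[:2] == ["object-group", "service"]:
            grp = cfg["svc"].setdefault(t[2], set())
        elif t[:1] == ["port-object"]:                 # only 'port-object eq N' is modelled
            grp.add(int(t[2]))
        elif t[:1] == ["access-list"] and t[2] != "remark":
            rest = t[3:] if t[2] == "extended" else t[2:]
            action, proto, rest = rest[0], rest[1], rest[2:]
            src, rest = _net(rest)
            dst, rest = _net(rest)
            ports = None                                # None = any port
            if rest[:1] == ["eq"]:
                ports = {int(rest[1])}
            elif rest[:1] == ["object-group"]:
                ports = cfg["svc"][rest[1]]
            cfg["acl"].setdefault(t[1], []).append((action, proto, src, dst, ports))
        elif t[:1] == ["nat"] and t[2] == "0":          # nat (ifc) 0 access-list NAME
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[:1] == ["static"]:     # static (real_ifc,mapped_ifc) mapped real netmask M
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["static"].append((real_if, mapped_if, ipaddress.ip_network(f"{t[3]}/{t[5]}"),
                                  ipaddress.ip_network(f"{t[2]}/{t[5]}")))
        elif t[:1] == ["access-group"]:                 # access-group NAME in interface IFC
            cfg["group"][t[4]] = t[1]
    return cfg

def acl_permits(cfg, name, proto, src, dst, dport):
    """First match wins; an unmatched packet hits the implicit deny."""
    for action, p, s, d, ports in cfg["acl"].get(name, []):
        if p in ("ip", proto) and src in s and dst in d and (ports is None or dport in ports):
            return action == "permit"
    return False

def has_translation(cfg, in_if, out_if, src, dst):
    """What nat-control demands. NAT exemption is bidirectional, so an exemption on
    either interface counts; a static on (in_if,out_if) must cover the source, one on
    (out_if,in_if) must cover the destination (lower-security host reaching higher)."""
    for ifc, acl in cfg["nat0"].items():
        if ifc == in_if and acl_permits(cfg, acl, "ip", src, dst, None):
            return True
        if ifc == out_if and acl_permits(cfg, acl, "ip", dst, src, None):
            return True
    for real_if, mapped_if, real_net, mapped_net in cfg["static"]:
        if (real_if, mapped_if) == (in_if, out_if) and src in real_net:
            return True
        if (real_if, mapped_if) == (out_if, in_if) and dst in mapped_net:
            return True
    return False

def new_connection(cfg, in_if, out_if, proto, src, dst, dport):
    """(allowed, reason); the ingress ACL is evaluated before the translation lookup."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg["group"].get(in_if)
    if acl is None:                          # no ACL: only higher-to-lower passes by default
        if SEC[in_if] <= SEC[out_if]:
            return False, f"no ACL on {in_if}; lower-to-higher denied by default"
    elif not acl_permits(cfg, acl, proto, src, dst, dport):
        return False, f"denied by ACL {acl} on {in_if}"
    if cfg["nat_control"] and not has_translation(cfg, in_if, out_if, src, dst):
        return False, "nat-control: no translation group found"   # cf. syslog 305005
    return True, "permitted"

# Constructed from the thread's lines; PUERTOS-OWA contents and 'access-group DMZ' are assumed.
ACLS = """nat-control
object-group service PUERTOS-OWA tcp
 port-object eq 443
access-list INSIDE extended permit tcp host 10.117.210.55 host 192.168.69.11 object-group PUERTOS-OWA
access-list INSIDE extended permit tcp host 10.117.210.56 host 192.168.69.11 object-group PUERTOS-OWA
access-list DMZ extended permit tcp host 192.168.69.11 host 10.117.210.61 eq 53
access-group INSIDE in interface inside
access-group DMZ in interface dmz-owa
"""
OP_CFG = ACLS + """access-list NO-NAT-0 extended permit ip host 10.117.210.56 host 192.168.69.11
access-list NO-NAT-0 extended permit ip host 10.117.210.55 host 192.168.69.11
nat (inside) 0 access-list NO-NAT-0
"""                                  # original post: exemption for two inside hosts only
BROAD_CFG = ACLS + """access-list INSIDE-NAT0 permit ip 10.117.210.0 255.255.255.0 192.168.69.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
access-list DMZ-OWA-NAT0 permit ip 192.168.69.0 255.255.255.0 10.117.210.0 255.255.255.0
nat (dmz-owa) 0 access-list DMZ-OWA-NAT0
"""                                  # whole networks exempt; the ACLs do the filtering
STATIC_CFG = ACLS + """static (inside,dmz-owa) 10.117.210.0 10.117.210.0 netmask 255.255.255.0
"""                                  # identity NAT from the accepted answer
```

With OP_CFG, DNS from the DMZ server to 10.117.210.61 passes the DMZ ACL but is still dropped, because the only exemption covers 10.117.210.55 and .56; with BROAD_CFG or STATIC_CFG the same flow is permitted, while anything the DMZ ACL does not list (tcp/445 to .55, say) is still denied by the ACL. With nat-control absent, the interface ACLs alone decide, which is the answer to the lower-to-higher question asked above.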
04-12-2013 10:18 AM
Thank you very much, I appreciate your assistance.
There is no confusion now.