ASA NAT inside and DMZ with one public IP

MrBeginner

Hi ,

I am trying to set up NAT on an ASA firewall.

I would like to do the design below. All outgoing traffic from the web server, server2 (app network) and the PC network is NATed to the outside interface (10.1.14.70). I also want to NAT the web server (172.16.20.10) so it can be accessed from the outside network.

I want to use the same outside interface IP for the NAT.

When I configure NAT for incoming traffic to the web server using nat (inside,outside) static 10.1.14.70, I always get NAT overlap errors:

mapped-address 10.1.14.71/80-0 overlaps with existing static NAT

So I changed to the interface command.

After that I can access my web server from outside and my web server can go outside. But now the APP network and PC network cannot go outside.

Please let me know how to solve this.

Can I use one public IP for both incoming and outgoing NAT?

Please see my final tested config. The IP addresses are different from the diagram below.

interface GigabitEthernet0/0
description outside-net
nameif outside
security-level 0
ip address 10.1.14.70 255.255.255.0
!
interface GigabitEthernet0/1
description inside
nameif inside
security-level 100
ip address 172.16.20.1 255.255.255.224
!
interface GigabitEthernet0/2
description app-net
nameif app
security-level 50
ip address 172.16.20.33 255.255.255.224
!

ftp mode passive
object network web-server
host 172.16.20.10
object network app-servers
subnet 172.16.20.32 255.255.255.224
access-list out standard permit any4
access-list outside-access extended permit ip any any
access-list app_access_in extended permit ip any any
access-list app-access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
mtu app 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network web-server
nat (inside,outside) static interface
!
nat (app,outside) after-auto source dynamic any interface
access-group outside-access in interface outside
access-group app-access in interface app

[Attachment: ASA 2.PNG (network diagram)]

Accepted Solution

I would like to know there is no limitation to use dynamic(pat) and static Nat?

This depends on what you mean by limitation. You cannot have two NAT statements for the same outside port. For example, if webserver and server2 are both to use port TCP/80 with the same public/outside IP, this is not possible. One of the servers would need to either use a different port associated with the public IP (for example TCP/8080) or one of the servers would need a separate public/outside IP.

 

when i do your advise i can access to my webserver but my web server cannot access to outside network 

You did not post the configuration you tried. For access to the internet all PCs use a random high source port, so if you do not include a separate dynamic NAT for the inside interface, this server will not have access to the internet. For example, you would also need the following configuration:

object network inside_LAN
 subnet 172.16.20.0 255.255.255.224
 nat (inside,outside) dynamic interface

 

if it is yes,how should I do if I want  static Nat with below service group?

You will need to create a service object for each of those entries and then create separate NAT statements for each of them.

--
Please remember to select a correct answer and rate helpful posts


6 Replies

This is easy enough to do.

You haven't provided interface names for the interface for "Other PCs".

1. Create separate network objects for the subnets 10.16.20.0/27, 10.16.20.32/27 and 10.16.10.0/24.

2. Create dynamic NAT statements for each of these within object NAT (NAT Section 2).

3. Create a separate network object for the web server and one for server2.

4. Create static NAT for each of these, translating port TCP/80 for the web server and whatever port you require for server2.

5. Create access rules on the outside interface for the traffic towards the web server and server2, with the destination being the private IP of the servers.

--
Please remember to select a correct answer and rate helpful posts

Hi,

I haven't named the PCs' network because I get the error in the inside network and app network.
Steps 1 to 3 I can do. But with steps 5 to 6 I get the error; can you help with a sample?

 

When I create dynamic NAT with interface, it is OK, but I cannot create static NAT to the web server. I cannot use static NAT with the outside interface; it shows an IP overlap.

Hi,

I tried dynamic NAT for outgoing traffic and static NAT for incoming. But static NAT needs an extra public IP, 10.1.14.71; I cannot use the real existing public IP 10.1.14.70 of the outside interface. If I use the existing public IP of the outside interface, I get a NAT overlapping issue. Another error is that I cannot ping from the web server to the app network, or from the app net to the web server, even though I added an ACL rule any any.

So I would like to know whether it is an ASA limitation or a configuration error?

The reason is, as I tried to mention in my post above, that you need to specify the ports in the NAT statement and not NAT the whole port range to the webserver.

object network webserver
 host 172.16.20.10
 nat (inside,outside) static interface service tcp www www

This NATs 172.16.20.10 to the outside interface for port TCP/80. It is also possible to NAT, for example, port TCP/8080 on the outside to port TCP/80 on the inside.

Be sure to keep in mind that you must use the interface keyword when NATing to the IP of the translated interface, in this case the outside interface.

--
Please remember to select a correct answer and rate helpful posts
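As an added illustration (not from the thread or from Cisco), here is a small Python model of the rule the replies above describe: a static NAT without a service claims every port of the mapped address, while port-specific static PAT and dynamic PAT can share one interface IP. The conflict logic is a simplified approximation of ASA behaviour, and server2's address 172.16.20.11 and its port 8080 are assumed.

```python
# Added example, not the thread's or Cisco's code: a simplified model of why
# a whole-address static NAT cannot share the outside interface IP, while
# port-specific static PAT plus dynamic PAT can (approximation, not ASA logic).
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class NatRule:
    real: str                    # real (inside) host or subnet
    mapped: str                  # mapped (outside) address, here the interface IP
    kind: str                    # "static" or "dynamic" (interface PAT)
    proto: Optional[str] = None  # "tcp"/"udp" when a service is specified
    port: Optional[int] = None   # mapped port; None means the whole address

def _conflict(a: NatRule, b: NatRule) -> bool:
    """True when two rules cannot share the same mapped address."""
    if a.mapped != b.mapped:
        return False
    statics = [r for r in (a, b) if r.kind == "static"]
    # A static without a service claims every port of the mapped address,
    # so nothing else (static or dynamic PAT) can share that address.
    if any(r.port is None for r in statics):
        return True
    # Two port-specific statics clash only on the same proto/port.
    return len(statics) == 2 and (a.proto, a.port) == (b.proto, b.port)

def find_conflicts(rules: List[NatRule]) -> List[Tuple[NatRule, NatRule]]:
    """Return every pair of rules that cannot coexist on one mapped address."""
    return [(a, b) for i, a in enumerate(rules)
            for b in rules[i + 1:] if _conflict(a, b)]

IFACE = "10.1.14.70"  # outside interface IP from the thread

# First attempt from the thread: whole-address static to the web server
# beside dynamic PAT for the app network on the same interface IP.
FIRST_ATTEMPT = [
    NatRule("172.16.20.10", IFACE, "static"),
    NatRule("172.16.20.32/27", IFACE, "dynamic"),
]

# The fix from the replies: static PAT for tcp/80 only, plus dynamic PAT for
# the inside and app subnets; server2 (constructed: 172.16.20.11, tcp/8080).
FIXED = [
    NatRule("172.16.20.10", IFACE, "static", "tcp", 80),
    NatRule("172.16.20.11", IFACE, "static", "tcp", 8080),
    NatRule("172.16.20.0/27", IFACE, "dynamic"),
    NatRule("172.16.20.32/27", IFACE, "dynamic"),
]
```

Running find_conflicts(FIRST_ATTEMPT) reports the whole-address static against the dynamic PAT, while find_conflicts(FIXED) returns an empty list; moving server2 to tcp/80 as well would report a clash again.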

Hi,

I would like to know whether there is any limitation on using dynamic (PAT) and static NAT together.

When I follow your advice I can access my web server, but my web server cannot access the outside network.
Does it depend on the service? If yes, what should I do if I want static NAT with the service group below?

object-group service GATEWAY-SERVICES
 service-object tcp eq 88
 service-object tcp eq 135
 service-object tcp eq 445
 service-object tcp eq ldaps
 service-object tcp eq 3268
 service-object tcp eq 3269
 service-object tcp eq 53
 service-object udp eq 53
 service-object tcp eq 389
 service-object udp eq 389
 service-object tcp eq 464
 service-object udp eq 464
 service-object tcp range 49152 65535
 service-object udp range 49152 65535
