ASA pre 8.3 NAT

Bilal Nawaz
VIP Alumni

Hi Team,

I have 3 interfaces on ASA, guest, outside and DMZ.

The guest is trying to browse to xyz.com, which resolves to a proxy arp address on the outside interface. There is a static NAT for this address to a host in the DMZ.

I want to translate the destination address - from the guest network, to this host in the DMZ, going to the outside public IP, translate the destination to the DMZ address.

Thank you

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.


Akshay Rastogi
Cisco Employee

Hi Bilal,

Please use the link below; this is a DNS doctoring scenario:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html#anc11


Regards,

Akshay Rastogi

Hi Akshay, I can see my client is now trying to get to the real IP address of the server, but I'm still not able to HTTP to it.

I have created an ACL allowing this traffic to the real IP address of the server from the DMZ and am not seeing any hits.


Bilal

What firewall model?

What security levels on the interfaces?

Jon

Hi Jon,

It's a 5585X on version 8.2(5)57.


Guest and DMZ security level is 50. Outside is 0, inside is 100.

ASA interfaces

Guest (DMZ-6) - 10.211.252.121/29

DMZ (DMZ-2) - 10.211.244.113/28

Outside - XXX.XXX.XXX.XXX


Client is 10.211.252.123

DMZ server IP is 10.211.244.120 -> X.X.X.X Static NAT to address on outside subnet


The client resolves xyz.com; the ASA intercepts the reply and returns 10.211.244.120. I see a SYN from my client to this address when I try to browse, and then retransmits follow.


On the DMZ interface I have applied this:

access-list DMZ-6 line 2 extended permit tcp any host 10.211.244.120 eq www (hitcnt=0) 0x2f60303a

and for NAT I have applied this:

static (DMZ-2,outside) xxx.xxx.xxx.xxx 10.211.244.120 netmask 255.255.255.255 dns

Thank you


So you need -

1) to have "same-security-traffic permit inter-interface" in your configuration

2) you may well need these NAT statements -

nat (guest,DMZ-2) 10.211.252.123 10.211.252.253 netmask 255.255.255.255
nat (DMZ-2,guest) 10.211.244.120 10.211.244.120 netmask 255.255.255.255

Then, as long as you are allowing traffic from guest to DMZ-2, the ACL applied on the DMZ-2 interface should not come into it.

Jon

Thanks to you both!


Bilal

Just to clarify, with that configuration traffic can be initiated from either the guest VLAN or the DMZ VLAN, which may or may not be what you want.

But that is because you have the same security levels on both interfaces.

Jon
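As an added illustration of the two points the thread settles on (this is example code, not ASA code or anything posted above), the model below applies the `dns` keyword rewrite of the poster's `static (DMZ-2,outside)` line to a DNS reply arriving on outside, and then checks the guest-to-DMZ forwarding decision against the equal security levels. The interface names, levels and DMZ addresses are those posted in the thread; the public address is redacted there, so 203.0.113.10 is a constructed placeholder, and the rewrite and same-security rules are deliberately simplified.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    """One pre-8.3 'static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ... [dns]' line."""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    dns: bool = False  # the trailing 'dns' keyword enables A-record rewriting


# Interface security levels as posted in the thread.
SECURITY_LEVELS = {"inside": 100, "DMZ-6": 50, "DMZ-2": 50, "outside": 0}

# The poster's static, with a constructed placeholder for the redacted public address.
STATICS = [StaticNat("DMZ-2", "outside", "203.0.113.10", "10.211.244.120", dns=True)]


def doctor_dns_answer(answer_ip, reply_in_ifc, statics=STATICS):
    """Return the A record the client sees after the ASA inspects the DNS reply.

    Simplified rule: a reply arriving on a static's mapped interface whose A record
    equals the mapped address is rewritten to the real address when 'dns' is set.
    """
    for s in statics:
        if s.dns and s.mapped_ifc == reply_in_ifc and answer_ip == s.mapped_ip:
            return s.real_ip
    return answer_ip


def forwarding_allowed(src_ifc, dst_ifc, levels=SECURITY_LEVELS, same_sec_inter=False):
    """Same-security check only: interfaces at equal levels are denied unless
    'same-security-traffic permit inter-interface' is configured. Other pairs
    proceed to ACL and NAT evaluation, which this model does not implement."""
    if levels[src_ifc] == levels[dst_ifc]:
        return same_sec_inter
    return True


def simulate_guest_http(same_sec_inter):
    """Guest client resolves the public name via an outside DNS server, then sends a SYN.
    Returns (address the SYN is sent to, whether the ASA forwards it towards DMZ-2)."""
    dst = doctor_dns_answer("203.0.113.10", reply_in_ifc="outside")  # doctored to the real IP
    allowed = forwarding_allowed("DMZ-6", "DMZ-2", same_sec_inter=same_sec_inter)
    return dst, allowed
```

Running `simulate_guest_http(False)` reproduces the symptom in the thread: the client sends its SYN to 10.211.244.120 but the ASA drops it before any DMZ-2 ACL is consulted, which is why the `hitcnt` stayed at 0.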
