cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1137
Views
0
Helpful
7
Replies

ASA pre 8.3 NAT

Bilal Nawaz
VIP Alumni
VIP Alumni

Hi Team,

I have 3 interfaces on ASA, guest, outside and DMZ.

The guest is trying to browse to xyz.com, which resolves to a proxy arp address on the outside interface. There is a static NAT for this address to a host in the DMZ.

I want to translate the destination address - from the guest network, to this host in the DMZ, going to the outside public IP, translate the destination to the DMZ address.

Thank you

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
2 Accepted Solutions

Accepted Solutions

Akshay Rastogi
Cisco Employee
Cisco Employee

Hi Bilal,

Please use the link below. this is a DNS doctoring scenario. :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html#anc11

 

Regards,

Akshay Rastogi

View solution in original post

So you need -

1) to have "same-security-traffic permit inter-interface" in your configuration

2) you may well need these NAT statements -

nat (guest,DMZ-2) 10.211.252.123 10.211.252.253 netmask 255.255.255.255
nat (DMZ-2,guest) 10.211.244.120 10.211.244.120 netmask 255.255.255.255

then as long as you are allowing traffic from guest to DMZ-2 the acl applied on the DMZ-2 interface should not come into it.

Jon

View solution in original post

7 Replies 7

Akshay Rastogi
Cisco Employee
Cisco Employee

Hi Bilal,

Please use the link below. this is a DNS doctoring scenario. :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html#anc11

 

Regards,

Akshay Rastogi

Hi Akshay, I can see my client is now trying to get to the real ip address of the server. But i'm is still not able to http to it.

I have created an ACL allowing this traffic to the real ip address of the server from the DMZ and not seeing any hits.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Bilal

What firewall model ?

What security levels on the interfaces ?

Jon

Hi Jon,

It's a 5585X on version 8.2(5)57.

 

Guest and DMZ security level is 50. Outside is 0, inside is 100.

ASA interfaces

Guest (DMZ-6) - 10.211.252.121/29

DMZ (DMZ-2) - 10.211.244.113/28

Outside - XXX.XXX.XXX.XXX

 

Client is 10.211.252.123

DMZ server IP is 10.211.244.120 -> X.X.X.X Static NAT to address on outside subnet

 

Client resolves xyz.com ASA intercepts and returns back 10.211.244.120. I see SYN from my client to this address when i try to browse and then retransmits follow.

 

On the DMZ interface I have applied this:

access-list DMZ-6 line 2 extended permit tcp any host 10.211.244.120 eq www (hitcnt=0) 0x2f60303a

and for NAT i have applied this

static (DMZ-2,outside) xxx.xxx.xxx.xxx 10.211.244.120 netmask 255.255.255.255 dns

Thank you

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

So you need -

1) to have "same-security-traffic permit inter-interface" in your configuration

2) you may well need these NAT statements -

nat (guest,DMZ-2) 10.211.252.123 10.211.252.253 netmask 255.255.255.255
nat (DMZ-2,guest) 10.211.244.120 10.211.244.120 netmask 255.255.255.255

then as long as you are allowing traffic from guest to DMZ-2 the acl applied on the DMZ-2 interface should not come into it.

Jon

Thanks to you both!

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Bilal

Just to clarify, with that configuration traffic can be initiated from either the guest vlan or the DMZ vlan which may or may not be what you want.

But that is because you have the same security levels on both interfaces.

Jon

Review Cisco Networking for a $25 gift card