
ASA Static NAT Question

CS5n531abu
Level 1

My inside network (with only one host at the moment) is being Dynamically PATed to reach my Border router. This is good because my inside hosts do not need to waste public IP addresses.

However, I'd like servers in my DMZ to have public IP addresses so users on the Internet can access them. I have 10 public addresses to work with so I intend to set these servers up with said addresses 1:1, SNAT.

What I don't understand is how I can set SNAT up on my ASA to pass my DMZ traffic through to my Border router. If a server in the DMZ, let's say my MAIL server (10.1.4.3) gets a public address at the ASA via SNAT (172.16.68.191), how can the ASA pass these packets to the Border on the 10.1.1.0 network?

Again, I'm looking to give my DMZ servers public addresses so they can send/receive traffic out to the Internet, but am lost on how this multitude of translations would be carried out. Would I somehow SNAT on the Border router? Thanks!

*I am aware that 172.16.68.191 is not a public address and am using the address for lab purposes*

[Attachment: topology.jpg]

3 Replies

Jouni Forss
VIP Alumni

Hi,

The ideal situation is of course that your actual public subnet/network is located directly between the ISP and the ASA.

Now the public network in your lab is not connected to the ASA "outside" interface.

So if you already have the public subnet on the Internet router towards the ISP, then you can't use those IP addresses on the ASA for Static NAT purposes.

It would seem to me that in this kind of setup the router would be doing the Static NAT as it holds the public subnet.

In some typical situations where we provide a router to a customer who has his own ASA firewall, we do the following

  • We configure a small /30 public subnet between ISP and ISP Router
  • The ISP Router LAN interface has the customer public subnet
  • The ISP Router LAN interface is connected to the ASA
  • The ASA can therefore use the public subnet for Static NAT purposes for example

To be honest I prefer doing all the NAT configurations on the ASA rather than router in front of it.

But in your current lab it would seem to me that you have to either do the private to public Static NAT on the router or change the setup so that the public subnet is located directly between your ASA and the ISP router.

- Jouni
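The ISP-router-plus-ASA layout described in the reply above, written out as an added configuration example; it is not part of the original thread or of Jouni's post. It assumes ASA 8.3 or later (object NAT syntax) and assumed addressing: 198.51.100.0/30 on the ISP link, the lab "public" block 172.16.68.0/24 on the router LAN with the router at .1 and the ASA outside at .2, an inside subnet of 10.1.2.0/24, and the MAIL server at 10.1.4.3 from the question. Interface names are also assumed.

```cisco
! ===== ISP router (IOS): holds the customer public block on its LAN side =====
interface GigabitEthernet0/0
 description WAN: small /30 towards the ISP (assumed 198.51.100.0/30)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN: customer public block 172.16.68.0/24, cabled to ASA outside
 ip address 172.16.68.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
! No NAT on this router. The public block is on-link here, and the ASA answers
! ARP (proxy ARP on its static mapping) for every public address it maps.

! ===== ASA (8.3+): all translation happens here =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.68.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.1.4.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.68.1
!
! 1:1 static NAT for the DMZ mail server: 10.1.4.3 <-> 172.16.68.191
object network MAIL-SERVER
 host 10.1.4.3
 nat (dmz,outside) static 172.16.68.191
!
! Inside hosts share the outside interface address (dynamic PAT), so they
! consume no public addresses.
object network INSIDE-NET
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! The static mapping alone opens nothing. On 8.3+ the interface ACL is
! matched against the REAL (untranslated) address, so the entry names
! the object holding 10.1.4.3, not 172.16.68.191.
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER eq smtp
access-group OUTSIDE-IN in interface outside
```

To check the result on the ASA, `show nat detail` lists the mapping and its hit counts, and `packet-tracer input outside tcp 203.0.113.5 1025 172.16.68.191 25` walks an inbound SMTP packet through untranslation and the OUTSIDE-IN ACL and reports whether it would be allowed. Anything else aimed at 172.16.68.191 (or at the PAT address) is dropped by the implicit deny at the end of the ACL.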

To prevent altering my current topology's extensive set of rules/routes/etc., I'm going to attempt to continue with the ISP's issued public address on the outside interface of my Border router. Still, I do understand the inherent ease of having this address assigned to the outside interface of the ASA.

Assuming SNAT would be configured on the Border, how does this sound for a solution:

     -Create a SNAT entry for each server on my DMZ in the ASA that translates to a special 10.1.1.0 address. Example: MAIL server (10.1.4.3) gets SNATed to 10.1.1.20.

     -SNAT again on my Border to translate 10.1.1.20 to public address 172.16.68.191

A bit redundant having 2 SNAT rules for this, but I think this could solve my original question given my current topology.

Hi,

To be honest if I was in the situation where I would simply have to settle for configuring public NAT configurations on the router then I would leave out ALL the NAT configurations on the ASA. There would really be no need for them as the router is already doing the most important ones towards the Internet.

Though if you remove all NAT configurations you will have to make sure that the router has a route for all the networks behind the ASA. So the router would have to have routes for the MGMT, DMZ and INSIDE networks pointing towards the ASA "outside" interface IP address.

Though this would naturally make the ASA configuration really simple.

As you say, it would be pretty redundant to have Static NAT configured twice for the hosts.

- Jouni
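The two outcomes this thread arrives at, written out as added configuration that is not taken from either poster: first the double translation proposed by the original poster (ASA maps 10.1.4.3 to 10.1.1.20, border router maps 10.1.1.20 to 172.16.68.191), then the accepted simplification with no NAT on the ASA and static NAT plus routes on the border router. Assumptions: ASA 8.3 or later; ASA outside 10.1.1.2 and border router LAN 10.1.1.1 on the 10.1.1.0/24 network from the question; the border WAN holds the ISP-issued lab address 172.16.68.190/24 with gateway 172.16.68.1; INSIDE 10.1.2.0/24 and MGMT 10.1.3.0/24 are invented subnets; interface names are assumed.

```cisco
! ===== Border router (IOS): interfaces shared by both variants =====
interface GigabitEthernet0/0
 description WAN: ISP-issued address (assumed 172.16.68.190/24)
 ip address 172.16.68.190 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN: 10.1.1.0/24 towards ASA outside (10.1.1.2)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 172.16.68.1

! ===== Variant A: the double translation proposed in the thread =====
! --- ASA: DMZ server mapped to a spare 10.1.1.0/24 address, inside PATed ---
object network MAIL-SERVER
 host 10.1.4.3
 nat (dmz,outside) static 10.1.1.20
!
object network INSIDE-NET
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! ACL matches the real address (8.3+), so it names the object, not 10.1.1.20
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER eq smtp
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.1
!
! --- Border router: second translation, 10.1.1.0/24 to the public block ---
! 10.1.1.20 lies on the router's own LAN subnet and the ASA proxy-ARPs for it,
! so the router needs no route to 10.1.4.0/24 in this variant.
ip nat inside source static 10.1.1.20 172.16.68.191
ip access-list standard PAT-SOURCES
 permit 10.1.1.0 0.0.0.255
ip nat inside source list PAT-SOURCES interface GigabitEthernet0/0 overload

! ===== Variant B: the accepted answer, no NAT on the ASA at all =====
! --- ASA: mappings removed; the ACL and default route stay ---
object network MAIL-SERVER
 host 10.1.4.3
 no nat (dmz,outside) static 10.1.1.20
object network INSIDE-NET
 no nat (inside,outside) dynamic interface
!
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER eq smtp
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.1
!
! --- Border router: it now sees real addresses, so it must route to every
! network behind the ASA via the ASA outside interface ---
! INSIDE via ASA outside
ip route 10.1.2.0 255.255.255.0 10.1.1.2
! MGMT via ASA outside
ip route 10.1.3.0 255.255.255.0 10.1.1.2
! DMZ via ASA outside
ip route 10.1.4.0 255.255.255.0 10.1.1.2
!
! One static entry per public server, straight from the real address
ip nat inside source static 10.1.4.3 172.16.68.191
!
! INSIDE and MGMT share the WAN address. Static entries take precedence over
! the overload list anyway, but leaving the DMZ out of it keeps a DMZ host
! without its own public address from silently going out on the WAN IP.
no ip access-list standard PAT-SOURCES
ip access-list standard PAT-SOURCES
 permit 10.1.2.0 0.0.0.255
 permit 10.1.3.0 0.0.0.255
ip nat inside source list PAT-SOURCES interface GigabitEthernet0/0 overload
```

Two things worth checking after either variant. The router answers ARP for 172.16.68.191 on the WAN only because that address falls inside the WAN interface's subnet; if the ISP instead routes the public block to the router, nothing on the WAN needs to ARP and the static entries still work. And the ASA remains the only stateful filter in the path: the border router's static entry forwards any port to the server, so the OUTSIDE-IN ACL on the ASA (which in both variants permits only SMTP to 10.1.4.3) is what actually limits exposure. `show ip nat translations` on the router and `show nat detail` on the ASA confirm which hops are translating; in Variant B the ASA should show no mappings at all.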
