ASA virtual IP concept

lonelyadmin · ‎06-18-2019

Coming from a netscreen/junos background...

For allowing access to the inside from a DMZ IP I'd usually configure a VIP using an IP in the DMZ network that would map/nat to an IP on the inside interface and apply the appropriate acl/policies to that mapping. This would keep, somewhat, our internal IP schema from DMZ assets...less info is better, right?

I can't for the life of me figure out how to do this on the ASA. All the examples I find just do a typical NAT to where the DMZ server communicates directly with your internal IP.

It looks like to create any virtual IP you have to create a subinterface and then configure the NAT and ACLs to that. Is that how to do this on an ASA? It just didn't seem right to me.

ASA 5516X running 9.10

Thanks.

Marvin Rhoads · ‎06-18-2019

Try something like this 1-1 static NAT rule:

nat (inside,dmz) source static <original inside source IP> <original source ip> destination static <NAT address using an unused DMZ address> <NAT address using an unused DMZ address>

...and then allow access to the original source IP in an access-list that's applied inbound on the DMZ interface.

stownsend · ‎02-28-2021

What if the Inside IP is not on an Interface directly? I need to do something similar where I need to have a Public IP mapped to an IP Internally that is a Hop away from the ASA so the ASA does not have an interface in the Subnet. It can get to the Subnet and the AnyConnect Clients can. Just not sure how to NAT to an IP that is not Local to the ASA.

Thanks!

Marvin Rhoads · ‎02-28-2021

As long as the ASA has a route to the internal subnet (and vice versa), there's no issue NATting that way. In fact, that's more often than not the case with any ASA deployment that services more than a single internal subnet.