cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1197
Views
0
Helpful
1
Replies

Basic questions about ASA static NAT configuration

Waterbird
Level 1
Level 1

I have questions about basic static NAT configuration. 

 

I have a host inside a DMZ and I want an outside host to be able to reach it.

 

I understand this is a typical scenario in which static NAT would be used, such as if you had a server in a DMZ that outside hosts need to access.  

 

I'm using the following configuration:

 

object network WEB-OUTSIDE 
   host 192.168.122.122  

object network WEB-INSIDE 

   host 11.1.1.2 

   nat (dmz,outside) static WEB-OUTSIDE 

 

The 11.1.1.2 host in the host in the DMZ.  I've set it to NAT to 192.168.122.122, which I'm using to represent a global IP  address for lab purposes. 

 

The outside host is 192.168.122.196 /24, and is directly connected, through a layer 2 switch, to the ASA outside interface.

 

The ASA outside interface is 192.168.122.121 /24.

 

My basic questions are:

1.  Is it correct, as I have done, to assign the global IP address of 192.168.122.122, which is not assigned to any host or interface, as the mapped address in the NAT configuration?  Or am I supposed to use the outside interface address on the ASA, which is 192.168.122.121?  I'm assuming since it is a server it should get it's on global IP address, and that this global IP address should not need to be assigned to any interface at all.

 

2. When I ping from the host on the outside Network to the host in the DMZ, am I supposed to ping the global IP address, 192.168.122.122, or the real IP address, 11.1.1.2?  I'm using the latest ASAv image.  It makes sense to me to use the global IP address, but want to confirm my understanding.

 

3.  Is this NAT configuration sufficient, or does there need to be another NAT statement to let traffic go the other way?  

1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

Your NAT setup is correct. You don't need a separate statement for the reverse direction.

In addition to NAT you need an access control list (ACL) entry to permit the traffic initiated from the outside to reach the inside.

Also, using ping to test isn't generally recommended since ASAs don't, by default, inspect icmp messages. Instead use an actual connectivity check like opening a web page on your server. That will use tcp/80 (or 443 for https) and be more representative of what you actually want (and you should allow only the required protocol and port(s) in your ACL).

Review Cisco Networking for a $25 gift card