11-01-2019 08:59 PM - edited 11-01-2019 09:00 PM
I have questions about basic static NAT configuration.
I have a host inside a DMZ and I want an outside host to be able to reach it.
I understand this is a typical scenario in which static NAT would be used, such as if you had a server in a DMZ that outside hosts need to access.
I'm using the following configuration:
object network WEB-OUTSIDE
 host 192.168.122.122
object network WEB-INSIDE
 host 11.1.1.2
 nat (dmz,outside) static WEB-OUTSIDE
The 11.1.1.2 host is the host in the DMZ. I've set it to NAT to 192.168.122.122, which I'm using to represent a global IP address for lab purposes.
The outside host is 192.168.122.196 /24, and is directly connected, through a layer 2 switch, to the ASA outside interface.
The ASA outside interface is 192.168.122.121 /24.
My basic questions are:
1. Is it correct, as I have done, to assign the global IP address of 192.168.122.122, which is not assigned to any host or interface, as the mapped address in the NAT configuration? Or am I supposed to use the outside interface address on the ASA, which is 192.168.122.121? I'm assuming since it is a server it should get its own global IP address, and that this global IP address should not need to be assigned to any interface at all.
2. When I ping from the host on the outside Network to the host in the DMZ, am I supposed to ping the global IP address, 192.168.122.122, or the real IP address, 11.1.1.2? I'm using the latest ASAv image. It makes sense to me to use the global IP address, but want to confirm my understanding.
3. Is this NAT configuration sufficient, or does there need to be another NAT statement to let traffic go the other way?
11-01-2019 10:09 PM
Your NAT setup is correct. You don't need a separate statement for the reverse direction.
In addition to NAT you need an access control list (ACL) entry to permit the traffic initiated from the outside to reach the inside.
Also, using ping to test isn't generally recommended since ASAs don't, by default, inspect icmp messages. Instead use an actual connectivity check like opening a web page on your server. That will use tcp/80 (or 443 for https) and be more representative of what you actually want (and you should allow only the required protocol and port(s) in your ACL).
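The reply above says the NAT statement is enough but that an ACL on the outside interface is still required and should permit only the server's real service ports. The following is an added example configuration written for this thread (it is not the poster's configuration or Cisco's own text): the object names, interface names and addresses come from the question, while the ACL name OUTSIDE-IN and the client source port 12345 in the packet-tracer line are assumptions. It also shows how to verify the NAT and ACL decision on the ASA itself instead of relying on ping.

```cisco
! Added example (not from the original post). Object names, interface
! names and addresses are from the thread; ACL name OUTSIDE-IN is assumed.
!
! The mapped address 192.168.122.122 is not assigned to any interface;
! the ASA answers ARP for it on the outside interface (proxy ARP) because
! of the static NAT rule, so no interface needs to own it.
object network WEB-OUTSIDE
 host 192.168.122.122
object network WEB-INSIDE
 host 11.1.1.2
 nat (dmz,outside) static WEB-OUTSIDE
!
! Since ASA 8.3 the access-list is evaluated against the REAL (untranslated)
! address, so the destination is WEB-INSIDE (11.1.1.2), not the mapped
! 192.168.122.122. Permit only the service the server actually provides.
access-list OUTSIDE-IN extended permit tcp any object WEB-INSIDE eq 80
access-list OUTSIDE-IN extended permit tcp any object WEB-INSIDE eq 443
access-group OUTSIDE-IN in interface outside
!
! Verification without a client: simulate a TCP SYN from the outside host
! (192.168.122.196, source port 12345 is a constructed value) to the mapped
! address on port 80. The output shows the NAT phase (UN-NAT to 11.1.1.2),
! the ACCESS-LIST phase and the final ALLOW/DROP decision.
packet-tracer input outside tcp 192.168.122.196 12345 192.168.122.122 80
!
! Inspect the NAT rule, its hit counts and any active translations.
show nat detail
show xlate
```

The same packet-tracer run with port 22 or with icmp instead of tcp should end in a DROP at the ACCESS-LIST phase, which is the quick way to confirm that the ACL is as tight as intended. If ICMP testing is still wanted, the reply's point holds: without `inspect icmp` in the global policy the ASA does not track echo replies as part of a connection, so a ping from outside is a weaker check than a real TCP connection to the service.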