Solved: For dynamic nat, it's better - Page 2

Rowlands Price · ‎06-07-2017

Hi Support,

I have a litte issue

I have a Cisco ASA 5525-x using version 8.6 (1)

My issue is that i cannot configure nat to allow users from Internet to access servers located on dmz1 and dmz4

The nat should use the outside ip interface.

outside ip: 172.16.1.1 (for testing)

dmz1; server ip: 192.168.46.15, ports must be used: https and 8080

Dmz4: server ip 192.168.35.2, port must be used: tcp 7909, 7910 and 7911

All servers from dmz must access internet.

Can you please help me regarding nat configuration?

Attached is my diagram

Francesco Molino · ‎06-08-2017

Ok now this is clear.

Remove the nat:

No nat (dmz-egov,outside) source dynamic dmz-egov_network interface

And replace by :

nat (dmz-egov,outside) after-auto source dynamic dmz-egov_network interface

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Rowlands Price · ‎06-08-2017

Hi Francesco,

It's working fine NOW

Many Thanks

That means, i will need to apply the same nat for all interfaces? (inside and dmz-etax)?

regards

Francesco Molino · ‎06-08-2017

For dynamic nat, it's better doing that way then you're sure it'll be the last statement will hit and no overlap with specific nats.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Rowlands Price · ‎06-08-2017

Ok, but what about others interfaces to go to internet?

About theses nat ?

nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface
nat (dmz-etax,outside) source dynamic dmz-etax_network interface

Rowlands Price · ‎06-08-2017

when i applied this, its not working again

nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface

Or i need inside nat to reach internet,

how to solve this please

Francesco Molino · ‎06-08-2017

Have you changed then with the after-auto keyword line the previous one?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Rowlands Price · ‎06-08-2017

Hi,

just changed the three nat with after-auto and it's working fine now

Thanks for your precious support

Best Regards

Francesco Molino · ‎06-09-2017

You're very welcome

Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Rowlands Price · ‎06-07-2017

Hi Francesco

Many Thanks,

why this line please:

this is a nat from outside to inside, this must be denied by default, or what please

nat (outside,inside) source static any any destination static interface dmz4-srv service Obj-Ports Obj-Ports

Cannot configuring NAT using outside interface ip to Two different dmz servers