08-21-2015 12:24 PM - edited 03-11-2019 11:28 PM
Hello All,
I have a question regarding NATs on an ASA version 9.1.
We have several servers on the DMZ exposed to the Internet via static NATs to various IPs in the address range X.Y.Z.0/24. We want the users on the INSIDE to access the DMZ servers using the external IP addresses, i.e. X.Y.Z.0/24. Following a previous thread I know this can be configured for every DMZ machine, but the question I have is: can we configure this similar to the way I have it below? Please let me know.
object network DMZ-ANY
subnet 10.10.10.0 255.255.255.0
nat (DMZ,INSIDE) static X.Y.Z.0 255.255.255.0
There are already several NATs like this:
object network Machine-1-NAT
host 10.10.10.29
nat (DMZ,OUTSIDE) static X.Y.Z.41 255.255.255.255
Any help is appreciated,
Regards,
TJ
08-21-2015 02:31 PM
No, that won't work. The logic of a network NAT statement (with a mask like your 255.255.255.0) is that only the part gets NATed where the mask has a "1" (binary).
The host 10.10.10.27 would be reachable with the public IP X.Y.Z.27.
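To see what that rule produces for any host in the object, here is an added example written for this page (not Cisco code and not the thread author's configuration). It models a network-object static NAT as "network bits from the mapped subnet, host bits from the real address", and uses the documentation range 198.51.100.0/24 as a constructed stand-in for X.Y.Z.0/24. The second function checks whether a desired host-to-host mapping such as 10.10.10.29 to X.Y.Z.41 could ever come out of a /24 network NAT, or whether it needs its own per-host static NAT as in the Machine-1-NAT object.

```python
"""Model the host-preserving behaviour of an ASA network-object static NAT.

Added example, not Cisco's code and not from the thread. A static NAT with a
subnet mask translates only the bits where the mask is 1; the host bits of the
real address are carried through unchanged. 198.51.100.0/24 is a constructed
stand-in for the thread's X.Y.Z.0/24.
"""
import ipaddress


def static_network_nat(real_ip: str, real_subnet: str, mapped_subnet: str) -> str:
    """Return the mapped address that `nat (DMZ,INSIDE) static <mapped_subnet>`
    produces for `real_ip` when applied to `object network ... subnet <real_subnet>`.

    Network bits (mask = 1) come from the mapped subnet, host bits (mask = 0)
    come from the real address. Raises ValueError if the real IP is outside the
    object, or if the two subnets use different masks (assumption: the ASA
    requires the real and mapped ranges to be the same size).
    """
    real_net = ipaddress.ip_network(real_subnet, strict=False)
    mapped_net = ipaddress.ip_network(mapped_subnet, strict=False)
    addr = ipaddress.ip_address(real_ip)
    if addr not in real_net:
        raise ValueError(f"{real_ip} is not covered by object subnet {real_net}")
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("real and mapped subnets must use the same mask")

    all_ones = (1 << real_net.max_prefixlen) - 1  # works for IPv4 and IPv6 widths
    mask = int(real_net.netmask)
    host_bits = int(addr) & (~mask & all_ones)          # mask bits that are 0
    network_bits = int(mapped_net.network_address) & mask  # mask bits that are 1
    return str(ipaddress.ip_address(network_bits | host_bits))


def fits_network_nat(real_ip: str, mapped_ip: str, real_subnet: str, mapped_subnet: str) -> bool:
    """True if the desired host-to-host mapping is exactly what the network NAT
    already produces; False means a separate per-host static NAT is needed."""
    return static_network_nat(real_ip, real_subnet, mapped_subnet) == mapped_ip


if __name__ == "__main__":
    # Karsten's example: the host part .27 is preserved.
    print(static_network_nat("10.10.10.27", "10.10.10.0/24", "198.51.100.0/24"))
    # The thread's existing per-host mapping .29 -> .41 cannot come from a /24 network NAT.
    print(fits_network_nat("10.10.10.29", "198.51.100.41", "10.10.10.0/24", "198.51.100.0/24"))
```

The same function also shows why a mismatch cannot be fixed by tweaking the mask: with any mask, the host offset within the range is copied, so a DMZ host that should appear at a different offset (.29 versus .41) always needs its own host object.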
08-24-2015 07:10 AM
Thanks Karsten, I was thinking this would be the case but was not 100% sure.
08-24-2015 10:01 PM
Question: Why would you like to NAT the DMZ Private range to the INSIDE private range? Without NAT you can just route the traffic. This would be better for visibility between inside and DMZ networks. And the config is so much simpler.
08-21-2015 08:50 PM
Are you willing to assign dual IPs on your DMZ host, the real IP and the public IP?
If you are willing to do that, then it is possible.
08-24-2015 07:31 AM
Thanks Rizwan, the DMZ host is only assigned the private IP address. And I don't have access to the host to assign multiple IPs.
It's only NAT-ed at the firewall.
08-24-2015 07:46 AM
If you were to NAT to a different IP address, then naturally a host at the receiving end should have the given IP address; otherwise it makes no sense to NAT to a different IP address when there is no host with such an IP address.
Hope that answers.
thanks