
Cisco ASA 9.1, NAT question

mrthejaswi (Level 1)

Hello All,

I have a question regarding NATs on an ASA running version 9.1.

We have several servers on the DMZ exposed to the Internet via static NATs to various IPs in the range X.Y.Z.0/24. We want the users on the INSIDE to access the DMZ servers using the external IP addresses, i.e. X.Y.Z.0/24. Following a previous thread I know this can be configured for every DMZ machine, but my question is whether we can configure it similarly to the way I have it below. Please let me know.

 

object network DMZ-ANY
 subnet 10.10.10.0 255.255.255.0
 nat (DMZ,INSIDE) static X.Y.Z.0 255.255.255.0

There are already several NATs like this:

object network Machine-1-NAT
 host 10.10.10.29
 nat (DMZ,OUTSIDE) static X.Y.Z.41 255.255.255.255

Any help is appreciated,

 

Regards,

TJ

Accepted Solution

No, that won't work. The logic of a network NAT statement (with a mask like your 255.255.255.0) is that only the part gets NATed where the mask has a "1" (binary) in the mask.

The host 10.10.10.27 would be reachable with the public IP X.Y.Z.27.
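The mask rule in the accepted solution can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it models how a network-object static NAT with a subnet mask derives the mapped address (network bits from the mapped subnet, host bits copied from the real address), and then audits an existing list of per-host static NATs for hosts whose current mapped address would change under the proposed subnet NAT. The public range X.Y.Z.0/24 from the thread is stood in for by the documentation range 203.0.113.0/24, and the second host entry is constructed for illustration; both are assumptions.

```python
import ipaddress

# Assumed stand-ins for the thread's values: 10.10.10.0/24 is the DMZ real subnet,
# 203.0.113.0/24 replaces the poster's X.Y.Z.0/24 (documentation range, not real data).
DMZ_REAL_NET = ipaddress.ip_network("10.10.10.0/24")
MAPPED_NET = ipaddress.ip_network("203.0.113.0/24")

# Existing per-host static NATs: real host -> mapped IP.
# 10.10.10.29 -> .41 is taken from the thread (Machine-1-NAT);
# 10.10.10.27 -> .27 is a constructed entry that happens to agree with the mask rule.
EXISTING_HOST_NATS = {
    "10.10.10.29": "203.0.113.41",
    "10.10.10.27": "203.0.113.27",
}


def net_static_translate(real_ip, real_net, mapped_net):
    """Model a subnet-to-subnet static NAT ('nat (a,b) static <net> <mask>').

    Bits where the mask is 1 are taken from the mapped network; bits where the
    mask is 0 (the host portion) are copied unchanged from the real address.
    """
    real_ip = ipaddress.ip_address(real_ip)
    if real_ip not in real_net:
        raise ValueError(f"{real_ip} is not inside the real subnet {real_net}")
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("real and mapped subnets must be the same size for a static net-to-net NAT")
    host_bits = int(real_ip) & int(real_net.hostmask)
    return ipaddress.ip_address(int(mapped_net.network_address) | host_bits)


def find_conflicts(host_nats, real_net, mapped_net):
    """Return (real, existing_mapped, subnet_derived) for every per-host NAT whose
    current mapped address differs from what the subnet NAT would produce."""
    conflicts = []
    for real, mapped in host_nats.items():
        derived = net_static_translate(real, real_net, mapped_net)
        if derived != ipaddress.ip_address(mapped):
            conflicts.append((real, mapped, str(derived)))
    return conflicts


if __name__ == "__main__":
    for real in EXISTING_HOST_NATS:
        print(f"{real} -> {net_static_translate(real, DMZ_REAL_NET, MAPPED_NET)}")
    for real, existing, derived in find_conflicts(EXISTING_HOST_NATS, DMZ_REAL_NET, MAPPED_NET):
        print(f"conflict: {real} currently maps to {existing}, subnet NAT would give {derived}")
```

Running it shows that 10.10.10.27 maps to 203.0.113.27 as the answer states, while 10.10.10.29 would be reachable as 203.0.113.29 rather than the .41 address the existing OUTSIDE NAT uses, which is exactly why a single subnet statement cannot reproduce the per-host mappings.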

6 Replies

Thanks Karsten, I was thinking this would be the case but was not 100% sure.

Question: Why would you like to NAT the DMZ Private range to the INSIDE private range? Without NAT you can just route the traffic. This would be better for visibility between inside and DMZ networks. And the config is so much simpler.

rizwanr74 (Level 7)

Are you willing to assign dual IP on your dmz host, real-ip and public IP?

If you are willing to do that, then it is possible.

Thanks Rizwan, the DMZ host is only assigned the private IP address, and I don't have access to the host to assign multiple IPs.

It's only NATed at the firewall.

If you were to NAT to a different IP address, then naturally a host at the receiving end should have the given IP address; otherwise it makes no sense to NAT to a different IP address when there is no host with such an IP address.

Hope that answers.

thanks
