05-16-2012 07:35 AM - edited 03-11-2019 04:07 PM
Hi,
I'm having an issue configuring NAT on an ASA running 8.3. Hopefully someone can point me in the right direction.
I've managed to configure NAT from the Inside interface to the DMZ, using PAT, so that the traffic is hidden behind the IP of the DMZ interface. This seems to work ok.
object network obj_any-18
subnet 0.0.0.0 0.0.0.0
object network obj_any-18
nat (inside,dmz1.005) dynamic interface
The problem I have is when I try to configure a rule for traffic that originates in the DMZ back to the Inside. I can't seem to get any traffic to flow from the DMZ to the Inside, and sometimes I manage to stop traffic flowing in both directions!
What would be the best way to configure the return traffic from the DMZ to the Inside?
Thanks,
Paul
05-16-2012 07:43 AM
I hope you're not using the same network object again for it, since you cannot do that with auto NAT. Try this:
object network obj_any-100
subnet 0.0.0.0 0.0.0.0
nat (dmz1.005,inside) dynamic interface
Moreover, what device are you using? Is it a 5505? What license does it have?
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-16-2012 07:54 AM
Hi Varun,
I tried that config already using a different, unused 0.0.0.0 0.0.0.0 object. When applied, traffic doesn't flow in either direction; when removed, traffic flows from the inside to the DMZ as per the config above.
I'm using a Cisco ASA 5510 with a Security Plus license.
Thanks,
Paul
05-16-2012 07:55 AM
Can you share your configuration?
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-16-2012 08:04 AM
Do you just want the NAT parts, or the entire config?
05-16-2012 08:22 AM
NAT, routes and ACLs should be fine.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-16-2012 08:54 AM
Hi Varun,
ACLs and NAT config attached. All routing is learnt via OSPF.
The NAT statements in the config are all from the 8.3 upgrade process, with the exception of the Inside, dmz1.005 statements.
Thanks
Paul
05-16-2012 09:14 AM
Hi Paul,
Can you please tell me the purpose of this NAT statement in your configuration:
nat (dmz1.005_8.3_nat_test,inside) source static net_dmz1.005 net_dmz1.005 destination static grp_dmz1.005_nonat grp_dmz1.005_nonat unidirectional
I guess this might interfere. Can you do this: add a NAT
nat (dmz1.005_8.3_nat_test,inside) 1 source dynamic any interface
and test again.
I might need your complete configuration to check other things, you can PM me if you want.
Thanks,
Varun Rao
Security Team,
Cisco TAC
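As an added example that is not part of this thread (and not Varun's or Paul's configuration), the two-object approach from the first reply and the Section 1 rule discussed just above, written out as ASA 8.3+ config with constructed object names and addresses, followed by the CLI checks that show which rule a packet actually hits:

```text
! Added example, not from the thread. Object names and the 10.0.0.0/24
! and 192.0.2.0/24 addresses used in the verification commands are constructed.
!
! Object NAT (Section 2): an object can carry only one nat statement, so the
! reverse direction needs its own object rather than reusing obj_any-18.
object network inside_to_dmz_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,dmz1.005) dynamic interface
!
object network dmz_to_inside_any
 subnet 0.0.0.0 0.0.0.0
 nat (dmz1.005,inside) dynamic interface
!
! Manual NAT (Section 1) is evaluated before object NAT (Section 2). A rule like
!   nat (dmz1.005,inside) 1 source dynamic any interface
! placed at position 1 matches every dmz1.005->inside connection first, so the
! dmz_to_inside_any object rule above is never reached while it is present.
! Keep Section 1 free of catch-all rules while testing the object rules.
!
! Verification (exec mode):
!   show nat detail      - rule order per section and per-rule hit counts
!   show xlate           - live translations, confirms which interface IP is used
!   packet-tracer input inside    icmp 10.0.0.10  8 0 192.0.2.20 detailed
!   packet-tracer input dmz1.005  icmp 192.0.2.20 8 0 10.0.0.10  detailed
! Each packet-tracer run prints the NAT phase with the exact rule matched and
! an ALLOW/DROP result, which is faster than pinging and guessing.
```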
05-16-2012 11:33 AM
Hi Varun,
I think that may have been left in there whilst I was testing!
I'll remove it and add the nat you suggested, but I can't do that until I'm back in the office tomorrow am.
Thanks for your help so far.
Paul
05-16-2012 11:41 AM
No issues, do let me know how it goes.
05-17-2012 01:38 AM
Hi Varun,
I have removed the NAT statement below from the config:
nat (dmz1.005_8.3_nat_test,inside) source static net_dmz1.005 net_dmz1.005 destination static grp_dmz1.005_nonat grp_dmz1.005_nonat unidirectional
And then added:
nat (dmz1.005_8.3_nat_test,inside) 1 source dynamic any interface
Traffic now doesn't flow in either direction.
If I disable the new NAT statement, I can ping from the inside to dmz1.005, and the IP is hidden behind the dmz1.005 interface, but I can't ping in the other direction.
Do you want me to PM you the config?
Paul
05-17-2012 01:50 AM
Hi Paul,
Yes please, you can PM me the config; I'll try it at my end.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-17-2012 07:42 AM
Hi Varun,
Did you get my PM ok?
Thanks,
Paul