
Help with NAT/Route issues

heather.burke
Level 1

Ok, so we were able to get up and running getting out to the network, and to our DMZ.  But on live testing, we found that our DMZ can't get back to the inside, and it appears that outside can't get into our web server.

We are using the dynamic NATs that were suggested to solve our original problem, but it seems like they may not allow traffic to flow the other way?  I'll confess that I am a little confused on the whole NAT logic.   Each time I think I'm understanding it, something like this crops up and I'm lost again!  (same thing with static routes, actually)

So, we want to be able to go from inside to outside, from outside to inside (web server specific), inside to DMZ and DMZ to inside.  What is the best way to allow that to happen?

Here is our config:  (the access lists are pretty wide atm, since at first we believed the problem to be that, but now I think it's NAT/Route, please correct me if this is wrong!)


access-list INSIDE_access_in extended permit tcp any any eq www inactive
access-list INSIDE_access_in extended permit object-group ALLSERVICES any any
access-list INSIDE_access_in extended permit udp any any eq domain
access-list INSIDE_access_in remark ALLOWS ANY INTERNAL HOST TO CONNECT TO INTERNET
access-list INSIDE_access_in extended permit object-group WebServicePlus 192.168.204.0 255.255.255.0 any
access-list INSIDE_access_in remark ALLOW ADMINS TO PING, TRACEROUTE, ETC.  TO ANY DESTINATION.
access-list INSIDE_access_in extended permit icmp object-group Admins any
access-list INSIDE_access_in remark ALLOW INSIDE HOSTS TO ACCESS TRD - HELPSTAR USING SEVERAL SERVICES.
access-list INSIDE_access_in extended permit object-group HELPSTARGROUP 192.168.204.0 255.255.255.0 object HELPSTAR
access-list INSIDE_access_in extended permit object-group ALLSERVICES object-group Admins interface management
access-list INSIDE_access_in remark test rule for web connectivity.
access-list INSIDE_access_in extended permit object-group WebServicePlus 192.168.2.0 255.255.255.0 any
access-list INSIDE_access_in remark ALLOWS SMTP OUT
access-list INSIDE_access_in extended permit object-group MailServices object obj-192.168.204.0 any
access-list INSIDE_access_in extended permit object-group ALLSERVICES any 172.20.204.0 255.255.255.0
access-list INSIDE_access_in extended permit object-group ALLSERVICES any interface DMZ
access-list INSIDE_access_in extended permit object-group DMZSQLSERVICES 192.168.204.0 255.255.255.0 172.20.204.0 255.255.255.0
access-list OUTSIDE_access_in_1 extended permit object-group HTTPHTTPS 10.0.204.0 255.255.255.0 any
access-list OUTSIDE_access_in_1 remark ALLOW SLO HOSTS TO ACCESS XWD FOR TESTING
access-list OUTSIDE_access_in_1 extended permit object-group HTTPHTTPS object-group SLO object ONGARDWD
access-list OUTSIDE_access_in_1 remark ALLOW ACCESS FROM EXTERNAL IP ADDRESS TO INTERNAL IP ADDRESS ON XW
access-list OUTSIDE_access_in_1 extended permit tcp object X object O-NIC2 eq www
access-list OUTSIDE_access_in_1 extended permit icmp host 10.0.7.1 any
access-list OUTSIDE_access_in remark ALLOW SLO TESTERS TO COMMUNICATE WITH X.
access-list OUTSIDE_access_in remark ALLOW SLO TESTERS TO COMMUNICATE WITH X
access-list OUTSIDE_access_in extended permit object-group HTTPHTTPS 10.0.204.64 255.255.255.192 host 192.168.204.55
access-list DMZ_access_in remark ALLOWS INTERNAL HOSTS TO CONNECT TO MAINFRAME
access-list DMZ_access_in extended permit object-group MainframeServices 192.168.204.0 255.255.255.0 any
access-list DMZ_access_in remark ALLOW INTERNAL HOSTS TO CONNECT TO DMZ/PERIMETER
access-list DMZ_access_in extended permit object-group ALLSERVICES 192.168.204.0 255.255.255.0 172.20.204.0 255.255.255.192
access-list DMZ_access_in extended permit object-group ALLSERVICES object-group DMZCOMPUTERS any
access-list DMZ_access_in remark ALLOW DMZ COMPUTERS TO TALK TO INTERNAL
access-list DMZ_access_in extended permit object-group INTERNALSERVICES object-group DMZCOMPUTERS 192.168.204.0 255.255.255.0
access-list DMZ_access_in remark ALLOWS DMZ SQL SERVERS TO TALK TO INSIDE HOSTS
access-list DMZ_access_in extended permit object-group DMZSQLSERVICES object-group DMZSQLSERVERS 192.168.204.0 255.255.255.0
access-list DMZ_access_in remark ALLOWS ALL DMZ SERVERS TO BE BACKED UP VIA XBK.
access-list DMZ_access_in extended permit object-group BACKUPEXEC object DMZNETWORK 192.168.204.0 255.255.255.0
access-list DMZ_access_in remark ALLOW PINGBACK FROM DMZ
access-list DMZ_access_in extended permit icmp object 172.20.204.0 any
access-list DMZ_access_in extended permit object-group ALLSERVICES 172.20.204.0 255.255.255.0 192.168.204.0 255.255.255.0
access-list DMZ_access_in extended permit object-group DMZSQLSERVICES 172.20.204.0 255.255.255.0 object ONGARDW
access-list DMZ_access_in extended permit object-group ALLSERVICES host 172.20.204.41 object XW-NIC2
access-list INSIDE_nat0_outbound extended permit ip any 192.168.204.240 255.255.255.240
pager lines 24
logging enable
logging console emergencies
logging asdm informational
logging class auth console errors
logging class sys console errors
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPBNIPPOOL 192.168.204.240-192.168.204.250 mask 255.255.255.0
ip local pool VPNTESTPOOL 192.168.2.100-192.168.2.114 mask 255.255.255.240
failover
failover lan unit primary
failover lan interface HEARTBEAT Ethernet0/3
failover link HEARTBEAT Ethernet0/3
failover interface ip HEARTBEAT 10.1.1.1 255.255.255.0 standby 10.1.1.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any INSIDE
icmp permit any management
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,OUTSIDE) source static any any destination static OBJ-VPBNIPPOOL OBJ-VPBNIPPOOL
nat (OUTSIDE,INSIDE) source static X.X.X.destination static ON-NIC2 description TRANSLATE INCOMING EXTERNAL IP ADDRESS TO INTERNAL IP ADDRESS
nat (INSIDE,OUTSIDE) source dynamic 192.168.2.0 interface
!
object network OBJ-192.168.204.0
nat (INSIDE,OUTSIDE) dynamic interface
object network TESTOBJ-192.168.204.0
nat (INSIDE,DMZ) dynamic interface
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
access-group DMZ_access_in in interface DMZ
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.204.65 1
route DMZ 192.168.204.84 255.255.255.255 192.168.204.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact

Thanks!

3 Replies

Jennifer Halim
Cisco Employee

Can you please share the following:

1) What is your inside subnet?

2) What is your DMZ subnet?

3) What public IP Address you would like to NAT your DMZ web server to so it can be accessible from the outside/internet?

Jennifer,

I work with Heather, and she's off this morning.   But here is what I can tell you:

Inside subnet is:   192.168.204.0/24

DMZ Subnet is:   172.20.204.0/24

Sorry, but the external IP address is confidential.   We are not allowed to release it.

Why not just use:      10.1.1.0/24 ?

Thanks very much!

Jennifer,

Sorry,

You asked for a single IP to NAT to.   Why not use:

10.1.1.71 ?

Thanks!
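The four flows asked for in the original post (inside to outside, outside to the DMZ web server, inside to DMZ, and DMZ back to inside), together with the public-address question raised in the replies, as one added example. This is editor-supplied configuration, not from the original post, the replies, or Cisco; it uses the same ASA 8.3+ object/twice NAT syntax the posted config already uses. The inside subnet 192.168.204.0/24 and DMZ subnet 172.20.204.0/24 come from the thread; the web server address 172.20.204.10, the inside SQL host 192.168.204.50 and the public address 203.0.113.10 (RFC 5737 documentation range) are placeholders and must be replaced. A placeholder is used for the public side rather than 10.1.1.71 because the posted config already puts 10.1.1.0/24 on the failover HEARTBEAT link (the `failover interface ip HEARTBEAT 10.1.1.1 ...` line), so an address from that range would collide with it.

```cisco
! Added example, not from the original post. ASA 8.3+ NAT for the four flows.
! ASSUMED values: 172.20.204.10 (DMZ web server), 192.168.204.50 (inside SQL),
! 203.0.113.10 (public address placeholder). Subnets are from the thread.
!
! ---------- Objects ----------
object network INSIDE-NET
 subnet 192.168.204.0 255.255.255.0
object network DMZ-NET
 subnet 172.20.204.0 255.255.255.0
object network DMZ-WEB
 host 172.20.204.10
object network DMZ-WEB-PUBLIC
 host 203.0.113.10
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! ---------- 1) Inside <-> DMZ: identity NAT, no translation either way ----------
! A dynamic PAT such as "nat (INSIDE,DMZ) dynamic interface" hides every inside
! host behind the DMZ interface address, so DMZ hosts have no real address to
! connect back to. A twice-NAT identity rule keeps the real addresses and is
! bidirectional, so the one rule also covers sessions the DMZ initiates.
nat (INSIDE,DMZ) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
!
! ---------- 2) Outside -> DMZ web server: static 1:1 object NAT ----------
! Object (auto) NAT is also bidirectional: the server goes out as 203.0.113.10,
! and connections from the outside to 203.0.113.10 land on 172.20.204.10.
object network DMZ-WEB
 nat (DMZ,OUTSIDE) static DMZ-WEB-PUBLIC
!
! ---------- 3) Inside -> Outside: dynamic PAT behind the outside interface ----------
! Twice NAT (section 1) is matched before object NAT (section 2), so the
! inside->DMZ rule above wins and inside->DMZ traffic is never PATed.
object network INSIDE-NET
 nat (INSIDE,OUTSIDE) dynamic interface
!
! ---------- Outside ACL ----------
! On 8.3+ an interface ACL matches the REAL (untranslated) address, so the
! rule names the DMZ server object, not the public address.
access-list OUTSIDE_access_in extended permit tcp any object DMZ-WEB object-group WEB-PORTS
access-group OUTSIDE_access_in in interface OUTSIDE
!
! ---------- DMZ ACL: only what DMZ servers need on the inside ----------
! Permit the specific DMZ->inside flow, then explicitly deny (and log) the
! rest of DMZ->inside BEFORE the broad permit that lets the DMZ reach the
! internet; otherwise the broad permit covers the inside network as well.
access-list DMZ_access_in extended permit tcp object DMZ-WEB host 192.168.204.50 eq 1433
access-list DMZ_access_in extended deny ip object DMZ-NET object INSIDE-NET log
access-list DMZ_access_in extended permit tcp object DMZ-NET any eq www
access-list DMZ_access_in extended permit tcp object DMZ-NET any eq https
access-group DMZ_access_in in interface DMZ
!
! ---------- Checks (exec mode) ----------
! Each packet-tracer run should end with "Action: allow" and show the NAT
! phase that matched; "show nat detail" shows per-rule hit counts.
packet-tracer input DMZ tcp 172.20.204.10 40000 192.168.204.50 1433
packet-tracer input INSIDE tcp 192.168.204.20 40000 172.20.204.10 80
packet-tracer input OUTSIDE tcp 198.51.100.7 40000 203.0.113.10 80
show nat detail
show xlate
```

The `packet-tracer` lines are the quickest way to see which NAT rule and ACL entry a given flow hits, and which one drops it. One more thing worth checking against the posted config: it carries `route DMZ 192.168.204.84 255.255.255.255 192.168.204.1 1`, a host route for an address inside the connected inside /24 that points out the DMZ interface. A connected subnet does not need a host route, and a stray one like this can send traffic for that host out the wrong interface.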
