Inside host NAT - Help!!!

Limitless1801
Level 1

Hi,

I was recently given the responsibility of our company's firewall. Even though our firewall is managed by a vendor, I want to understand the whole concept behind it, so feel free to provide as much feedback as you can. I have some knowledge about NAT/PAT, access-lists, etc., but there is something I still can't grasp.

Let me explain. The majority of the hosts with outside access are sitting on our DMZ with a NAT to a public IP address. Now, I have an inside FTP server (IP 172.19.20.20) that needs to talk to a DMZ device (vendor device IP 192.168.20.20). How do I NAT 172.19.20.20 to a different IP without affecting communication with other hosts in the DMZ?

The next question is, should the FTP server be on the inside? How do you guys do it out there?

Thanks in advance. RG


Julio Carvajal
VIP Alumni

Hello,

In order to go from a higher security level to a lower security level with NAT control enabled, you need to have a NAT entry in order to do it. If the connection will always be initiated from the inside to the DMZ, dynamic NAT or PAT (outbound) will work for you. If you need connectivity from the DMZ (lower security level) to the inside, you will need to have a static NAT rule (bi-directional) and an ACL on the DMZ interface allowing that traffic.

Now, regarding where the FTP server should be, that depends on the security approach you are looking for in your network. I would place it on the inside and I would restrict the incoming traffic so that just the DMZ host can access that particular device.

You will also need to enforce the security approach from the outside to the DMZ host, because if a host on the outside can compromise the DMZ host he will be able to access the FTP server.

Please rate helpful posts.

Hope this helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Would it be OK to say that this static NAT rule is going to affect all the DMZ hosts that need access to the internal FTP server? In other words, DMZ hosts need to point to the NAT IP instead of the internal IP.

Another question: I have a vendor router that sits on the DMZ with the following IP: 192.168.10.34. I have an ACL statement permitting traffic from 192.168.10.34 to an inside host 172.31.1.73. The vendor used 192.168.10.35 to create a NAT statement so I couldn't see their source IP addresses. How did they do that? The traffic will go from the inside host to the DMZ, but how does it know it needs to get through the vendor's router to get to the other side when this IP belongs to us?

Thanks for all your help. RG

Hello,

The static rule will be from the inside server to the DMZ host, so it will affect all users on the DMZ, but remember none of them will be able to access that server unless you configure that access on the ACL on the DMZ interface, so you can restrict the access to that server on the inside.

That is the whole purpose of NAT (it will hide your local network environment); that is how your vendor did it.

Regarding the other question: you do not know what the subnet IP range behind the DMZ vendor's router is, right? (So you cannot configure a static route.)

In that case you will need to do an identity NAT on the ASA, so the ASA now knows that in order to get to 192.168.10.35 it has to go through the DMZ interface.

Example:

```
! Identity NAT on the ASA (pre-8.3 syntax): 192.168.10.35 is presented on the inside unchanged,
! so the ASA knows that address lives behind the dmz interface.
static (dmz,inside) 192.168.10.35 192.168.10.35 netmask 255.255.255.255
```

Now the inside users will know that if they want to go to 192.168.10.35 they will need to go across the DMZ interface.

Any other question just let me know

Please rate helpful posts.

Julio!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
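The three pieces Julio describes (outbound PAT from inside to DMZ, a bi-directional static NAT for the FTP server with a restrictive ACL on the DMZ interface, and the identity NAT for the vendor's 192.168.10.35), written out as one pre-8.3 ASA configuration. This is an added example, not configuration from the thread; the mapped address 192.168.20.100, the interface names `inside`/`dmz`, the ACL name `DMZ_IN` and the inside range 172.19.0.0/16 are assumptions.

```text
! --- 1. Outbound dynamic PAT: inside hosts reach the DMZ behind the ASA's dmz interface address.
!        Satisfies nat-control for connections that are always started from the inside.
nat (inside) 1 172.19.0.0 255.255.0.0
global (dmz) 1 interface

! --- 2. Static (bi-directional) NAT for the inside FTP server.
!        Real 172.19.20.20 appears in the DMZ as the assumed mapped address 192.168.20.100;
!        DMZ hosts must connect to 192.168.20.100, never to the real inside address.
static (inside,dmz) 192.168.20.100 172.19.20.20 netmask 255.255.255.255

! --- 3. ACL on the dmz interface: only the vendor device may open FTP to the server's mapped
!        address. Everything else from the DMZ toward the inside range is denied and logged,
!        so a compromised DMZ host cannot reach anything but the one translated service.
access-list DMZ_IN extended permit tcp host 192.168.20.20 host 192.168.20.100 eq ftp
access-list DMZ_IN extended deny ip any 172.19.0.0 255.255.0.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz

! --- 4. Identity NAT for the vendor's address: 192.168.10.35 is not translated, but the entry
!        tells the ASA that it is reached through the dmz interface (no static route needed).
static (dmz,inside) 192.168.10.35 192.168.10.35 netmask 255.255.255.255

! --- 5. FTP inspection must stay enabled so the data channel is rewritten to match the
!        translated control channel (it is part of the default global policy on the ASA).
policy-map global_policy
 class inspection_default
  inspect ftp
```

Verify the result with `show xlate` and `packet-tracer input dmz tcp 192.168.20.20 1025 192.168.20.100 21`, which walks the ACL and NAT phases for the vendor-to-FTP flow and shows any step that drops it.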