Interoperability ASA routing and nat with the same zones

Hello,

I have a problem. I am migrating a Fortinet firewall to an ASA5540 with inside (192.0.0.0/24), dmz (192.168.0.0/24), and outside (x.x.x.x), but the users of the inside network gain access to the application in two ways: the first way is through routing between inside and dmz, for example 192.0.0.200 to 192.168.0.20, and the other way is through static NAT between inside and dmz, for example 192.0.0.200 to 192.0.0.20 (192.168.0.20 static NAT). Is it possible to configure that in Cisco? Because when I configure only firewall routing the first way is OK, but when I add the second way only NAT works!

Regards,

Alvaro


10 Replies

Maykol Rojas
Cisco Employee

Alvaro,

What application are you talking about, and where is it located? If Spanish is better for you, please feel free to post in it; I speak Spanish as well.

Mike.

Hello Maykol,

The problem is that I am migrating a Fortinet firewall to an ASA5540, but the Fortinet firewall has 3 zones: inside (192.0.0.0/24), dmz (192.168.0.0/24), and outside (z.z.z.z), and there is a peculiarity in how applications are accessed from the inside network. A workstation 192.0.0.200 connects to the application in the dmz in two ways: one through routing to 192.168.0.22, and the other through the IP 192.0.0.22, which uses NAT from the dmz to the inside, that is, 192.168.0.22 -> 192.0.0.22. On the FortiGate this works without any problem, but on the ASA you can only configure one of the two between 2 networks, either NAT or routing. I need to know whether the ASA supports this and how to do it.

The Fortinet configuration is not that complex, but strangely the ASA cannot do what I describe, and that duality can only be done with the Fortinet. To give you an idea: I have tried configuring only routing on the ASA and the dmz communicates with the inside, but when I enable NAT between those same networks it stops routing.

Regards,

Alvaro

I think I understand now. Can you paste the NAT you are doing here? And another thing: do you want to be able to connect from the inside both to the real address and to the translated one?

Regards.

Mike

Hello Maykol,

I am sending the ASA configuration. The answer is YES, it is necessary. The network is set up that way and the Fortinet handled this configuration. It is odd, because the purpose of NAT is to hide IP addresses by accessing them through another one, but in this case this peculiarity of accessing both is what is wanted.

Regards,

Alvaro

Hello,

Try this:

access-list policy-nat permit ip host 192.168.0.22 any
access-list policy-nat2 permit ip host 192.168.0.22 any
static (dmz,inside) 192.168.0.22 access-list policy-nat
static (dmz,inside) 192.0.0.22 access-list policy-nat2

Let me know if it works for you.

Regards.

Mike
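The following is an added example, not code from the thread or from Cisco: a small Python model of how the pre-8.3 ASA policy static NAT lines above resolve a destination, used to check that an inside host reaches the same real dmz server via both 192.168.0.22 (identity static) and 192.0.0.22 (translated), and to flag the one thing the ASA will not accept, two statics on the same interface pair reusing a mapped address. The config text is constructed from the answer; only host-only ACL sources are handled (an assumption).

```python
import re

# Constructed sample config: the two-ACL / two-static answer from this thread.
ASA_CONFIG = """
access-list policy-nat permit ip host 192.168.0.22 any
access-list policy-nat2 permit ip host 192.168.0.22 any
static (dmz,inside) 192.168.0.22 access-list policy-nat
static (dmz,inside) 192.0.0.22 access-list policy-nat2
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")

def parse_policy_statics(config):
    """Return (real_ifc, mapped_ifc, real_host, mapped_ip) tuples from
    pre-8.3 policy static NAT lines. Assumes host-only ACL sources."""
    acl_src, statics = {}, []
    for line in config.strip().splitlines():
        line = line.strip()
        if (m := ACL_RE.match(line)):
            acl_src[m.group(1)] = m.group(2)
        elif (m := STATIC_RE.match(line)):
            real_ifc, mapped_ifc, mapped_ip, acl = m.groups()
            if acl not in acl_src:
                raise ValueError(f"static references undefined ACL {acl}")
            statics.append((real_ifc, mapped_ifc, acl_src[acl], mapped_ip))
    return statics

def mapped_conflicts(statics):
    """Mapped addresses must be unique per interface pair: a second static
    that reuses one conflicts with the first and is rejected."""
    seen = {}
    for real_ifc, mapped_ifc, real_host, mapped_ip in statics:
        seen.setdefault((real_ifc, mapped_ifc, mapped_ip), []).append(real_host)
    return {key[2] for key, hosts in seen.items() if len(hosts) > 1}

def resolve_destination(statics, from_ifc, dst_ip):
    """Real host reached by a packet arriving on from_ifc toward dst_ip:
    the mapped address is untranslated to the real one; an identity static
    (mapped == real) leaves routed traffic unchanged."""
    for real_ifc, mapped_ifc, real_host, mapped_ip in statics:
        if mapped_ifc == from_ifc and mapped_ip == dst_ip:
            return real_host
    return dst_ip  # no static matched: plain routing

if __name__ == "__main__":
    st = parse_policy_statics(ASA_CONFIG)
    for dst in ("192.168.0.22", "192.0.0.22"):
        print(f"inside -> {dst} reaches {resolve_destination(st, 'inside', dst)}")
    print("mapped-address conflicts:", mapped_conflicts(st) or "none")
```

On a real box the equivalent check is packet-tracer from the inside interface toward each of the two addresses; the model only shows why both land on the same server.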

Can you please describe the complete matter here in English?

Ray, Here it is.

Hello Maykol,
The problem is that I'm migrating a Fortinet firewall ASA5540, but it appears that the Fortinet firewall has 3 parts inside (192.0.0.0/24), dmz
(192.168.0.0/24) and outside (zzzz), so it is a peculiarity with access to applications from inside the network. Communication between 192.0.0.200 station connects to the application that is in the dmz of two ways: through routing to another travez 192.168.0.22 and the ip 192.0.0.22 that uses nat from the dmz to the inside, ie 192.168.0.22 -> 192.0.0.22. The FortiGate is no problem, but the ASA can only be set between 2 networks or nat or routing. I need to know if the ASA supports this and how.

Fortinet configuration is not complex, but strangely in the ASA can not do what I mention and you can only do this duality with Fortinet, on the other side to give you an idea. I've tried just configuring routing on the ASA and the DMZ is connected to the inside, but when I enable the nat or between these networks and routing stops.
Regards,
Alvaro

I think I understand, you can paste the nat you are doing here, and another thing, we want to connect to both the real as well as the translation from the inside?

Greetings.
Mike

Hello Maykol,

Shipping ASA configuration. YES, it is necessary. The network is well and Fortinet to this configuration. It's weird because the purpose of NAT is to hide IP addresses accessed through another, but in this case is to this peculiarity of access to both.

Regards,
Alvaro

access-list policy-nat permit ip host 192.168.0.22 any

access-list policy-nat2 permit ip host 192.168.0.22 any

static (dmz,inside) 192.168.0.22 access-list policy-nat

static (dmz,inside) 192.0.0.22 access-list policy-nat2

Let me know if it served you.

Greetings,

Mike

This is the above conversation. I used Google Translate for this.

Thanks,
Varun Rao

It worked fine!! Thanks.

Regards,

You seem surprised.... hahahaha .... I'm glad it worked for you; thank you very much for using the support forums.

Regards...

Mike

Hello Maykol,

Actually, after configuring what you indicated, when I enable nat (inside) 1 192.0.0.0 255.255.255.255.0 and global (outside) interface the configuration no longer works!! What is the cause of this?

Regards,

Álvaro
