05-19-2011 12:44 PM - last edited on 03-25-2019 05:46 PM by ciscomoderator
Hello,
I have a problem. I am migrating a Fortinet firewall to an ASA5540 with inside (192.0.0.0/24), dmz (192.168.0.0/24), and outside (x.x.x.x), but the users of the inside network gain access to the application in two ways: the first way is through routing between inside and dmz, for example 192.0.0.200 to 192.168.0.20, and the other way is through static NAT between inside and dmz, for example 192.0.0.200 to 192.0.0.20 (192.168.0.20 static NAT). Is it possible to configure that in Cisco? Because when I configure only firewall routing the first way is OK, but when I add the second way only NAT works!
Regards,
Alvaro
05-19-2011 12:54 PM
Alvaro,
What application are you talking about, and where is it located? If Spanish is better for you, please feel free to post in it; I speak Spanish as well.
Mike.
05-19-2011 02:23 PM
Hello,
Try this:
access-list policy-nat permit ip host 192.168.0.22 any
access-list policy-nat2 permit ip host 192.168.0.22 any
static (dmz,inside) 192.168.0.22 access-list policy-nat
static (dmz,inside) 192.0.0.22 access-list policy-nat2
Let me know if it works for you.
Regards.
Mike
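As an added illustration (not part of the thread and not Cisco code), the following Python script models how an ordered list of pre-8.3 policy statics resolves the two addresses an inside client can use: it parses the four lines Mike posted and then looks up flows in configuration order, first match wins. The regular expressions cover only the `permit ip host X any` and `static (a,b) M access-list N` forms seen above, and the rule "no matching static means the flow is dropped" is an assumption of the model chosen to reproduce the symptom Alvaro reported, not a statement about every ASA configuration.

```python
import re
from dataclasses import dataclass

# Constructed input: the four lines Mike posted in the thread, verbatim.
THREAD_CONFIG = """
access-list policy-nat permit ip host 192.168.0.22 any
access-list policy-nat2 permit ip host 192.168.0.22 any
static (dmz,inside) 192.168.0.22 access-list policy-nat
static (dmz,inside) 192.0.0.22 access-list policy-nat2
"""

# Only the subset of syntax used in the thread is parsed (hypothetical
# parser written for this illustration, not an ASA component).
ACL_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) any$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")


@dataclass(frozen=True)
class Static:
    real_if: str    # interface where the real host lives (dmz)
    mapped_if: str  # interface on which the mapped address is seen (inside)
    real: str       # real address, taken from the policy ACL's source host
    mapped: str     # mapped address; equal to real for an identity static


def parse_config(text):
    """Turn the posted ACL + static lines into an ordered list of Static."""
    acl_host = {}
    statics = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl_host[m.group(1)] = m.group(2)
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, acl = m.groups()
            statics.append(Static(real_if, mapped_if, acl_host[acl], mapped))
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return statics


def translate(statics, in_if, out_if, src, dst):
    """Model of the lookup: first matching static wins, in config order.

    Returns the (src, dst) pair after translation, or None when no static
    matches. Assumption of the model: a flow between these interfaces with
    no matching static is dropped, which reproduces the symptom Alvaro
    describes (routing stops once NAT is enabled between the interfaces).
    """
    for s in statics:
        # inside -> dmz: packet addressed to a mapped address; rewrite dst.
        if in_if == s.mapped_if and out_if == s.real_if and dst == s.mapped:
            return src, s.real
        # dmz -> inside: the real host talks out; rewrite src.
        if in_if == s.real_if and out_if == s.mapped_if and src == s.real:
            return s.mapped, dst
    return None


def reachable_addresses(statics, client="192.0.0.200"):
    """Which of the two addresses can the inside client use for the DMZ host?"""
    candidates = ["192.168.0.22", "192.0.0.22"]
    return [a for a in candidates
            if translate(statics, "inside", "dmz", client, a) is not None]


if __name__ == "__main__":
    full = parse_config(THREAD_CONFIG)
    policy_only = [s for s in full if s.real != s.mapped]
    print("policy static only :", reachable_addresses(policy_only))
    print("identity + policy  :", reachable_addresses(full))
    print("dmz host outbound  :",
          translate(full, "dmz", "inside", "192.168.0.22", "192.0.0.200"))
```

Running it shows that with the translating static alone only 192.0.0.22 resolves from the inside, and that listing the identity static first is what lets inside hosts keep using 192.168.0.22 while the DMZ host's own outbound connections keep their real source address.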
05-19-2011 01:02 PM
Hello Maykol,
The problem is that I am migrating a Fortinet firewall to an ASA5540, but it turns out that the Fortinet firewall has 3 zones: inside (192.0.0.0/24), dmz (192.168.0.0/24), and outside (z.z.z.z). There is also a peculiarity in how the applications are accessed from the inside network. A workstation 192.0.0.200 connects to the application that is in the dmz in two ways: one through routing to 192.168.0.22, and the other through the IP 192.0.0.22, which uses NAT from the dmz to the inside, that is, 192.168.0.22 -> 192.0.0.22. On the FortiGate this is done without any problem, but on the ASAs it can only be configured between 2 networks, either NAT or routing. I need to know whether the ASA supports this and how to do it.
The Fortinet configuration is not that complex, but strangely on the ASAs you cannot do what I describe, and that duality can only be done with the Fortinet. On the other hand, to give you an idea: I have tried configuring only routing on the ASA, and the dmz communicates with the inside, but when I enable NAT between these same networks it stops routing.
Regards,
Alvaro
05-19-2011 01:56 PM
I think I understand now. Can you paste the NAT you are doing here? And another thing: do you want to be able to connect from the inside both to the real address and to the translated one?
Regards.
Mike
05-19-2011 02:04 PM
Hello Maykol,
I am sending the ASA configuration. The answer is YES, it is necessary. The network is set up that way and the Fortinet was doing this configuration. It is strange, because the purpose of NAT is to hide IP addresses by accessing through another one, but in this case this peculiarity of accessing both is wanted.
Regards,
Alvaro
05-19-2011 09:40 PM
Can you please describe the complete matter here in English?
05-19-2011 10:42 PM
Ray, here it is.
Hello Maykol,
The problem is that I'm migrating a Fortinet firewall to an ASA5540, but it appears that the Fortinet firewall has 3 parts: inside (192.0.0.0/24), dmz (192.168.0.0/24) and outside (zzzz), so there is a peculiarity with access to applications from inside the network. A 192.0.0.200 station connects to the application that is in the dmz in two ways: through routing to 192.168.0.22, and through the IP 192.0.0.22 that uses NAT from the dmz to the inside, i.e. 192.168.0.22 -> 192.0.0.22. The FortiGate has no problem, but the ASA can only be set between 2 networks, either NAT or routing. I need to know if the ASA supports this and how.
The Fortinet configuration is not complex, but strangely on the ASA you cannot do what I mention, and you can only do this duality with Fortinet. On the other side, to give you an idea: I've tried just configuring routing on the ASA and the DMZ is connected to the inside, but when I enable the NAT between these networks, routing stops.
Regards,
Alvaro
I think I understand. Can you paste the NAT you are doing here? And another thing: we want to connect to both the real as well as the translated address from the inside?
Greetings.
Mike
Hello Maykol,
Sending the ASA configuration. YES, it is necessary. The network is like that and the Fortinet did this configuration. It's weird because the purpose of NAT is to hide IP addresses by accessing through another one, but in this case it is this peculiarity of access to both.
Regards,
Alvaro
access-list policy-nat permit ip host 192.168.0.22 any
access-list policy-nat2 permit ip host 192.168.0.22 any
static (dmz,inside) 192.168.0.22 access-list policy-nat
static (dmz,inside) 192.0.0.22 access-list policy-nat2
Let me know if it served you.
Greetings,
Mike
This is the above conversation. I used Google Translate for this.
Thanks,
Varun
05-20-2011 10:46 AM
It worked fine!! Thanks.
Regards,
05-20-2011 10:52 AM
You seem surprised.... hahaha .... I'm glad it worked for you; thank you very much for using the Support Forums.
Regards...
Mike
05-20-2011 11:19 AM
Hello Maykol,
Rather, after configuring what you told me, when I enable nat (inside) 1 192.0.0.0 255.255.255.0 and global (outside) interface the configuration no longer works!! What is the reason for this?
Regards,
Álvaro