Mask DMZ servers from Private Servers and LAN

jose cortes
Level 1

Hi everyone,

We are planning to split the Private servers from the DMZ Servers and configure an additional Interface and segment for this purpose.

Private Servers Segment: 192.168.4.0/24 (there is no DHCP; all servers' IPs are statically configured)

DMZ Segment: 192.168.3.0/24 (This is a future deployment)

LAN Segment: 172.17.0.0/16

Both the Private Servers and the DMZ Servers are in a colocation, as is the ASA5520. There are multiple branch offices that use subnets within the 172.17.0.0/16 network, and they are connected to the ASA5520 via Metro-E.

I do not know if this is possible but what I want to do is this:

In order to avoid changing internal DNS records, I want to mask the DMZ servers with a Private Server IP when a Private Server or LAN host wants to access them, like this:

The FTP server in the DMZ has the IP address 192.168.3.100. But when a PC from the LAN wants to reach the FTP server, it should point to its old IP: 192.168.4.100. This way the PC sends a packet to ftp.corporate.net (192.168.4.100), the ASA receives the packet, translates it to 192.168.3.100 and sends it out through the DMZ interface.

Also, if the Private Servers want to reach the same FTP server, the ASA will act like a proxy ARP and send the packet to the DMZ by means of the translation of the IP.

Best Regards,

Jose M. Cortes H.


Jouni Forss
VIP Alumni

Hi,

I guess there is no easy way to set this up. I mean a way where we wouldn't be creating multiple NAT configurations.

The first question at this point would be to know what your ASA's software version is.

- Jouni

Hi,

The current version of the ASA is 9.0(2).

Best Regards,

Hi,

Ok, so the below configurations would presume the following starting information:

  • Interfaces called "dmz" , "dmz-priv" and "lan"
  • Networks called 192.168.3.0/24 (dmz) , 192.168.4.0/24 (dmz-priv) and 172.17.0.0/16 (lan)

Let's take the example of the server that you mention in your original post:

  • Real IP = 192.168.3.100
  • Mapped IP = 192.168.4.100

The configuration for this server should be:

object network SRV100-REAL
 host 192.168.3.100
object network SRV100-MAPPED
 host 192.168.4.100
object network DMZ-PRIV
 subnet 192.168.4.0 255.255.255.0
object network LAN
 subnet 172.17.0.0 255.255.0.0

nat (dmz,dmz-priv) source static SRV100-REAL SRV100-MAPPED destination static DMZ-PRIV DMZ-PRIV
nat (dmz,lan) source static SRV100-REAL SRV100-MAPPED destination static LAN LAN

In the case of the "dmz" to "dmz-priv" NAT configuration, we know for sure that Proxy ARP must be enabled for the "dmz-priv" interface so that the ASA will reply to the ARP requests of the "dmz-priv" hosts.

In the case of the other NAT configuration we don't have such a problem, as the traffic towards the server is entering from another network/direction. In that case the default route should handle the traffic hitting the firewall, and the above NAT configuration should make sure that the 192.168.4.100 destination IP address gets diverted to 192.168.3.100 on the ASA.

This is not something I have tested at the moment, but I imagine this should be the configuration needed for the setup.

Naturally you would have to repeat the NAT configuration for each server.

Hope this helps.

Please remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

Thanks for the reply, I was thinking of something like that. But one last question if you don't mind: the routing process is performed before the NAT process, right? I mean, when a packet from the LAN is looking for a 4.X server that is actually in the DMZ (via NAT), will the ASA do the NAT first and then route the packet towards the DMZ?

On the LAN:

Source: 172.17.0.100
Destination: 192.168.4.100

On the ASA:

nat (dmz,lan) source static SRV100-REAL SRV100-MAPPED destination static LAN LAN

#sho route
C    192.168.4.0 255.255.255.0 is directly connected, dmz-priv
C    192.168.3.0 255.255.255.0 is directly connected, dmz

Best Regards,

Jose

Hi,

Actually, the traffic should first hit the NAT rule we have configured, and already there it is decided that the packet should be forwarded to the "dmz" interface rather than the "dmz-priv" interface.

An example from my home ASA. As my home ASA is an ASA5505 with a Base License the example isn't really ideal and doesn't quite make sense, but it simulates a similar situation.

In my situation I did a test configuration that NATs an IP address located on my "WAN" interface to an IP address of a network that is actually directly connected to the ASA on the "WLAN" interface.

ASA(config)# sh route | inc connected
C    10.0.255.0 255.255.255.0 is directly connected, WLAN

object network LAN
 subnet 10.0.0.0 255.255.255.0
object network OUTSIDE-REAL
 host 1.1.1.1
object network OUTSIDE-MAPPED
 host 10.0.255.100

nat (WAN,LAN) source static OUTSIDE-REAL OUTSIDE-MAPPED destination static LAN LAN

So basically, what the above NAT configuration does is NAT the "WAN" IP address of 1.1.1.1 to 10.0.255.100 towards my LAN. So when users from my LAN connect to destination 10.0.255.100, they won't be forwarded to the "WLAN" interface as my above routing table output would suggest. Rather, the traffic is forwarded to "WAN" according to the NAT configuration.

Here is a "packet-tracer" command output that shows you that the traffic is forwarded correctly:

ASA(config)# packet-tracer input LAN tcp 10.0.0.100 12345 10.0.255.100 3389

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (WAN,LAN) source static OUTSIDE-REAL OUTSIDE-MAPPED destination static LAN LAN
Additional Information:
NAT divert to egress interface WAN
Untranslate 10.0.255.100/3389 to 1.1.1.1/3389

If you have felt that this has answered your question, please do mark the reply as the correct answer.

Naturally, ask more if needed.

- Jouni
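The order Jouni describes above (the UN-NAT phase matches the twice-NAT rule first and the rule's real-side interface becomes the egress; the route table is consulted only when no rule matches) can be checked with a small model. This is an added Python illustration, not Cisco ASA code and not from this thread; the interface names, object values and addresses are the ones from the posts, while the route table, the `TwiceNat` class and the function names are constructed here for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TwiceNat:
    """One 'nat (real_if,mapped_if) source static REAL MAPPED destination static NET NET' line."""
    real_if: str     # interface the server actually sits on ("dmz")
    mapped_if: str   # interface whose hosts see the mapped address ("dmz-priv" or "lan")
    real_ip: str
    mapped_ip: str
    client_net: str  # the destination object, identity-translated (NET NET)

# Connected routes from the thread, as the ASA would list them (constructed table).
ROUTES = {"192.168.4.0/24": "dmz-priv", "192.168.3.0/24": "dmz", "172.17.0.0/16": "lan"}

def rules_for(host_octet: int) -> list[TwiceNat]:
    """The two NAT lines given for SRV100, repeated per server as the reply notes."""
    real, mapped = f"192.168.3.{host_octet}", f"192.168.4.{host_octet}"
    return [TwiceNat("dmz", "dmz-priv", real, mapped, "192.168.4.0/24"),
            TwiceNat("dmz", "lan", real, mapped, "172.17.0.0/16")]

def route_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTES; 'default' stands for the default route."""
    addr, best = ipaddress.ip_address(dst), None
    for net, iface in ROUTES.items():
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else "default"

def forward(ingress: str, src: str, dst: str, rules: list[TwiceNat]) -> dict:
    """Phase 1 is UN-NAT: a packet arriving on the mapped side, from the client net,
    to the mapped IP is untranslated and diverted to the rule's real-side interface.
    Only when no rule matches does the route table choose the egress interface."""
    s = ipaddress.ip_address(src)
    for r in rules:
        if ingress == r.mapped_if and dst == r.mapped_ip and s in ipaddress.ip_network(r.client_net):
            return {"phase": "UN-NAT", "egress": r.real_if, "dst": r.real_ip}
    return {"phase": "ROUTE-LOOKUP", "egress": route_lookup(dst), "dst": dst}

# Rules for two servers (.100 from the thread, .101 constructed) to show the repetition.
RULES = [r for octet in (100, 101) for r in rules_for(octet)]

if __name__ == "__main__":
    # LAN PC to the FTP server's old address: diverted to dmz, not to dmz-priv.
    print(forward("lan", "172.17.0.100", "192.168.4.100", RULES))
    # No rule for .200: plain routing sends it to dmz-priv.
    print(forward("lan", "172.17.0.100", "192.168.4.200", RULES))
```

The second call shows the failure mode of forgetting a server's NAT lines: the packet still follows the connected route to "dmz-priv" and never reaches the DMZ host.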

Thanks a lot, I will try this on my LAB (I'm waiting for the ASA to arrive).
