06-12-2013 09:42 AM - edited 03-11-2019 06:56 PM
Hi everyone,
We are planning to split the Private servers from the DMZ Servers and configure an additional Interface and segment for this purpose.
Private Servers Segment: 192.168.4.0/24 (there is no DHCP; all servers' IPs are statically configured)
DMZ Segment: 192.168.3.0/24 (This is a future deployment)
LAN Segment: 172.17.0.0/16
Both the Private Servers and the DMZ Servers are in a colocation facility, as is the ASA5520. There are multiple branch offices that use subnets within the 172.17.0.0/16 network, and they are connected to the ASA5520 via Metro-E.
I do not know if this is possible but what I want to do is this:
In order to avoid changing internal DNS records, I want to mask the DMZ servers with a Private Server IP when a Private server or LAN host wants to access them, like this:
The FTP server in the DMZ has the IP address 192.168.3.100. But when a PC from the LAN wants to reach the FTP server it should point to its old IP: 192.168.4.100. This way the PC sends a packet to ftp.corporate.net (192.168.4.100), the ASA receives the packet, translates it to 192.168.3.100 and sends it out through the DMZ interface.
Also, if the Private Servers want to reach the same FTP server, the ASA will act like a proxy-ARP and send the packet to the DMZ by means of the translation of the IP.
Best Regards,
Jose M. Cortes H.
06-12-2013 11:19 AM
Hi,
Actually, the traffic should first hit the NAT rule we have configured, and already there it is decided that the packet should be forwarded to the "dmz" interface rather than the "dmz-priv" interface.
An example from my home ASA. Though, as my home ASA is an ASA5505 with Base License, the example isn't really ideal or doesn't make much sense, but it simulates a similar situation.
In my situation I have a test configuration that NATs an IP address located on my "WAN" interface to an IP address of a network that is actually directly connected to the ASA on the "WLAN" interface.
ASA(config)# sh route | inc connected
C 10.0.255.0 255.255.255.0 is directly connected, WLAN
object network LAN
subnet 10.0.0.0 255.255.255.0
object network OUTSIDE-REAL
host 1.1.1.1
object network OUTSIDE-MAPPED
host 10.0.255.100
nat (WAN,LAN) source static OUTSIDE-REAL OUTSIDE-MAPPED destination static LAN LAN
So basically what the above NAT configuration does is NAT the "WAN" IP address of 1.1.1.1 to 10.0.255.100 towards my LAN. So when users from my LAN connect to destination 10.0.255.100 they won't be forwarded to the "WLAN" interface like my above routing table output shows. Rather, it forwards them to "WAN" according to the NAT configuration.
Here is a "packet-tracer" command output that shows you that the traffic is forwarded correctly:
ASA(config)# packet-tracer input LAN tcp 10.0.0.100 12345 10.0.255.100 3389
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (WAN,LAN) source static OUTSIDE-REAL OUTSIDE-MAPPED destination static LAN LAN
Additional Information:
NAT divert to egress interface WAN
Untranslate 10.0.255.100/3389 to 1.1.1.1/3389
If you have felt that this has answered your question, please do mark the reply as the correct answer.
Ask more if needed naturally
- Jouni
06-12-2013 09:51 AM
Hi,
I guess there is no easy way to set this up. I mean, a way where we wouldn't be creating multiple NAT configurations.
The first question at this point would be to know what your ASA's software version is.
- Jouni
06-12-2013 09:55 AM
Hi,
The current version of the ASA is 9.0(2).
Best Regards,
06-12-2013 10:06 AM
Hi,
Ok, so the below configuration would presume the following starting information.
Let's take the example of the server that you mention in your original post.
The configuration for this server should be:
object network SRV100-REAL
host 192.168.3.100
object network SRV100-MAPPED
host 192.168.4.100
object network DMZ-PRIV
subnet 192.168.4.0 255.255.255.0
object network LAN
subnet 172.17.0.0 255.255.0.0
nat (dmz,dmz-priv) source static SRV100-REAL SRV100-MAPPED destination static DMZ-PRIV DMZ-PRIV
nat (dmz,lan) source static SRV100-REAL SRV100-MAPPED destination static LAN LAN
In the case of the "dmz" to "dmz-priv" NAT configuration, we know for sure that Proxy ARP must be enabled on the "dmz-priv" interface so that the ASA will reply to the ARP requests of the "dmz-priv" hosts.
In the case of the other NAT configuration we don't have such a problem, as the traffic towards the server is entering from another network/direction. In that case the default route should handle the traffic hitting the firewall, and the above NAT configuration should handle that the 192.168.4.100 destination IP address gets diverted to 192.168.3.100 on the ASA.
This is not something I have tested at the moment, but I imagine this should be the configuration needed for the setup.
Naturally you would have to repeat the NAT configuration for each server.
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question
Ask more if needed
- Jouni
06-12-2013 11:02 AM
Thanks for the reply, I was thinking of something similar. But one last question if you don't mind: the routing process is performed before the NAT process, right? I mean, when a packet from the LAN is looking for a 4.X server that is actually in the DMZ (via NAT), will the ASA do the NAT first and then route the packet towards the DMZ?
On the LAN:
Source: 172.17.0.100
Destination: 192.168.4.100
On the ASA:
nat (dmz,lan) source static SRV100-REAL SRV100-MAPPED destination static LAN LAN
#sho route
C 192.168.4.0 255.255.255.0 is directly connected, dmz-priv
C 192.168.3.0 255.255.255.0 is directly connected, dmz
Best Regards,
Jose
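To make the order discussed in this thread concrete (the static NAT rule UN-NATs the destination and picks the egress interface before any route lookup, which is what the packet-tracer "NAT divert" line shows), here is a small Python simulation added as an example; it is not from the thread or from Cisco, it models only the objects, NAT rules and connected routes shown above, and it untranslates host objects only.

```python
import ipaddress

# Constructed simulation of the ASA behaviour discussed in this thread: a
# static twice-NAT rule UN-NATs the destination and chooses the egress
# interface ("NAT divert") before the routing table is consulted. Objects
# and rules follow Jouni's proposed configuration; routes follow "sho route".
OBJECTS = {
    "SRV100-REAL": "192.168.3.100/32",
    "SRV100-MAPPED": "192.168.4.100/32",
    "DMZ-PRIV": "192.168.4.0/24",
    "LAN": "172.17.0.0/16",
}
# nat (real_ifc,mapped_ifc) source static S_REAL S_MAPPED destination static D_REAL D_MAPPED
NAT_RULES = [
    ("dmz", "dmz-priv", "SRV100-REAL", "SRV100-MAPPED", "DMZ-PRIV", "DMZ-PRIV"),
    ("dmz", "lan", "SRV100-REAL", "SRV100-MAPPED", "LAN", "LAN"),
]
ROUTES = [("192.168.4.0/24", "dmz-priv"), ("192.168.3.0/24", "dmz"),
          ("172.17.0.0/16", "lan")]

def _in(ip, obj):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(OBJECTS[obj])

def route_lookup(dst):
    """Longest-prefix match over the connected routes; None if nothing matches."""
    hits = [r for r in ROUTES if ipaddress.ip_address(dst) in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]

def trace(ingress, src, dst):
    """Return (egress_ifc, translated_dst, phase) for a packet entering on ingress.

    Seen from the mapped interface, a rule matches when the packet's destination
    is the mapped source object and its source falls inside the (identity)
    destination object. Only host objects are untranslated in this simulation.
    """
    for real_ifc, mapped_ifc, s_real, s_mapped, _d_real, d_mapped in NAT_RULES:
        if ingress == mapped_ifc and _in(dst, s_mapped) and _in(src, d_mapped):
            real_dst = OBJECTS[s_real].split("/")[0]
            return real_ifc, real_dst, "UN-NAT"   # egress chosen by NAT, not routing
    return route_lookup(dst), dst, "ROUTE-LOOKUP"

if __name__ == "__main__":
    # LAN host to the FTP server's old address: diverted to dmz as 192.168.3.100
    print(trace("lan", "172.17.0.100", "192.168.4.100"))
    # LAN host to an ordinary private server: no rule matches, the route decides
    print(trace("lan", "172.17.0.100", "192.168.4.50"))
```

A source outside the LAN object (for example a spoofed 10.x address arriving on "lan") does not match the rule's destination object, so it falls through to the routing table and ends up on "dmz-priv", which is why the "destination static LAN LAN" part of the rule matters.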
06-12-2013 11:28 AM
Thanks a lot, I will try this in my lab (I'm waiting for the ASA to arrive).