NAT 1:1 and access to translated host using global IP address

JohnRambo87365
Level 1

Hi,

I have an ASA 5515, config looks like this:

All inside IPs are translated to outside. I'm able to ping everything in the Internet and also the host located in the DMZ (111.111.111.11), but I'm unable to ping the host translated in the DMZ (111.111.111.111).

The NAT statement looks like this:

object network obj-10.10.10.10
 nat (any,any) static 111.111.111.111

I have tried changing it to DMZ, etc., but with no luck.

[attachment: Untitled Diagram.png]

5 Replies

Cristian Matei
VIP Alumni

Hi,

  1. Can you confirm that the object "obj-10.10.10.10" contains a host entry of 10.10.10.10? From where do you want to access 10.10.10.10 as 111.111.111.111, from outside or from the DMZ?

  2. Optimize your NAT config as follows (this makes 10.10.10.10 reachable via 111.111.111.111 from the DMZ, but not from the outside):

            nat (inside,dmz) static 111.111.111.111

Regards,

Cristian Matei.

Yes, the object obj-10.10.10.10 contains a host entry of 10.10.10.10.

What I would like to do: host 10.10.10.15 to be able to reach 111.111.111.111, not 10.10.10.10.

Hi,

    Clearly the recommended way would be to place 10.10.10.10 in the DMZ VLAN. As long as 10.10.10.10 and 10.10.10.15 are within the same VLAN, even if you force them into not speaking directly by doing NAT, if they initiate a direct session it will work. To make what you want happen, you would have to make both 10.10.10.10 and 10.10.10.15 be visible as something else on the inside, and the traffic will be hair-pinned by the FW. This is clearly not recommended, as you make the configuration complex and in the end the hosts could still talk directly. Ensure that, besides the below config, if there is an ingress ACL applied on the inside interface or a global ACL, the traffic between 111.111.111.111 and 111.111.111.115 is allowed:

object network FIRST
 host 10.10.10.10
 nat (inside,inside) static 111.111.111.111
object network SECOND
 host 10.10.10.15
 nat (inside,inside) static 111.111.111.115
!
same-security-traffic permit intra-interface

Regards,
Cristian Matei.
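A way to verify on the ASA which NAT rule and egress interface a test packet from 10.10.10.15 to 111.111.111.111 actually hits, added here as a check that is not part of the original thread (standard ASA CLI commands; the addresses and object names are the thread's own):

```text
! Added verification commands (not from the thread). Run from the ASA CLI
! after applying the (inside,inside) configuration above.

! 1. Confirm the translation entries and their interface pairs.
show running-config nat
show nat detail

! 2. Confirm hairpinning on the inside interface is permitted.
show running-config same-security-traffic

! 3. Simulate an ICMP echo (type 8, code 0) from 10.10.10.15 to the mapped
!    address 111.111.111.111, entering on "inside". The NAT phase should
!    reference the FIRST/SECOND rules, the output interface should be
!    "inside", and the final line should read "Action: allow"; on a drop
!    the "Drop-reason" line names the failing phase (e.g. NAT, ACCESS-LIST).
packet-tracer input inside icmp 10.10.10.15 8 0 111.111.111.111 detailed

! 4. After a real ping from 10.10.10.15, both translations should be in use.
show xlate | include 111.111.111.1
```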

I know that the best option would be to put 10.10.10.10 in the DMZ VLAN, but then traffic will flow through the FW. I have a couple of servers that have been done this way, because in the past I had only a 300 Mbps FW.

I will try what you have recommended.

Hi,

   If you want to NAT a host, traffic has to go through the NATing device, which in your case is the firewall. If you want traffic between 10.10.10.10 and 10.10.10.15 to bypass the firewall, just leave it as it is; they can speak directly without NAT.

Regards,

Cristian Matei.
