NAT 8.4(2) NAT and Routing Overload

Navaz Wattoo
Level 1

Hi All,


I attached a diagram and below are the requirements.

1. Hosts (having IPs 172.16.20.42 and 172.16.30.42) use the internet through a proxy server with IP 10.1.1.103 that is in the DMZ, and the internet allows the proxy server. Meaning hosts inside reach the DMZ and use the proxy server to use the internet. This is only for browsing traffic.

2. Hosts use Outlook from inside to outside using ports 25, 110, 465, 995 from inside to outside, and only these Outlook ports are allowed. The hosts use the gateways 172.16.20.254/24 and 172.16.30.254/24 respectively.

3. The web server with IP 10.1.1.254 allows only HTTP or HTTPS ports from outside when I access this server over the internet, and I want to access the web server over the internet through the public IP 17.102.8.65:8888 that is configured in the router. Meaning the local web server with IP 10.1.1.254:8888 is translated or port forwarded to 117.102.8.65:8888.


Thanks 

Navaz
Accepted Solution

Murali
Level 1

1. If your security levels are like inside > DMZ > outside, there is no need to configure any ACLs for inside or DMZ, but you need to configure NAT for your proxy server.

2. If you already have deny statements in your ACL for inside traffic going to outside, you need to permit the mentioned destination ports (please check the documentation for syntax).

3. Create an ACL to allow outside traffic to the server's real address (10.1.1.254), and create static NAT as below.

i) Create an object for your server:

object network DMZ_WEB_SERVER
 host 10.1.1.254
 nat (dmz,outside) static 17.102.8.65 service tcp 8888 8888


HTH

Murali.

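The config pasted later in this thread still uses the pre-8.3 nat-control/global/static syntax, while the accepted answer is written for the 8.3+ object NAT form, so here is an added helper (my example, not Murali's or Cisco's code) that rewrites each old-style static port-forward into an object NAT block plus the matching outside ACL entry on the real address, and flags old ACL entries that still point at the mapped interface address. The object naming convention and the ACL name 102 are assumptions.

```python
import re

# Pre-8.3 static port-forward, the form in the thread's pasted config:
#   static (real_ifc,mapped_ifc) tcp|udp mapped_ip|interface mapped_port real_ip real_port netmask MASK
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\d+(?:\.\d+){3})\s+(?P<real_port>\S+)(?:\s+netmask\s+\S+)?\s*$"
)

def convert_static(line, acl_name="102"):
    """Rewrite one pre-8.3 'static' port-forward as 8.3+ object NAT.

    Returns (object_block, acl_entry). The real host goes in a network object,
    'service PROTO REAL_PORT MAPPED_PORT' carries the port translation, and the
    ACL on the mapped interface must match the REAL address (8.3+ interface
    ACLs are written against real addresses). An object may hold only one nat
    rule, so the object name (my convention, not the thread's) embeds the port.
    """
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pre-8.3 static port-forward: {line!r}")
    g = m.groupdict()
    obj = f"{g['real_ifc'].upper()}_{g['real_ip'].replace('.', '_')}_{g['proto']}_{g['real_port']}"
    block = "\n".join([
        f"object network {obj}",
        f" host {g['real_ip']}",
        f" nat ({g['real_ifc']},{g['mapped_ifc']}) static {g['mapped_ip']}"
        f" service {g['proto']} {g['real_port']} {g['mapped_port']}",
    ])
    acl = (f"access-list {acl_name} extended permit {g['proto']} any"
           f" host {g['real_ip']} eq {g['real_port']}")
    return block, acl

def acl_entries_on_mapped_address(acl_lines, mapped_ip):
    """Old ACL entries that still match the mapped (interface) address; after
    the migration these no longer reach the server and must be re-pointed."""
    return [l for l in acl_lines if f"host {mapped_ip}" in l]

if __name__ == "__main__":
    # Statics and one outside ACL entry copied from the thread's pasted config.
    for s in [
        "static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255",
        "static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255",
        "static (DMZ,Outside) tcp interface 8888 10.1.1.245 8888 netmask 255.255.255.255",
    ]:
        block, acl = convert_static(s)
        print(block, acl, sep="\n", end="\n\n")
    old = ["access-list 102 extended permit tcp any host 11.11.11.2 eq 8888"]
    print("still on the mapped address:", *acl_entries_on_mapped_address(old, "11.11.11.2"))
```

Note that the third static in the pasted config points at 10.1.1.245 while the other two and the web server itself use 10.1.1.254; the converter reproduces whatever address it is given, so that line is worth checking before applying the output.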

4 Replies


Thanks Murali,

But can you send me the steps that I have to follow for these objectives?

1. I added these routes at the core switch that connects to the inside of the ASA:

ip route 172.16.20.0 255.255.255.0 192.168.11.249

ip route 172.16.20.0 255.255.255.0 192.168.11.249


2. These are my ASA interface details:


interface Ethernet0/0
 description Inside to the Core Switches
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description public Server - DMZ
 duplex full  
 nameif DMZ   
 security-level 50
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2 
!             
interface Ethernet0/3
 description outside to the internet via router
 duplex full  
 nameif Outside
 security-level 0
 ip address 11.11.11.2 standby 11.11.11.3 
!             
interface Management0/0
 description LAN/STATE Failover Interface

!             
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250 
!         

object-group network DMZ-BLOCKED-LAN-NETWORKS
 network-object 172.16.20.0 255.255.255.0
 network-object 172.16.30.0 255.255.255.0

access-list 102 extended permit tcp any host 11.11.11.2 eq www 

access-list 102 extended permit tcp any host 11.11.11.2 eq 8888 
access-list 102 extended permit tcp any host 11.11.11.2 eq https 
access-list 102 extended permit tcp any host 11.11.11.2 eq telnet 


access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 11.11.11.2  255.255.255.0
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0 

access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo 
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo 
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS 
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any 
access-list ICMP extended permit icmp any any 
access-list SPLIT standard permit 192.168.0.0 255.255.0.0

failover      
failover lan unit secondary
failover lan interface failover Management0/0
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover key *****
failover link failover Management0/0
failover interface ip failover 1.1.1.1 255.0.0.0 standby 1.1.1.2

nat-control   
global (Outside) 1 interface
nat (DMZ) 1 10.1.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255 
static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255 
static (DMZ,Outside) tcp interface 8888 10.1.1.245 8888 netmask 255.255.255.255 

static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0 
access-group 102 in interface Outside

route Outside 0.0.0.0 0.0.0.0 125.209.70.89 1
route inside 0.0.0.0 0.0.0.0 192.168.11.254 2
route inside 0.0.0.0 0.0.0.0 192.168.10.254 2

route inside 172.16.20.0 255.255.255.0 192.168.11.254 1
route inside 172.16.30.0 255.255.255.0 192.168.11.254 1
route inside 192.168.10.0 255.255.255.0 192.168.11.254 1

3. At the router

Inside interface details:

int f0/0
 ip add 11.11.11.1 255.255.255.0

This is the configuration as I configured it.

Thanks Murali

Navaz

Hi,

Sorry, I didn't understand your requirement. Are you trying to add routes on the ASA for the inside 172.16.20.x and 172.16.30.x networks?


The requirements are the same as those I started the discussion with.

Navaz