Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
451
Views
20
Helpful
7
Replies

NAT B/W inside to DMZ

aslam.bajwa
Level 3
Level 3

‎03-04-2014 11:47 AM - edited ‎03-11-2019 08:53 PM

Hello ,

i have ASA 8.6 i need to configure nating between inside and DMZ . network details is as under :

network behind inside interface

10.16.8.0 / 24

10.16.10.0/24

network behind DMZ interface

10.16.7.0/24

10.16.6.0/24

what configuration i need on ASA so inside and outside can communicate with eachother please advice.

Labels:
0 Helpful
7 Replies 7

jj27
Spotlight
Spotlight

‎03-04-2014 04:59 PM

object-group network Inside_Networks

network-object 10.16.8.0 255.255.255.0

network-object 10.16.10.0 255.255.255.0

object-group network DMZ_Networks

network-object 10.16.7.0 255.255.255.0

network-object 10.16.6.0 255.255.255.0

I assume your interfaces are named "inside" and "DMZ"

nat (inside,dmz) source static Inside_Networks Inside_Networks destination static DMZ_Networks DMZ_Networks

0 Helpful

aslam.bajwa
Level 3
Level 3
In response to jj27

‎03-04-2014 09:58 PM

Many Thanks for your reply , i will check today and update you .

can you please tell me aboute routes also if required , so that i will be able to ping .from both side

0 Helpful

Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to aslam.bajwa

‎03-05-2014 05:42 AM

Hi Aslam,

To be honest , I see that you have these Subnets behind the ASA Interfaces. You are not translation the traffic between the Inside and DMZ interface and hence , I don't think you need any NAT statements on the ASA device to communicate between these Two interfaces(As nat-control is disabled by default on the ASA 8.3+).

Still , you would need Static routes for every L3 network behind the ASA interface.

Thanks and Regards,

Vibhor

aslam.bajwa
Level 3
Level 3
In response to Vibhor Amrodia

‎03-05-2014 06:05 AM

Hello Vibhor ,

i have done the nating , its working fine as i can ping fron ASA to network behind the inside and DMZ

but i can not ping from DMZ switch to ASA inside and from inside Switch to asa DMZ interfaces .

there is routing issues on both DMZ and inside swith . can yo advise

0 Helpful

Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to aslam.bajwa

‎03-05-2014 06:35 AM

Hi Aslam,

To be clear , we cannot ping the DMZ interface IP on the ASA from Any device behind the Inside interface and vice versa by architecture.

To ping from the devices behind the DMZ interface to the Inside devices , you would also need to allow the traffic using ACL on the DMZ interface.

Please send me the Packet-tracer for the traffic which is not working if possible. Also , run this command on the ASA device:-

fixup protocol icmp

Thanks and Regards,

Vibhor

aslam.bajwa
Level 3
Level 3
In response to Vibhor Amrodia

‎03-05-2014 06:57 AM

Hi Vibhor ,

thanks for your support , i am new in security so i am having lots issues . i tried alot to run Packet Tracer commnad but still i am unable to run it correctly , let see if i have to check nat or ping traffic issue what is the correct packet Tracer command santax .

Secondly  i have cisco Wireless ip phones on inside network and my callmanager is behind the DMZ what exacltly i need to do to register this ip phone with callmanage

0 Helpful

Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to aslam.bajwa

‎03-06-2014 07:37 AM

Hi Aslam,

Sorry for a late reply. As per your 1st query , you can check this Doc for more information on Packet Tracer on ASA:-

https://supportforums.cisco.com/docs/DOC-5796

You can also share the configuration and I can help you out.

As per your 2nd Query , If you want the IP phones to coimmunicate with the Call Manager on the DMZ , I would say the NAT should be there for Communication , Inspection and Access-rules.

Thanks and Regards,

Vibhor

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card