NAT config through DMZ subnet ASA?

meieltsptx
Level 1

Hello.

I'm having some trouble building a proper NAT configuration.

I have 3 interfaces; the IP addresses are made up, as I can't post the real ones for security purposes.

Please see the image I attached.

The purpose is that the .4 (from the HOST subnet) is NATed through dmz (the dmz addresses are public IP addresses; inet is also public). I can get this to work if I NAT:

(HOST,INET)... it works properly as it should; however, I have a problem NATing through the DMZ. As I don't have enough IP addresses in the INET subnet, IP address 10.1.1.4 should be mapped to 2.2.2.180.

And 2.2.2.180 should be reachable from the internet on port 443 (tested it, it's open).

0.0.0.0 0.0.0.0 [1/0] via 1.1.1.x, inet

So I do get hit counts on my ACL (INET side) when I try to connect to 2.2.2.180.

Also, the IP address is translated, as shown in the image with show nat det | i 10.1.1.

I am doing something wrong but I can't see what's wrong. No ACL is blocking it.

Please see the attachment for further details. Thanks a lot in advance.

3 Replies

S-Lemming
Level 1

If you want the 10.1.1.4 address to be reachable and NATed from the INET side you need to make a separate translation for it. Create a new object with the same configuration but change the NAT command to nat (host,inet) static 2.2.2.180.

Please rate if helpful.

Regards,

Stefan

So you mean:

object network host_.4
 host 10.1.1.4
 nat (host,dmz) static 2.2.2.180
object network host2_.4
 host 10.1.1.4
 nat (host,inet) static 2.2.2.180
?
How does this technically work inside the firewall? Can you explain a little?

Thanks in advance!

Yes that is correct.

It will probably be easier to explain if I break it down into parts.

nat - This is self-explanatory; it states that this is a NAT configuration.

(host,inet) - Specifies the interfaces involved in the process: if traffic matching your object arrives at the firewall on the host interface and is destined for the inet interface, this rule will apply. If it is destined for any other interface, like dmz, this rule will not be used.

static - Static 1-to-1 NAT.

2.2.2.180 - The IP address to use for the translation.

So in your case it's the interface part that is the issue. Your rule said host to dmz, which will only match traffic from 10.1.1.4 to the dmz network. This might be a little confusing since you are using a dmz public IP address. But the thing is, you want to NAT an IP address which resides on the host side, going to the inet side. It doesn't matter that the IP belongs to the dmz range; the firewall can translate it anyway.

I hope this makes sense to you; if not, just let me know and I'll try to explain it better.

On a different note, you can do NAT in another way: instead of putting the nat command inside the object configuration, you can do it globally. The syntax is a little different but the end result is the same. Then why do it globally, you may wonder? Well, in global configuration you can be more granular: you can configure rules based not only on source and destination interfaces but also on source and destination IP addresses. But that is a different topic.

Hope this helps.
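The complete configuration the answer above describes, as an added example written for this page rather than taken from either poster. It assumes ASA 8.3+ NAT syntax and the interface names host, dmz and inet used in the thread; the ACL name INET_IN and the client address 198.51.100.10 used in the packet-tracer check are made up for illustration. It also shows the "global" (twice NAT) form the answer mentions, which would replace the second object NAT rule, not sit beside it. Two caveats a practitioner will want: on 8.3+ an ACL applied to the inet interface must reference the real address 10.1.1.4, not the mapped 2.2.2.180, and the inbound permit should be limited to the one port that is meant to be public.

```text
! Object NAT: one object per interface pair, since an object holds only one nat statement.
! Both objects carry the same real host; only the interface pair differs.
object network host_.4
 host 10.1.1.4
 nat (host,dmz) static 2.2.2.180

object network host2_.4
 host 10.1.1.4
 nat (host,inet) static 2.2.2.180

! Inbound ACL on inet. 8.3+ matches on the REAL (untranslated) address,
! and only TCP/443 is exposed; everything else to the host is denied by the implicit deny.
! (ACL name INET_IN is an assumption for this example.)
access-list INET_IN extended permit tcp any object host_.4 eq 443
access-group INET_IN in interface inet

! Equivalent "global" (twice NAT) form of the inet rule, as the answer describes.
! Use this INSTEAD of object host2_.4 above, not in addition to it.
object network srv_real
 host 10.1.1.4
object network srv_mapped
 host 2.2.2.180
nat (host,inet) source static srv_real srv_mapped

! Verification: simulate an Internet client (198.51.100.10 is an assumed test address)
! arriving on inet for 2.2.2.180:443. The output should show an UN-NAT phase
! resolving to 10.1.1.4, the INET_IN ACL permit, and a final "Action: allow".
packet-tracer input inet tcp 198.51.100.10 40000 2.2.2.180 443

! Confirm both translations exist and which interface pair each one uses.
show nat detail | include 10.1.1.4
```

If packet-tracer shows the flow leaving via dmz instead of being un-NATed to the host, the inet-side translation is missing or the ACL references the mapped address; the phase listing tells you which.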
