cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
27437
Views
5
Helpful
7
Replies

NAT for DMZ access from the inside network 8.3 and higher on ASA 5505

Steve Krantzman
Level 1
Level 1

I know this topic has been covered may times, but I am still stuck after reading many forum posts and cisco help files on the subject. Also let me say that I am not a Cisco professional in any way, although I do know my way around the CL to some extent.

I am in the process of upgrading asa 5505s from 8.2.1 to 9.1. I first migrated from 8.2 to 8.3.1 and using many documents found here I have been trying to educate myself on the new NAT structure

I have a typical 3 leg setup (inside, dmz, outside) and everything works at this point. 
I can access the internet from both the inside and dmz.
I can access the servers on the dmz from the outside.
I can access the servers on the dmz from the inside (but maybe not the way I should.)


The following is a small part of my current setup that is working:


interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0

interface Vlan2
nameif outside
security-level 0
ip address 183.2.81.107 255.255.255.248

interface Vlan3
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0

object network inside-subnet
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) dynamic interface

object network dmz-subnet
subnet 192.168.1.0 255.255.255.0
nat (dmz,outside) dynamic interface

object network webserver
host 192.168.1.4
nat (dmz,any) static 183.2.81.104


Based on what I have read, I think the following changes would need to be made to correctly access the dmz from the inside:

Add
object network inside-dmz
subnet 192.168.0.0 255.255.255.0
nat (inside,dmz) static inside-dmz

Change
object network webserver
host 192.168.1.4
nat (dmz,outside) static 183.2.81.104 (changing (dmz,any) to (dmz,outside).)


Is this correct, or am I missing something as I cannot access the servers on the dmz from the inside when I make these changes? When I use packet tracer, the packet goes through without an error.

1 Accepted Solution

Accepted Solutions

Hi,

There are different ways that people might handle the situation when connecting from your own LAN to your own DMZ server

Some might simply use the local IP address directly without NATing the DMZ server towards the LAN.

Some might NAT the DMZ server to the public IP address towards all the other ASA interfaces

Some might NAT the DMZ server only towards the WAN link of the ASA and configure DNS rewrite for the Static NAT translations so that the ASA would modify the replys from public DNS servers for your DMZ server to point to the local IP address rather than the public IP address.

To have the ASA modify the DNS reply from public DNS server you could use the Static NAT configuration like this

object network webserver

host 192.168.1.4

nat (dmz,outside) static 183.2.81.104 dns

The "dns" parameter would make sure that the DNS replys from public DNS server would return the local IP address of the DMZ server to the connecting host.

Naturally as you could configure the Static NAT also in the following way

object network webserver

host 192.168.1.4

nat (dmz,any) static 183.2.81.104

OR

object network webserver

host 192.168.1.4

nat (dmz,inside) static 183.2.81.104

object network webserver

host 192.168.1.4

nat (dmz,outside) static 183.2.81.104

Which would basically enable contacting the server with the public IP address directly from the "inside". Even if you have the destination interface of the Static NAT set to "any" it wouldnt mean that the traffic would actually take a turn on the "outside". It would simply go straight from "inside" to the "dmz". The destination interface "any" simply means that the DMZ server will be NAted to the public IP address towards "any" interface on the ASA.

Do notice that if you had the Static NAT configured as below

object network webserver

host 192.168.1.4

nat (dmz,outside) static 183.2.81.104

Then it would mean that the DMZ server would only be accessible with the public IP address from behind "outside" interface and no other interface on the ASA.

Hope I made any sense

- Jouni

View solution in original post

7 Replies 7

Hello Steve,

you need to change the ACL which is applied to outside interface. It should be pointed to your real IP address in the version above 8.3.

regards

Harish.

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

For your "inside" and "dmz" Dynamic PAT configuration I would suggest an alternative way to configure

object-group network DEFAULT-PAT-SOURCE

network-object 192.168.0.0 255.255.255.0

network-object 192.168.1.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

In the event that your network got additional LAN and DMZ networks you would simply add the network under the "object-group" above and the Dynamic PAT would be set wihtout adding any additional NAT configurations.

Now regarding the "inside" to "dmz" traffic,

I am not quite sure how you want the NAT between those interfaces to work? Should the "inside" and "dmz" be able to communicate using their original IP addresses OR do you perhaps want to NAT some of the "dmz" server to the public IP address towards the "inside" also (with addition to doing the same towards "outside")

If you DONT need any NAT between the interfaces then you simply leave out ALL NAT configurations between "inside" and "dmz"

Let me know what the requirement for NAT is between "inside" and "dmz" and we can look what the needed configurations is.

Also please share the "packet-tracer" output

- Jouni

Harish,

I am using the object network webserver from above in my outside ACL, so I believe it is already pointing to the real address.

Jouni,

Now regarding the "inside" to "dmz" traffic,

I am not quite sure how you want the NAT between those interfaces to work?

That's just it, neither do I. Is there a preferred way to handle this?

My assumption is (based on my working configuration, and please correct me if i am wrong), that when inside users use the public IP to access the webservers, the packets get NATed to the ouside interface. The trafic then moves through the outside interface to the internet, where it is routed back to the public IP for the webserver. Then upon reaching the outside interface it is again NATed, this time to the webserver on the dmz.

If the above assumption is correct would it not be more efficient (band width and increased security) for the users to use the public IP, but have DNS re-write use the private IP address so that the traffic goes directly to the dmz and back without ever having to go out to the internet first? If this is indeed the case, how would this be set up because I am having a hard time wrapping my head around this?

I should probably mention that I have multiple public IPs and multiple servers in the DMZ. Also sitting on the inside network, I have a Small Business Server running ISA. So all inside traffic on 192.168.16.0 subnet gets NATed to 192.168.0.10. Yes I know a little over kill, but the SBS with ISA was there long before we brought the ASA into the mix. I just broke all this down into the simplest terms so that I could better understand the process. If I can get the one webserver NATed correctly, I can do the rest.

Steve

Hi,

There are different ways that people might handle the situation when connecting from your own LAN to your own DMZ server

Some might simply use the local IP address directly without NATing the DMZ server towards the LAN.

Some might NAT the DMZ server to the public IP address towards all the other ASA interfaces

Some might NAT the DMZ server only towards the WAN link of the ASA and configure DNS rewrite for the Static NAT translations so that the ASA would modify the replys from public DNS servers for your DMZ server to point to the local IP address rather than the public IP address.

To have the ASA modify the DNS reply from public DNS server you could use the Static NAT configuration like this

object network webserver

host 192.168.1.4

nat (dmz,outside) static 183.2.81.104 dns

The "dns" parameter would make sure that the DNS replys from public DNS server would return the local IP address of the DMZ server to the connecting host.

Naturally as you could configure the Static NAT also in the following way

object network webserver

host 192.168.1.4

nat (dmz,any) static 183.2.81.104

OR

object network webserver

host 192.168.1.4

nat (dmz,inside) static 183.2.81.104

object network webserver

host 192.168.1.4

nat (dmz,outside) static 183.2.81.104

Which would basically enable contacting the server with the public IP address directly from the "inside". Even if you have the destination interface of the Static NAT set to "any" it wouldnt mean that the traffic would actually take a turn on the "outside". It would simply go straight from "inside" to the "dmz". The destination interface "any" simply means that the DMZ server will be NAted to the public IP address towards "any" interface on the ASA.

Do notice that if you had the Static NAT configured as below

object network webserver

host 192.168.1.4

nat (dmz,outside) static 183.2.81.104

Then it would mean that the DMZ server would only be accessible with the public IP address from behind "outside" interface and no other interface on the ASA.

Hope I made any sense

- Jouni

Jouni,

Thanks for the light bulb moment.

 Even if you have the destination interface of the Static NAT set to "any" it wouldnt mean that the traffic would actually take a turn on the "outside". It would simply go straight from "inside" to the "dmz". The destination interface "any" simply means that the DMZ server will be NAted to the public IP address towards "any" interface on the ASA.

So basically the current way I have it configured

object network webserver

host 192.168.1.4

nat (dmz,any) static 183.2.81.104

is the correct way given my circumstances.  The old adage "If it isn't broken, don't fix it" applies here.

I now understand that my assumption about traffic flow based on the nat statement was incorrect and that the traffic is not going out to the internet first, but making a right hand turn into my dmz regardless of the fact that it is using the public IP address to reach it

I also now realize that accessing the webservers on the dmz with their private/local IPs would most likely not be possible in my situation base on my current network configuration. Since my LAN clients sit on the 192.168.16.0 subnet of my ISA server, if I tried to connect to the webserver using the private ip of 192.168.1.4 I would not get past the ISA server because the private IP range of addresses is not routable.

Thanks you again for the clarification and adding to my understanding of the situation.

Steve

Hi Jouni, what if the outisde interface is a ISP dhcp address then what is the config in the object should be? Thanks

object network webserver

host 192.168.1.4

nat (dmz,any) xxxx ??

Hi,

You dont usually configure Static NAT when you only have the one public IP address from the ISP and in your case that is even a DHCP address. If you were to configure the "outside" interface IP address with Static NAT to some internal hosts then you could not do any Dynamic PAT for other hosts behind the firewall.

What you would basically need to do is configure Static PAT with which you could basically forward the ports you need from public to local.

object network WEBSERVER

host 192.168.1.4

nat (dmz,outside) static interface service tcp 80 80

Which would use whatever IP address is configured on the "outside" interface as the NAT IP address.

- Jouni

Review Cisco Networking for a $25 gift card