Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2010
Views
0
Helpful
7
Replies

NAT from inside to outside and dmz

Go to solution
lcaruso
Level 6
Level 6

‎02-19-2011 06:53 PM - edited ‎03-11-2019 12:53 PM

In 8.3 and beyond, how do I NAT to both the outside and the dmz?

When I try this it complains

object network inside-network

nat (inside, any) dynamic interface

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
csaxena
Cisco Employee
Cisco Employee

‎02-19-2011 07:15 PM

Hi,

Please try the following commands and let me know if it resolves the issue.

object network  inside-network
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface
object network  inside-network_1
   subnet 0.0.0.0 0.0.0.0
   nat (inside,dmz) dynamic interface

Hope this helps. Please reply if you need further assistance.

Regards,

Chirag

P.S.: Please mark this thread as answered if you feel your query is answered. Do.rate helpful posts.

View solution in original post

0 Helpful

Go to solution
csaxena
Cisco Employee
Cisco Employee
In response to lcaruso

‎02-19-2011 07:48 PM

Hi,

Here is a very good  dcument that will elaborate on the pre 8.3 and new 8.3 nat statements.

https://supportforums.cisco.com/docs/DOC-9129

This is should help if you are familiar with pre-8.3 NAT.

The following link gives you details of nat statements in 8.3

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968

Hope this helps.

Regards,

Chirag

P.S.: Please mark this thread as answered if you feel your query is answered. Do.rate helpful posts.

View solution in original post

0 Helpful

Go to solution
csaxena
Cisco Employee
Cisco Employee
In response to lcaruso

‎02-19-2011 07:51 PM

Yes, identity nat will help.

You can configure nat(inside,dmz) source static obj-inside obj-inside destination static obj-dmz obj-dmz

Also, you will require access-list in inward direction on dmz interface to allow traffic to inside network.

Regards,
Chirag

View solution in original post

0 Helpful
7 Replies 7

Go to solution
csaxena
Cisco Employee
Cisco Employee

‎02-19-2011 07:15 PM

Hi,

Please try the following commands and let me know if it resolves the issue.

object network  inside-network
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface
object network  inside-network_1
   subnet 0.0.0.0 0.0.0.0
   nat (inside,dmz) dynamic interface

Hope this helps. Please reply if you need further assistance.

Regards,

Chirag

P.S.: Please mark this thread as answered if you feel your query is answered. Do.rate helpful posts.

0 Helpful

Go to solution
lcaruso
Level 6
Level 6
In response to csaxena

‎02-19-2011 07:34 PM

Thanks for your reply.

I can see that would work, yet it looks awkward.

It's hard to imagine the designers of the new NAT would have it that way, so maybe I'm not asking the right question.

Here is my scenario:

A. these are still not correct or optimally implemented:

     dmz hosts need to contact inside hosts

     inside hosts need to contact dmz hosts

B. these are done and have been tested:

inside hosts need to contact outside hosts

object network inside-network
 nat (inside,outside) dynamic interface

dmz hosts need to contact outside hosts

object network dmz-network
 nat (dmz,outside) dynamic interface

outside hosts need to contact dmz hosts

object network server1
 nat (dmz,outside) static 24.a.b.c

outside hosts need to contact inside hosts

object network server2
 nat (inside,outside) static 24.x.y.z

can you show my a more elegant way to use 8.3 nat to accomplish my scenario?

0 Helpful

Go to solution
lcaruso
Level 6
Level 6
In response to lcaruso

‎02-19-2011 07:38 PM

My follow up question is for part A do I need to change the addresses at all?

Should I just be doing identity nat?

How do I decide when I need to hide private addresses from each other?

0 Helpful

Go to solution
csaxena
Cisco Employee
Cisco Employee
In response to lcaruso

‎02-19-2011 07:48 PM

Hi,

Here is a very good  dcument that will elaborate on the pre 8.3 and new 8.3 nat statements.

https://supportforums.cisco.com/docs/DOC-9129

This is should help if you are familiar with pre-8.3 NAT.

The following link gives you details of nat statements in 8.3

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968

Hope this helps.

Regards,

Chirag

P.S.: Please mark this thread as answered if you feel your query is answered. Do.rate helpful posts.

0 Helpful

Go to solution
csaxena
Cisco Employee
Cisco Employee
In response to lcaruso

‎02-19-2011 07:51 PM

Yes, identity nat will help.

You can configure nat(inside,dmz) source static obj-inside obj-inside destination static obj-dmz obj-dmz

Also, you will require access-list in inward direction on dmz interface to allow traffic to inside network.

Regards,
Chirag

0 Helpful

Go to solution
lcaruso
Level 6
Level 6
In response to csaxena

‎02-19-2011 09:09 PM

thanks. this is what I used

nat (inside,dmz) source static any any

0 Helpful

Go to solution
csaxena
Cisco Employee
Cisco Employee
In response to lcaruso

‎02-19-2011 09:33 PM

Gr8

I'm glad the issue is resolved.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card