
NAT ID Priority Issue

Hi All,

I have a Cisco ASA firewall that has three legs, named inside, dmz and outside, with security levels 100, 50 and 0 respectively.

I have the below configuration:

nat (inside) 75 access-list outnat
nat (inside) 25 access-list dmznat

global (dmz) 25 interface
global (outside) 75 interface

access-list dmznat extended permit icmp any any
access-list outnat extended permit icmp any any

Now, if I try to ping any of the servers from the inside towards the DMZ, I am unable to, but outside servers I am able to ping.

Once I remove the line "access-list outnat extended permit icmp any any", I am able to ping all the DMZ server IPs but not outside IP addresses.

Why is NAT ID 25 not taking more priority by default? Only once I remove the ICMP access from the NAT ACL outnat am I able to ping the DMZ servers.

Please help me understand how the NAT ID is prioritized.

Regards

GanAlagu07

1 Reply

varrao
Level 10

Hi Ganesan,

NAT IDs are not used for deciding the priority; they are only used to match the corresponding global statements. If you have multiple nat and global statements, they are matched from top to bottom, so when you try to ping the DMZ, since you have an any any access-list, it falls in the first nat statement, but the corresponding global for it is the global (outside) and the packet is dropped.

When you remove the first nat statement, the DMZ traffic hits the correct nat statement, but then the inside-to-outside traffic is blocked, since you have removed the nat for it.

What you need to do is specify very strict ACLs. Let's say your DMZ is 192.168.1.0/24 and inside is 10.1.1.0/24; then you would just need:

nat (inside) 75 192.168.1.0 255.255.255.0

global (outside) 75 interface
global (dmz) 75 interface

That's it, and it would work like a charm; you can have multiple global statements for the same nat statement.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao
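To make the top-to-bottom nat/global matching in the reply concrete, here is a small constructed model of that ordering logic, added as an example and not code from this thread or from Cisco. It reproduces the poster's symptom (inside-to-DMZ ICMP matches nat id 75 first and finds no global (dmz) 75, so it is dropped) and then the reply's fix with one nat id and a global on each egress interface; the 10.1.1.0/24 and 192.168.1.0/24 subnets come from the reply, while the host addresses and the ACL-based form of the strict rule are assumptions.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

# Constructed model of pre-8.3 ASA "nat"/"global" matching as described in the reply.
# nat rule: (ingress interface, nat id, ACL as a list of (proto, src net, dst net)).
# global:   {(egress interface, nat id): pool}


def first_matching_nat(nat_rules, ingress, proto, src, dst):
    """Walk the nat rules top to bottom and return the nat id of the first rule on
    the ingress interface whose ACL permits the flow (None if nothing matches)."""
    for iface, nat_id, acl in nat_rules:
        if iface != ingress:
            continue
        for a_proto, a_src, a_dst in acl:
            if a_proto in ("ip", proto) and src in a_src and dst in a_dst:
                return nat_id
    return None


def nat_decision(nat_rules, globals_, ingress, egress, proto, src, dst):
    """Return ("no-match", None), ("drop", nat_id) or ("translate", nat_id).
    The flow is dropped when the matched nat id has no global on the egress interface."""
    nat_id = first_matching_nat(nat_rules, ingress, proto, ip_address(src), ip_address(dst))
    if nat_id is None:
        return ("no-match", None)
    if (egress, nat_id) not in globals_:
        return ("drop", nat_id)
    return ("translate", nat_id)


# The poster's configuration: both ACLs are "permit icmp any any", so every ICMP flow
# from inside hits nat id 75 first, whatever its destination.
POSTED_NAT = [
    ("inside", 75, [("icmp", ANY, ANY)]),  # access-list outnat
    ("inside", 25, [("icmp", ANY, ANY)]),  # access-list dmznat
]
POSTED_GLOBAL = {("dmz", 25): "interface", ("outside", 75): "interface"}

# The reply's fix: one nat id matching only the inside subnet (assumed here as an ACL
# entry) with a global on both egress interfaces.
INSIDE = ip_network("10.1.1.0/24")
FIXED_NAT = [("inside", 75, [("ip", INSIDE, ANY)])]
FIXED_GLOBAL = {("dmz", 75): "interface", ("outside", 75): "interface"}

if __name__ == "__main__":
    for dst, egress in (("192.168.1.10", "dmz"), ("203.0.113.9", "outside")):  # constructed hosts
        print("posted", egress, nat_decision(POSTED_NAT, POSTED_GLOBAL, "inside", egress, "icmp", "10.1.1.5", dst))
        print("fixed ", egress, nat_decision(FIXED_NAT, FIXED_GLOBAL, "inside", egress, "icmp", "10.1.1.5", dst))
```

Dropping the first posted rule (what the poster did by removing the ICMP line from outnat) makes the DMZ flow match nat id 25 but leaves inside-to-outside with no global (outside) 25, which is the second symptom in the question.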