NAT problem: cannot interoperate with internal and DMZ zones
06-07-2011 11:02 PM - edited 03-11-2019 01:43 PM
Hi forumers,
I want to ask about a conceptual network design.
As we can see from the topology, router C881 will do the NAT for the traffic from the public internet to the internal network, which resides on private addresses.
The first hop will reach the ASA firewall. Ethernet 0/1 is mainly for the internal server farm. The sub-interfaces Ethernet 0/1.301 and Ethernet 0/1.302 are used for the DMZ zone, with 2 different public IP ranges.
My problem statement:
1. If I apply ip nat on the C881 router, I can't reach the servers residing in the DMZ zone.
2. As part of the design requirement, there's no NAT at the ASA....
Any idea how I can resolve such a network design?
Thanks
Noel
06-07-2011 11:09 PM
What is the version of your ASA?
Since the traffic is from a lower security level towards a higher security level, you would also need to apply an access-list on the ASA outside interface to allow the traffic to go through.
Further to that, on the router, you would also need to configure a route for those server farm subnets to be routed towards the ASA outside interface.
Hope that helps.
06-07-2011 11:17 PM
Hi Jennifer,
My ASA is running 8.4, and the server residing in the DMZ is using a public IP.
Would this cause the conflict? Thanks
Noel

06-07-2011 11:22 PM
No, it shouldn't cause any conflicts.
Are you doing public-to-public address NATing on the router? I assume there are different sets of public addresses that you are doing the NATing on?
And a route for those DMZ public subnets on the router towards the ASA outside interface?
06-07-2011 11:34 PM
Hi Jennifer,
There's no public-to-public NATing; NATing only happens from public to the servers residing in the server farm.
For the DMZ, since it's public IP, the router only does routing to the DMZ zone.
Would it work in this case? Thanks
Noel

06-07-2011 11:44 PM
Yes, the router can just route to the ASA towards the DMZ subnet. No problem at all.
Sorry, from your initial post, I thought you were doing NAT as well, as you mentioned "If I apply ip nat on the C881 router, I can't reach the servers residing in the DMZ zone."
But yeah, just routing on the router will work if the DMZ is already configured with a public subnet.
06-08-2011 12:24 AM
Hi Jennifer,
OK, so for the resolution I just need to stick with your previous statement:
"Since the traffic is from lower security level towards higher security level, you would also need to apply access-list on ASA outside interface to allow the traffic to go through"
Something is not clear: should I create the rule at outside_access_in or IPS-A-DMZ_access_in?
Thanks
Noel

06-08-2011 12:27 AM
Since the traffic originates from the internet, coming inbound towards the DMZ server, the access-list needs to be created on the outside interface in the inbound direction.
So, guessing that outside_access_in is your outside ACL, please add the permit for that traffic to the ACL.
06-08-2011 01:22 AM
Hi Jennifer,
I tried creating a rule any --> IPS-A-DMZ on outside_access_in; it seems that it cannot go through. I tried a remote telnet but it cannot go.
I checked the log and it is showing this message: as attached.
Anything I missed again?
Noel

06-08-2011 05:34 PM
The logs seem to suggest that the TCP SYN is being sent; however, there is no complete TCP 3-way handshake, therefore the TCP connection is getting reset.
Can you please check if the DMZ server is listening on port 25, and also has the correct default gateway back towards the ASA DMZ interface?
A copy of the ASA configuration might help.
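The two answers above in configuration form (the static route on the router, the permit on the ACL applied inbound on the ASA outside interface, and the checks for the half-open handshake), as an added example that is not from the thread or from Cisco documentation. The addresses, the NAT-INSIDE ACL name and the router WAN interface FastEthernet4 are constructed placeholders; outside_access_in and port 25 are the values used in the thread.

```cisco
! --- C881 (IOS) --- constructed addresses: 203.0.113.0/24 = DMZ public range,
! 192.0.2.2 = ASA outside interface, 10.10.0.0/16 = private server farm
! Route the DMZ public range to the ASA outside interface; no NAT for it.
ip route 203.0.113.0 255.255.255.0 192.0.2.2
!
! Dynamic NAT only for the private server farm. The DMZ range is excluded
! from the NAT source list, otherwise replies from DMZ servers leaving
! through the router would be translated (assumed placement of the deny).
ip access-list extended NAT-INSIDE
 deny   ip 203.0.113.0 0.0.0.255 any
 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list NAT-INSIDE interface FastEthernet4 overload
!
! --- ASA 8.4 ---
! Traffic from a lower to a higher security level is denied by default, so
! the permit goes on the ACL bound inbound on the outside interface.
! 203.0.113.10 is the constructed DMZ mail server; eq smtp is port 25.
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq smtp
access-group outside_access_in in interface outside
!
! Checks: hit counts on the permit line, then a simulated SYN through the
! ASA from a constructed internet source. If packet-tracer shows ALLOW but
! the connection still resets, look at the server (listening on 25, default
! gateway = ASA DMZ sub-interface address) rather than at the ASA.
show access-list outside_access_in
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 25
```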
06-12-2011 05:34 PM
Hi Jennifer,
Greetings. The problem is resolved as everybody reached the limit and -- revamped the whole config. Haha.
Thanks for the guidance these days.
Noel
