NAT solution

s-santhosh
Level 1

Hi,

We have a server in DMZ network with IP 10.1.1.20

Client VLANs(Local LAN users) are provided access to the 10.1.1.20

This server also needs to be accessed via the internet, so a NAT entry was created: natted to public IP 192.168.1.20 (just for understanding).

Now client VLAN users are able to access the server on port 80 using IP 10.1.1.20, but are unable to access 192.168.1.20.

Is there any solution to have access to public IP 192.168.1.20 on port 80 from the Client VLAN?

/San

2 Accepted Solutions

Hi Santosh,

There is a possible workaround for it, because with normal NATting we cannot do this; otherwise it would say conflicting NAT statements. The workaround is as follows:

access-list abc permit ip host 10.1.1.20 any
access-list xyz permit ip host 10.1.1.20 any
static (DMZ,inside) 192.168.1.20 access-list abc
static (DMZ,inside) 10.1.1.20 access-list xyz

Let me know if this works for you. Can you also tell me the ASA version that you are using? Because it has a software limitation when it was tested.

Thanks,

Varun

Thanks,
Varun Rao


Hi Santosh,

I had tried the config first before suggesting it to you, and it worked:

You would need to first remove the configuration that you have for the inside users, mainly this static:

static (General_Services,Internet) tcp 192.168.1.20 www 10.1.1.20 www netmask 255.255.255.255

and then apply the one that was provided earlier.

Thanks,

Varun


18 Replies

varrao
Level 10

Hi Santosh,

Yes, there is a way to make it work; you would need to do U-turning on the firewall. But for that, can you provide me the configuration that you have for the outside access? This would be required, and then we can plan how to configure it.

Thanks,

Varun


You would need the following configuration for your inside users:

static (DMZ,inside) 192.168.1.20 10.1.1.20
nat (inside) 5 0.0.0.0 0.0.0.0
global (DMZ) 5 interface

and this should work for you.

P.S. - This assumes local LAN users are on the inside interface.

Can you also tell me the NAT statement that you have for the inside users to access the server on the private IP?

Thanks,

Varun


Hi Varun,

Thanks for the solution... very soon I will share the ACLs with you.

/San

No Problem Santosh, I would wait for your reply.

-Varun


Hi Varun,

Please find the ACLs and NAT below:

access-list acl-in extended permit tcp 10.1.3.0 255.255.255.192 host 10.1.1.20 eq www
access-list acl-in extended permit tcp 10.1.4.0 255.255.254.0 host 10.1.1.20 eq www
access-list acl-in extended permit tcp 10.1.1.0 255.255.254.0 host 10.1.1.20 eq www

The ACL is applied on the inside interface.

static (General_Services,Internet) tcp 192.168.1.20 www 10.1.1.20 www netmask 255.255.255.255

General_Services is the DMZ interface.

I have a general question - is this solution standard and does it work normally? I feel that this is a very strange requirement.

Any more requirements, I can share with you...

/San

Hi Santosh,

So what your client needs is, they should be able to access the server in the DMZ with both the public and private IP, right?

If so, why do they need it to be?

-Varun


Hi Varun,

Yes, you are correct, they need access to the public and private IP address from the LAN.

This is due to some project requirements, it seems.

It's not a client... it's a local requirement... :)

-San


Hi Varun, at present I am using this:

Cisco Adaptive Security Appliance Software Version 8.2(2)

-Santhosh

It should definitely work then.

Thanks,

Varun


Hi Varun,

Both abc and xyz have the same host, so is it not possible to use a single ACL, like below?

access-list abc permit ip host 10.1.1.20 any
static (DMZ,inside) 192.168.1.20 access-list abc
static (DMZ,inside) 10.1.1.20 access-list abc

-Santhosh

No no, that's the catch, you would need to use different ACLs.

-Varun


Hi Varun,

I added the ACLs and statics as you gave them, but no luck :(

But when I run packet-tracer, it shows it is allowed.

Santhosh

Can you just clear the xlate for the server:

clear local-host 10.1.1.20

and try again. If it does not work, can you take the output of "show xlate | in 10.1.1.20"?

Thanks,

Varun

Thanks,
Varun Rao
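The thread ends with a request to inspect "show xlate | in 10.1.1.20" after clearing the server's translations. The script below is an added example, not part of the thread, that parses constructed ASA 8.2-style xlate lines ("Global X Local Y" and "PAT Global X(port) Local Y(port)" are assumed formats) and reports which expected global addresses for the DMZ server have no translation built yet; the sample output is constructed.

```python
import re
from typing import Dict, List

# Assumed pre-8.3 ASA "show xlate" line shapes, e.g.
#   "Global 192.168.1.20 Local 10.1.1.20"
#   "PAT Global 192.168.1.20(80) Local 10.1.1.20(80)"
XLATE_RE = re.compile(
    r"^(?P<kind>PAT )?Global (?P<glob>\d+\.\d+\.\d+\.\d+)(?:\((?P<gport>\d+)\))?"
    r" Local (?P<loc>\d+\.\d+\.\d+\.\d+)(?:\((?P<lport>\d+)\))?$"
)


def parse_xlate(output: str) -> List[Dict[str, str]]:
    """Turn raw 'show xlate' text into a list of translation records."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # skips the "N in use, M most used" header and unknown lines
        entries.append({
            "type": "pat" if m.group("kind") else "static",
            "global": m.group("glob"),
            "gport": m.group("gport"),
            "local": m.group("loc"),
            "lport": m.group("lport"),
        })
    return entries


def missing_translations(output: str, local: str, expected_globals: List[str]) -> List[str]:
    """Return the expected global addresses for `local` that have no xlate entry."""
    present = {e["global"] for e in parse_xlate(output) if e["local"] == local}
    return [g for g in expected_globals if g not in present]


# Constructed sample: the outside port static and the inside policy static for
# 192.168.1.20 have built translations, the identity static for 10.1.1.20 has not.
SAMPLE_XLATE = """\
2 in use, 5 most used
Global 192.168.1.20 Local 10.1.1.20
PAT Global 192.168.1.20(80) Local 10.1.1.20(80)
"""

if __name__ == "__main__":
    # With the two-ACL workaround, inside users need both a 192.168.1.20 and a
    # 10.1.1.20 translation for the server; anything listed here is still missing.
    gap = missing_translations(SAMPLE_XLATE, "10.1.1.20", ["192.168.1.20", "10.1.1.20"])
    print("missing xlates for 10.1.1.20:", gap)
```

Paste the real "show xlate | in 10.1.1.20" output into SAMPLE_XLATE to run the same check against the firewall's actual table.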