04-12-2010 08:23 AM - edited 03-11-2019 10:31 AM
Hello Everyone,
I've done a bit of reading on the topic of NAT on the PIX/ASA but still have a few questions that I'm looking for clarification on.
Based on the diagram attached, I'm thinking there are 3 ways to get this working with NAT. There is no need on the PIX/ASA in the diagram to allow the users to access the Internet. The Internet here is used only as a method to establish a LAN-to-LAN IPSec tunnel.
Method 1: no nat-control command. This should exempt ALL traffic from NAT, right?
----------------------------
Method 2: Static command
static (Inside,DMZ) 10.132.1.0 10.132.1.0 netmask 255.255.255.0 0 0
static (Inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.240.0 0 0
static (Inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.240.0 0 0
static (Inside,DMZ) 10.3.3.0 10.3.3.0 netmask 255.255.240.0 0 0
static (DMZ,Inside) 10.132.65.0 10.132.65.0 netmask 255.255.255.0 0 0
static (DMZ,Inside) 10.132.65.0 10.132.65.0 netmask 255.255.255.0 0 0
static (Outside,DMZ) 10.16.1.0 10.16.1.0 netmask 255.255.255.0 0 0
-------------------------
Method 3: NAT/Global command
nat (Inside) 0 10.132.1.0 255.255.255.0
nat (Inside) 0 10.1.1.0 255.255.255.0
nat (Inside) 0 10.2.2.0 255.255.255.0
nat (Inside) 0 10.3.3.0 255.255.255.0
nat (DMZ) 0 10.132.65.0 255.255.255.0
nat (Outside) 0 10.16.1.0 255.255.255.0
or possibly this could work as well?
nat (Inside) 0 0.0.0.0 0.0.0.0
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat (Outside) 0 0.0.0.0 0.0.0.0
- Do I also need "global" statements like these in order for the "nat" commands to work properly or is that just needed if I was sending traffic to the Internet so the clients could browse websites?
global (Outside) 0 interface
global (DMZ) 0 interface
global (Inside) 0 interface
- For traffic going from an interface with higher security level to a lower one, traffic should be allowed I believe.
- If going from a lower security level to a higher one, I know I need an ACL to permit the traffic.
- Do I also need a static NAT translation?
- Would the "nat (DMZ) 0 10.132.65.0 255.255.255.0" command work to exempt NAT on traffic from the lower security level interface to a higher one or would only the static NAT translation be looked at for this?
- If both "static" and "nat" commands are present, are the "static" commands looked at first before the "nat" commands?
Thanks for the help!
-Pete
04-12-2010 08:27 AM
Hi,
For traffic to flow from lower-security to higher-security interface you need:
STATIC NAT and ACL
If you have NAT-CONTROL disabled, you only need an ACL.
For traffic to flow from higher-security to lower-security interface you need:
NAT
If you have NAT-CONTROL disabled, you don't need any other commands.
If there's an existing ACL, it should allow the traffic.
NAT order of operation:
1. NAT 0 access-list
2. STATIC NAT/PAT
3. Policy NAT
4. Dynamic NAT/PAT
Federico.
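The rules in the answer above (which command is required for each direction, and the four-step NAT order of operation) can be checked against a configuration before it is pushed to a box. The following is an added example, not code from the thread or from Cisco: it models the decision logic in Python, with rule objects standing in for the pre-8.3 `static` / `nat 0 access-list` / `nat` + `global` commands. The security levels (Inside 100, DMZ 50, Outside 0), the `dynamic` and `exempt` rules, and the treatment of NAT exemption as bidirectional are assumptions; the `static (Inside,DMZ) 10.132.1.0 ...` rule is taken from the question.

```python
"""Model of the PIX/ASA (pre-8.3) NAT rules from the answer above.
Constructed teaching example; it is not ASA code and does not parse real configs."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List, Tuple

# Assumed security levels for the three interfaces named in the question.
SECURITY_LEVEL = {"Inside": 100, "DMZ": 50, "Outside": 0}

# NAT order of operation from the answer: nat 0 access-list (exempt) is looked
# at first, then static, then policy NAT, then dynamic NAT/PAT.
ORDER = ("exempt", "static", "policy", "dynamic")


@dataclass(frozen=True)
class NatRule:
    kind: str                        # one of ORDER
    real_iface: str                  # interface the real (untranslated) host sits on
    network: str                     # real network in CIDR form
    mapped_iface: Optional[str] = None   # None = any other interface (global rule)

    def matches(self, real_iface: str, mapped_iface: str, real_ip: str) -> bool:
        return (self.real_iface == real_iface
                and self.mapped_iface in (None, mapped_iface)
                and ip_address(real_ip) in ip_network(self.network))


def lookup_nat(rules: List[NatRule], real_iface: str, mapped_iface: str,
               real_ip: str) -> Optional[NatRule]:
    """Return the first rule, in ASA order of operation, that covers real_ip.
    Configuration order does not matter: a static always wins over a dynamic
    rule for the same host, which answers the 'static before nat?' question."""
    for kind in ORDER:
        for rule in rules:
            if rule.kind == kind and rule.matches(real_iface, mapped_iface, real_ip):
                return rule
    return None


def flow_decision(rules: List[NatRule], nat_control: bool, acl_permits: bool,
                  src_iface: str, dst_iface: str, src_ip: str,
                  dst_ip: str) -> Tuple[bool, str]:
    """Decide whether a new connection src_iface -> dst_iface can be built,
    applying the two direction rules from the answer. Returns (allowed, reason)."""
    outbound = SECURITY_LEVEL[src_iface] > SECURITY_LEVEL[dst_iface]
    if outbound:
        # Higher -> lower: with nat-control on, the source needs a translation.
        if nat_control and lookup_nat(rules, src_iface, dst_iface, src_ip) is None:
            return False, "no translation for source (nat-control)"
        # An ACL applied on the source interface, if any, must still permit it.
        if not acl_permits:
            return False, "acl denies"
        return True, "outbound ok"
    # Lower -> higher: an ACL is always required ...
    if not acl_permits:
        return False, "acl denies"
    # ... plus a static for the destination host unless nat-control is off.
    # Assumption: a nat 0 access-list exemption is bidirectional and also counts.
    if nat_control:
        rule = lookup_nat(rules, dst_iface, src_iface, dst_ip)
        if rule is None or rule.kind not in ("exempt", "static"):
            return False, "no static translation for destination (nat-control)"
    return True, "inbound ok"


# Constructed rule set: a catch-all dynamic PAT for Inside (nat (Inside) 1 0 0
# plus global), the Inside->DMZ static from the question, and an assumed
# nat (DMZ) 0 access-list exemption for the DMZ subnet.
RULES = [
    NatRule("dynamic", "Inside", "0.0.0.0/0"),
    NatRule("static", "Inside", "10.132.1.0/24", "DMZ"),
    NatRule("exempt", "DMZ", "10.132.65.0/24"),
]

if __name__ == "__main__":
    print(lookup_nat(RULES, "Inside", "DMZ", "10.132.1.5").kind)       # static
    print(flow_decision(RULES, True, True, "DMZ", "Inside",
                        "10.132.65.7", "10.1.1.5"))                     # blocked: no static
    print(flow_decision(RULES, False, True, "DMZ", "Inside",
                        "10.132.65.7", "10.1.1.5"))                     # ok with nat-control off
```

Running the module prints the three cases in the `__main__` block; the useful exercise is to replace `RULES` with the statics and identity NAT from the question and confirm that every subnet Pete lists on the Inside gets a `static` hit before the catch-all, and that the DMZ-to-Inside flows he needs for the tunnel traffic land on "inbound ok" only for subnets that have a static.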
04-12-2010 11:00 AM
Thanks for the help Federico,
This is very helpful.
-Pete