03-21-2016 12:50 PM - edited 03-12-2019 12:31 AM
Hi Everyone,
If traffic flow is from
source interface DMZ to destination interface inside, we create an ACL to allow the traffic.
Source IP 192.168.50.x
Destination IP is 10.50.50.x
But I saw at our client's ASA that I need the NAT below to make it work:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
I need to know: is this normally done in networks?
Regards
Mahesh
03-21-2016 01:31 PM
Mahesh
Yes, it is, with NAT in use, because for traffic to flow from a lower to a higher security level you need:
1) an acl entry as you say
2) a static NAT statement to translate the traffic.
Your statement simply doesn't translate the IP but it is still needed.
Jon
03-21-2016 01:44 PM
Hi Jon,
Thanks for reply.
So if traffic flow is from a low to a high security interface then I will need 2 NAT statements?
One from source to destination and other from destination to source?
Regards
Mahesh
03-21-2016 01:47 PM
No, you only need that NAT statement because a static NAT statement works both ways.
So if the traffic is sent from the inside to the DMZ the source IP is changed and if traffic is sent from the DMZ to the inside the destination IP is changed.
Jon
03-21-2016 01:59 PM
So to make it work I can also use a NAT statement from DMZ to inside, right?
Instead of using a NAT statement from inside to DMZ?
Regards
Mahesh
03-21-2016 02:10 PM
No, the NAT has to be that way round.
Think of it like a static NAT statement you would use when you have a server in a DMZ and you want to give internet access to it.
You don't NAT the internet IPs coming in, you simply NAT the DMZ server IP to a public IP.
This is the same principle here it's just that you are allowing access from the DMZ to the inside.
Jon
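Jon's point that one static entry serves both directions, shown as an added Python model (not code from this thread or from Cisco): it parses the two static statements seen in the thread and, for a flow with a given ingress and egress interface, reports whether the source gets translated or the destination untranslated. The egress interface is assumed to be already chosen by routing; the ASA's NAT divert step is not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added model of the classic ASA "static (real_ifc,mapped_ifc) mapped real netmask M"
# command: not ASA code, just enough to show one entry serving both directions.
STATIC_RE = re.compile(r"static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) "
                       r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)")

@dataclass(frozen=True)
class StaticNat:
    real_ifc: str
    mapped_ifc: str
    mapped: ipaddress.IPv4Address
    real: ipaddress.IPv4Address
    mask: ipaddress.IPv4Address

def parse_static(line):
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static NAT statement: {line!r}")
    return StaticNat(m["real_ifc"], m["mapped_ifc"], ipaddress.IPv4Address(m["mapped"]),
                     ipaddress.IPv4Address(m["real"]), ipaddress.IPv4Address(m["mask"]))

def _in_block(addr, net, mask):
    return int(addr) & int(mask) == int(net) & int(mask)

def _rewrite(addr, to_net, mask):
    # Keep addr's host bits, swap in to_net's network bits (identity NAT when both nets match).
    host = int(addr) & ~int(mask) & 0xFFFFFFFF
    return ipaddress.IPv4Address((int(to_net) & int(mask)) | host)

def apply_static(rules, ingress, egress, src, dst):
    """Return (direction, rule, new_src, new_dst) for the first static that applies, else None.
    Assumes egress was already picked by routing; the ASA's NAT divert is not modelled."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        # real -> mapped: the source is translated (packet-tracer "NAT" phase)
        if ingress == r.real_ifc and egress == r.mapped_ifc and _in_block(src, r.real, r.mask):
            return "translate", r, _rewrite(src, r.mapped, r.mask), dst
        # mapped -> real: the destination is untranslated (packet-tracer "UN-NAT" phase)
        if ingress == r.mapped_ifc and egress == r.real_ifc and _in_block(dst, r.mapped, r.mask):
            return "untranslate", r, src, _rewrite(dst, r.real, r.mask)
    return None

# The two static statements seen in this thread.
RULES = [parse_static(s) for s in (
    "static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255",
    "static (DMZ,Corp) 192.168.50.0 192.168.50.0 netmask 255.255.255.0",
)]
```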
03-21-2016 02:19 PM
But when I run packet tracer from source DMZ to inside it hits 2 NAT rules?
One is the static NAT which I configured; what is the other NAT rule then?
Regards
Mahesh
03-21-2016 02:23 PM
Don't know.
Can you post the packet tracer output ?
Jon
03-21-2016 02:39 PM
Here is the output:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
nat-control
match ip inside host 10.50.50.1 DMZ any
static translation to 10.50.50.1
translate_hits = 0, untranslate_hits = 9
Additional Information:
NAT divert to egress interface inside
Untranslate 10.50.50.1/0 to 10.50.50.1/0 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_acl in interface DMZ
access-list DMZ_acl extended permit tcp host 192.168.50.1 any eq https log
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,Corp) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
nat-control
match ip DMZ 192.168.50.0 255.255.255.0 Corp any
static translation to 192.168.50.0
translate_hits = 7933173, untranslate_hits = 23054
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
nat-control
match ip inside host 10.50.50.1 DMZ any
static translation to 10.50.50.1
translate_hits = 0, untranslate_hits = 9
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
nat-control
match ip inside host 10.50.50.1 DMZ any
static translation to 10.50.50.1
translate_hits = 0, untranslate_hits = 9
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3804212927, packet dispatched to next module
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Regards
Mahesh
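A small parser for packet-tracer output of the kind posted above, added here as an example (not part of the thread): it collects every NAT or UN-NAT phase together with the static statement it references and the hit counters, so that the same static showing up in several phases is visible at a glance. The sample input is a constructed, trimmed copy of the output above.

```python
import re

# Constructed sample: a trimmed copy of the packet-tracer output posted above,
# keeping only the phases that reference a static statement.
SAMPLE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Config:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
translate_hits = 0, untranslate_hits = 9
Phase: 7
Type: NAT
Subtype: host-limits
Config:
static (DMZ,Corp) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
translate_hits = 7933173, untranslate_hits = 23054
Phase: 8
Type: NAT
Subtype: rpf-check
Config:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
"""

HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_phases(text):
    """Split packet-tracer output into one dict per 'Phase:' block."""
    phases, cur = [], {}   # cur starts as a throwaway dict for lines before Phase 1
    for line in text.splitlines():
        if line.startswith("Phase: "):
            cur = {"phase": int(line[7:]), "static": None, "hits": None}
            phases.append(cur)
        elif line.startswith(("Type: ", "Subtype: ", "Result: ")):
            key, _, val = line.partition(": ")
            cur[key.lower()] = val.strip()
        elif line.startswith("static "):
            cur["static"] = line
        elif (m := HITS_RE.match(line)):
            cur["hits"] = (int(m[1]), int(m[2]))
    return phases

def nat_rules_hit(text):
    """Map each static statement to the (phase, Type/Subtype) pairs that referenced it."""
    seen = {}
    for p in parse_phases(text):
        if p.get("type") in ("NAT", "UN-NAT") and p["static"]:
            seen.setdefault(p["static"], []).append((p["phase"], p["type"] + "/" + p["subtype"]))
    return seen
```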
03-21-2016 02:48 PM
Mahesh
You wouldn't happen to have the firewall configuration would you ?
Not sure what the (DMZ,corp) NAT is doing.
I did think maybe the DMZ source IPs were being translated to something else but that doesn't seem to be the case.
Jon
03-21-2016 02:55 PM
Let me know what you want to see.
I can post it.
03-22-2016 08:56 AM
Mahesh
Sorry, I missed your reply.
If possible can you post the NAT configuration from the firewall.
Jon
03-22-2016 08:42 PM
Will try to do so, as this firewall has a lot of NAT config.
Regards
Mahesh
03-21-2016 09:43 PM
Hi Mahesh ,
By default static NAT is bidirectional (traffic can be initiated from inside or from outside until you disable the bidirectional behaviour).
BR ,
Mani