static NAT config from Destination to source

mahesh18
Level 6

Hi Everyone,

If the traffic flow is from the source interface DMZ to the destination interface inside, we create an ACL to allow the traffic.

Source IP 192.168.50.x

Destination IP is 10.50.50.x

But I saw on our client's ASA that I need the NAT below to make it work:

static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255

I need to know: is this normally done in networks?

Regards

Mahesh


Jon Marshall
Hall of Fame

Mahesh

Yes it is, with NAT in use, because for traffic to flow from a lower to a higher security level you need:

1) an ACL entry, as you say

2) a static NAT statement to translate the traffic.

Your statement simply doesn't translate the IP, but it is still needed.

Jon

Hi Jon,

Thanks for reply.

So if the traffic flow is from a low to a high security interface then I will need 2 NAT statements?

One from source to destination and the other from destination to source?

Regards

Mahesh

No, you only need that NAT statement, because a static NAT statement works both ways.

So if the traffic is sent from the inside to the DMZ the source IP is changed, and if traffic is sent from the DMZ to the inside the destination IP is changed.

Jon

So to make it work I can also use a NAT statement from DMZ to inside, right?

Instead of using a NAT statement from inside to DMZ?

Regards

Mahesh

No, the NAT has to be that way round.

Think of it like the static NAT statement you would use when you have a server in a DMZ and you want to give internet access to it.

You don't NAT the internet IPs coming in; you simply NAT the DMZ server IP to a public IP.

This is the same principle here; it's just that you are allowing access from the DMZ to the inside.

Jon

But when I run the packet tracer from source DMZ to inside it hits 2 NAT rules?

One is the static NAT which I configured; what is the other NAT rule then?

Regards

Mahesh

Don't know.

Can you post the packet tracer output?

Jon

Here is the output:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
nat-control
match ip inside host 10.50.50.1 DMZ any
static translation to 10.50.50.1
translate_hits = 0, untranslate_hits = 9
Additional Information:
NAT divert to egress interface inside
Untranslate 10.50.50.1/0 to 10.50.50.1/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_acl in interface DMZ
access-list DMZ_acl extended permit tcp host 192.168.50.1 any eq https log
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,Corp) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
nat-control
match ip DMZ 192.168.50.0 255.255.255.0 Corp any
static translation to 192.168.50.0
translate_hits = 7933173, untranslate_hits = 23054
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
nat-control
match ip inside host 10.50.50.1 DMZ any
static translation to 10.50.50.1
translate_hits = 0, untranslate_hits = 9
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
nat-control
match ip inside host 10.50.50.1 DMZ any
static translation to 10.50.50.1
translate_hits = 0, untranslate_hits = 9
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3804212927, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Regards

Mahesh
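To see how the NAT phases in the output above line up with the "works both ways" description earlier in the thread, here is an added Python helper (not from the thread or from Cisco) that parses pre-8.3 packet-tracer text, pulls out each static rule, and reports whether, for a given ingress interface, that rule would rewrite the source or the destination. The sample input is a constructed, trimmed excerpt of the output posted above; the interface names and the pre-8.3 `static (real,mapped) mapped_ip real_ip` reading are assumptions taken from that output.

```python
import re
# Constructed excerpt modelled on the packet-tracer output posted above (trimmed).
SAMPLE = """\
Phase: 2
Type: UN-NAT
Subtype: static
static (inside,DMZ) 10.50.50.1 10.50.50.1 netmask 255.255.255.255
translate_hits = 0, untranslate_hits = 9

Phase: 7
Type: NAT
Subtype: host-limits
static (DMZ,Corp) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
translate_hits = 7933173, untranslate_hits = 23054

Phase: 11
Type: FLOW-CREATION
"""
# Pre-8.3 syntax (assumed here): static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"static \(([\w-]+),([\w-]+)\) (\S+) (\S+) netmask (\S+)")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_phases(text):
    """One dict per Phase block, carrying the static rule and hit counters when present."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.lower(): v.strip() for k, sep, v in
                  (line.partition(":") for line in block.splitlines()) if sep}
        if m := STATIC_RE.search(block):
            real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
            fields["rule"] = dict(real_if=real_if, mapped_if=mapped_if, mapped_ip=mapped_ip,
                                  real_ip=real_ip, netmask=mask, identity=mapped_ip == real_ip)
        if h := HITS_RE.search(block):
            fields["translate_hits"], fields["untranslate_hits"] = map(int, h.groups())
        phases.append(fields)
    return phases

def nat_direction(rule, ingress_if):
    """Static NAT is bidirectional: rewrites source entering real_if, destination entering mapped_if."""
    if ingress_if == rule["real_if"]:
        return "source real->mapped"
    if ingress_if == rule["mapped_if"]:
        return "destination mapped->real"
    return "not applicable"

def nat_report(text, ingress_if):
    """(phase, type/subtype, direction, is_identity) for every phase that shows a static rule."""
    return [(p["phase"], p["type"] + "/" + p.get("subtype", ""), nat_direction(p["rule"], ingress_if),
             p["rule"]["identity"]) for p in parse_phases(text) if "rule" in p]
```

With ingress `DMZ`, the `(inside,DMZ)` rule shows up as a destination un-translation (the UN-NAT phase) and the `(DMZ,Corp)` rule as a source translation; both are identity rules, so neither changes an address.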

Mahesh

You wouldn't happen to have the firewall configuration, would you?

Not sure what the (DMZ,Corp) NAT is doing.

I did think maybe the DMZ source IPs were being translated to something else, but that doesn't seem to be the case.

Jon

Let me know what you want to see.

I can post it.

Mahesh

Sorry, I missed your reply.

If possible, can you post the NAT configuration from the firewall?

Jon

Will try to do so, as this firewall has a lot of NAT config.

Regards

Mahesh

Hi Mahesh,

By default static NAT is bidirectional (traffic can be initiated from inside or from outside until you disable the bidirectional behaviour).

BR,

Mani
