08-08-2012 07:08 PM - edited 03-11-2019 04:40 PM
Our ASA firewall with SW version 8.2 has three active interfaces: outside w/ security level 0, inside w/ security level 100 and local w/ security level 90. The server, IP 192.168.2.10, on the local interface needs to send print jobs to printers, IP addresses 172.20.4.30 and .31 located on the inside interface. The configuration below along with an access list on the local interface allows the server to print to the printers. I’m trying to get a grasp on the different NAT types and configurations and would appreciate a basic explanation of how this configuration works.
Thanks in advance.
Jeff
static (inside,local) 172.20.4.30 172.20.4.30
static (inside,local) 172.20.4.31 172.20.4.31
access-list printers_access permit tcp host 192.168.2.10 host 172.20.4.30 eq 9100
access-list printers_access permit tcp host 192.168.2.10 host 172.20.4.31 eq 9100
nat (local) 10 access-list printers_access
global (inside) 10 interface
08-12-2012 07:36 PM
Hello Jeff,
Here is the grasp of it. Normally at all companies, there is a regular PAT to go out to the internet. That would be something like this:
nat (inside) 1 0 0
global (outside) 1 interface
That being said, with this particular line (nat (inside) 1 0 0) you are practically forcing everything to be NATed, no matter where it goes.
In the particular case that you need to access the printers on the inside, there has to be a translation. Mainly because when the packet comes from local and gets to the inside, the reply packet will (again) try to find a translation given the command (nat (inside) 1 0 0).
To overcome this problem, self translation is created, just like the two lines you have here:
static (inside,local) 172.20.4.30 172.20.4.30
static (inside,local) 172.20.4.31 172.20.4.31
The static NATs take precedence over the regular NAT/PAT, so, when the reply packet comes in, instead of trying to match (nat (inside) 1 0 0), they will just hit the static (which translates them to themselves) and the communication flows fine.
Same thing with the ones on the DMZ interface; however, these ones are really particular. In case there is no default gateway configured on the printers, when a packet comes from the local interface, it will reach the printers with an IP of 192.168.2.10. In that case, the printers don't know how to return the packet (because they don't know the network and don't have a default gateway configured).
This is mainly why you will need to translate those "local" hosts to an IP that is free on the inside subnet. You know that the inside interface is not used for anything else, so it is ok that you translate those addresses on the local subnet to the inside IP address of the firewall. With that configuration, packets will arrive at the printers with an IP address of a known host on the subnet, the printers reply to the inside IP address of the firewall, then the firewall untranslates the address to the host on the local interface and the communication will flow without issues.
Hope this makes it a bit clearer.
PS: (Some of the stuff explained is assumed, just like the fact that the printers may not have a default gateway or will not respond to something that is not sitting on the same subnet.)
Mike
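To make the rule precedence in the answer above concrete (static identity first, then the access-list policy NAT, then the regular nat/global pair), here is a small Python model of how Jeff's lines are consulted for a new connection. This is an added example, not Cisco code and not a full ASA NAT engine; the inside interface address 172.20.4.1 and the outside placeholder are assumptions, as is the simplification that the printer-originated direction is evaluated as a new lookup.

```python
# Simplified model of the NAT order described in the answer for ASA 8.2:
# static (identity) first, then policy NAT, then regular nat/global. A nat id
# whose egress interface has no matching "global" line fails the translation.
from dataclasses import dataclass, replace

INSIDE_IF_IP = "172.20.4.1"  # assumed inside interface address (not given in the thread)

@dataclass(frozen=True)
class Pkt:
    in_if: str   # ingress interface
    out_if: str  # egress interface
    src: str
    dst: str
    dport: int

# static (real_if,mapped_if) mapped_ip real_ip : identity statics for the printers
STATICS = [("inside", "local", "172.20.4.30", "172.20.4.30"),
           ("inside", "local", "172.20.4.31", "172.20.4.31")]
# nat (local) 10 access-list printers_access : policy NAT keyed by (src, dst, dport)
POLICY_NAT = {("local", 10): {("192.168.2.10", "172.20.4.30", 9100),
                              ("192.168.2.10", "172.20.4.31", 9100)}}
# nat (inside) 1 0 0 : regular NAT id 1 for any inside source
REGULAR_NAT = {"inside": 1}
# global (<if>) <id> interface : PAT to the egress interface address (outside IP is a placeholder)
GLOBALS = {("inside", 10): INSIDE_IF_IP, ("outside", 1): "OUTSIDE_IF_IP_PLACEHOLDER"}

def translate(p, statics=STATICS):
    """Return (rule, translated packet) for a new connection, or (reason, None) if dropped."""
    # 1. Static rules are consulted before any nat/global pair.
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        if (p.in_if, p.out_if, p.src) == (real_if, mapped_if, real_ip):
            return "static", replace(p, src=mapped_ip)   # identity: source stays as it is
        if (p.in_if, p.out_if, p.dst) == (mapped_if, real_if, mapped_ip):
            p = replace(p, dst=real_ip)   # destination side of the static; source still needs a rule
    # 2. Policy NAT (access-list driven) for the matching ingress interface.
    for (nat_if, nat_id), flows in POLICY_NAT.items():
        if p.in_if == nat_if and (p.src, p.dst, p.dport) in flows:
            return _apply_global(p, nat_id, "policy-nat")
    # 3. Regular NAT for the ingress interface.
    if p.in_if in REGULAR_NAT:
        return _apply_global(p, REGULAR_NAT[p.in_if], "nat-1-0-0")
    return "untranslated", p

def _apply_global(p, nat_id, rule):
    mapped = GLOBALS.get((p.out_if, nat_id))
    if mapped is None:   # the failure the answer describes for traffic hitting nat (inside) 1 0 0
        return "drop: no translation group found", None
    return rule, replace(p, src=mapped)
```

Running the server's print job through the model shows its source PATed to the inside interface address, while a printer-originated flow toward local hits the identity static and passes untranslated; remove the statics and the same flow matches nat (inside) 1 0 0 with no global on local and is dropped.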
08-14-2012 08:23 AM
Mike,
Thank you for the explanation as it helped a lot. My problem has been the understanding of static identity NAT:
static (inside,local) 172.20.4.30 172.20.4.30. I'm still a little fuzzy as to its use and when to use it. I'm also trying to get a grasp on when to use which NAT type, as I'm good with the basics of dynamic NAT and PAT as would be used for Internet access from an inside network.
Thanks,
Jeff