04-25-2012 04:42 AM - edited 03-11-2019 03:57 PM
Hi,
I have a ASA with Inside (10.1.1.1/24) & DMZ (10.2.2.1/24) Interfaces.
I need to access one of server in DMZ (10.2.2.10) from Inside using NAT.
I have following NAT command entered
static (dmz,inside)10.1.1.10 10.2.2.10
is this syntax correct. If yes, how it is different from following command
static (inside,dmz) 10.2.2.10 10.1.1.10
04-25-2012 05:20 AM
Hi Shivaji,
There is nothing wrong with either of the two commands. It depends on what you are trying to do:
static (real_interface,nated_interface) translation_ip translated_ip
In the first case :
static (dmz,inside)10.1.1.10 10.2.2.10
The host that will be translated is in the DMZ and has the IP 10.2.2.10; it will be translated in the INSIDE as 10.1.1.10.
The second case :
static (inside,dmz) 10.2.2.10 10.1.1.10
The host that will be translated is in the INSIDE and has the IP 10.1.1.10; it will be translated in the DMZ as 10.2.2.10.
Dan
04-25-2012 05:58 AM
Hi Dan ,
Thanks,
Is there any restriction, like the real_interface should be of a higher security level than the nated_interface?
04-25-2012 06:07 AM
Hi ,
My pleasure.
There is no restriction regarding the real_interface.
But depending on your software version there is a requirement. In some versions it is called NAT-CONTROL.
NAT-CONTROL requires that traffic from a higher security level to a lower security level be source NATed in order to be permitted; likewise, from a lower to a higher level the traffic should have its destination translated. Historically speaking, on PIX this requirement could not be disabled and you had to do identity NAT. Nat-control appeared in software version 7.x and has since disappeared, so if you are using an 8.4 software version nat-control is not present.
Dan
04-25-2012 06:07 AM
Hello,
static (dmz,inside)10.1.1.10 10.2.2.10
When a packet with destination IP 10.1.1.10 reaches the inside interface of the ASA, it is redirected to 10.2.2.10 on the DMZ.
static (inside,dmz) 10.2.2.10 10.1.1.10
When a packet with destination IP 10.2.2.10 hits the DMZ, it is redirected to 10.1.1.10 on the inside.
Thanks & Regards
Mohammed Imran
04-25-2012 06:11 AM
Hi Mohammed,
My understanding of static NAT is that it is bidirectional, so it does not matter where the packet was received.
Are you saying that this is not the case?
Dan
04-27-2012 09:07 AM
Dan,
It's kind of the case. Basically one method translates (presents) the source IP and the other the destination IP.
jon.marshall explains it here:
https://supportforums.cisco.com/thread/239441
ryan
04-27-2012 09:44 AM
Hi Ryan ,
Thank you for the link.
My post was directed to the fact that the static nat does not change only the DESTINATION.
As you can see in my last post , the static nat is bidirectional. This means that taking for example
static (dmz,inside)10.1.1.10 10.2.2.10
- if the traffic has been initiated from the DMZ, it changes the SOURCE.
- if the traffic has been initiated from the INSIDE, it changes the DESTINATION.
So the static NAT translates both source OR destination , depending on where the packet was initiated.
Dan
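The bidirectional behaviour Dan describes, modelled as an added example (not code from the thread or from Cisco): a small simulator of the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip` entry. The `Static`, `Packet`, `parse_static` and `translate` names are mine; the two commands and addresses are the ones from the thread.

```python
"""Model of pre-8.3 Cisco ASA 'static' NAT semantics (added example, not the
thread's or Cisco's code). One entry rewrites the SOURCE of connections
started on the real interface and the DESTINATION of connections started on
the mapped interface, which is why a single static is bidirectional."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Static:
    real_ifc: str    # interface where the real host lives
    mapped_ifc: str  # interface on which the mapped address is visible
    mapped_ip: str   # address seen by hosts on mapped_ifc
    real_ip: str     # actual host address on real_ifc


def parse_static(line: str) -> Static:
    """Parse 'static (dmz,inside)10.1.1.10 10.2.2.10' (space after ')' optional)."""
    head, _, rest = line.partition("(")
    if head.strip() != "static":
        raise ValueError(f"not a static command: {line!r}")
    ifcs, _, ips = rest.partition(")")
    real_ifc, mapped_ifc = (s.strip() for s in ifcs.split(","))
    mapped_ip, real_ip = ips.split()  # first address is the mapped one
    return Static(real_ifc, mapped_ifc, mapped_ip, real_ip)


@dataclass(frozen=True)
class Packet:
    ingress_ifc: str  # interface the first packet of the connection arrived on
    src: str
    dst: str


def translate(entry: Static, pkt: Packet) -> Packet:
    """Apply one static entry to the first packet of a new connection."""
    if pkt.ingress_ifc == entry.real_ifc and pkt.src == entry.real_ip:
        # initiated by the real host: its source becomes the mapped address
        return replace(pkt, src=entry.mapped_ip)
    if pkt.ingress_ifc == entry.mapped_ifc and pkt.dst == entry.mapped_ip:
        # initiated toward the mapped address: destination becomes the real host
        return replace(pkt, dst=entry.real_ip)
    return pkt  # entry does not match this connection


if __name__ == "__main__":
    s = parse_static("static (dmz,inside)10.1.1.10 10.2.2.10")
    # constructed sample hosts: 10.1.1.50 on inside talks to the mapped address
    print(translate(s, Packet("inside", "10.1.1.50", "10.1.1.10")))  # dst -> 10.2.2.10
    print(translate(s, Packet("dmz", "10.2.2.10", "10.1.1.50")))    # src -> 10.1.1.10
```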