
Static NAT on ASA query

marcusbrutus
Level 1

Hi,

Given the below setting:

static (dmz,outside) 33.33.33.1 10.0.0.1 netmask 255.255.255.255

If a packet comes from the inside to destination 33.33.33.1, how will the inspection and traffic flow go?

I am thinking that the firewall, upon receipt of the packet from an inside host, will forward the packet to the outside interface. Upon reaching the outside interface, since there is no ACL applied on the outside that will allow inside IP addresses to enter the DMZ zone, the packet gets dropped.

Is the above analysis correct?

Thanks.


3 Replies

Maykol Rojas
Cisco Employee

Hello,

Mike here, I hope you are doing great. Not exactly. You will be able to access that resource only if you run DNS doctoring; otherwise what you will be doing will be a hairpin on the outside interface, which is not allowed on the firewall. My suggestion, if you want to access this host that is on the DMZ with the mapped IP, is to configure something like this:

static (dmz,inside) 33.33.33.1 10.0.0.1 netmask 255.255.255.255

That way you will be able to access that resource with the mapped IP instead of using the private one. Here is a document for reference.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Hope it helps.

Mike


Hi Maykol,

Thanks for the reply.

If I have both configurations running on the firewall, will it work?

static (dmz,outside) 33.33.33.1 10.0.0.1 netmask 255.255.255.255

static (dmz,inside) 33.33.33.1 10.0.0.1 netmask 255.255.255.255

Thanks again.

Hello,

Sure, there will be no problem.

Try it out and let us know.

Thanks!

Mike
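
Added example (not part of the original thread and not Cisco code): a simplified Python model of the point made in the replies above, that a `static (real_ifc,mapped_ifc)` entry only un-translates the mapped address for packets arriving on its mapped interface. The function names and the matching logic are assumptions made for illustration; the model ignores ACLs, routing and security levels.

```python
import ipaddress
import re

# Matches the static NAT form used in the thread:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")

def parse_statics(config):
    """Return one dict per static line; any other line is ignored."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
        rules.append({
            "real_if": real_if,
            "mapped_if": mapped_if,
            "mapped": ipaddress.ip_network(f"{mapped_ip}/{mask}"),
            "real": ipaddress.ip_network(f"{real_ip}/{mask}"),
        })
    return rules

def untranslate(rules, ingress_if, dst_ip):
    """Model destination un-NAT for a packet arriving on ingress_if.

    Returns (real_if, real_ip) when a static whose mapped interface is
    ingress_if covers dst_ip, else None (no static applies there).
    """
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["mapped_if"] == ingress_if and dst in r["mapped"]:
            offset = int(dst) - int(r["mapped"].network_address)
            return r["real_if"], str(r["real"].network_address + offset)
    return None

# The two statics quoted in the thread.
OUTSIDE_ONLY = "static (dmz,outside) 33.33.33.1 10.0.0.1 netmask 255.255.255.255"
BOTH = OUTSIDE_ONLY + "\nstatic (dmz,inside) 33.33.33.1 10.0.0.1 netmask 255.255.255.255"

if __name__ == "__main__":
    for name, cfg in (("outside only", OUTSIDE_ONLY), ("both", BOTH)):
        rules = parse_statics(cfg)
        for ifc in ("outside", "inside"):
            print(f"{name:12} ingress={ifc:8}", untranslate(rules, ifc, "33.33.33.1"))
```

With only the `(dmz,outside)` static, the model finds no translation for a packet entering on the inside interface; with both statics present, the same destination resolves to 10.0.0.1 on the dmz interface from either side.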