
Static Taboo?

CSCO10286506
Level 1

Ok, so I have a question and no lab... I have a DMZ segment on my ASA and it's 10.10.25.0, for example. I have a PC that I need to advertise into this segment, and I don't want to advertise it as itself, and I don't want to advertise it as something on the .25 either, so let's say I use 10.11.11.30. So my question is... if I do this and put in the appropriate ACL, would something on the DMZ be able to talk to the .11.30 I put in the DMZ?

example

10.10.1.20 (workstation on the inside) advertised into the DMZ as 10.11.11.30 (static representation in the DMZ)

static (inside,dmz) 10.11.11.30 10.10.1.20 netmask 255.255.255.255

thanks

rob

3 Replies

mirober2
Cisco Employee

Hi Rob,

If I understand your requirements, then that config will work for you. The hosts in the DMZ will send traffic to 10.11.11.30 and the ASA will receive this, untranslate the address to 10.10.1.20, and send it on to the PC off the inside interface. As you mentioned, just make sure you have the appropriate ACLs to allow this.

Hope that helps.

-Mike

Thanks Mike,

I couldn't see why it wouldn't, but I have seen that not pan out in the past when I would assume things, so I figured I would bounce it off the community. I appreciate the response.

thanks

rob

Hi Rob,

No problem. If it doesn't work, go ahead and post sanitized copies of your NAT and ACL config so we can see what is wrong. Also, you can use the packet-tracer command to make sure all of the correct rules are being matched:

packet-tracer input dmz tcp <dmz-host-ip> 12345 10.11.11.30 <dest-port>

Packet captures are also useful so you can see exactly where a flow is failing. Beyond that, we would need to make sure the DMZ hosts are getting the correct MAC address (i.e. make sure that the ASA has proxy ARP enabled).

-Mike
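The config Mike describes in the two replies above, written out end to end as an added example (this is not from the original thread or from Cisco): the static translation, the ACL that permits DMZ hosts to reach the mapped address, and the verification commands. The DMZ host 10.10.25.50, the published service TCP/443, the object name and the ACL name are assumptions made for the example. The pre-8.3 block uses the `static` syntax from Rob's post; the second block is the equivalent on ASA 8.3 and later, where NAT is configured on network objects and access lists match the real (untranslated) address instead of the mapped one.

```cisco
! Added example, not from the original thread. Assumed: DMZ subnet
! 10.10.25.0/24, inside PC 10.10.1.20, mapped address 10.11.11.30,
! published service TCP/443. Object and ACL names are made up.

! ---- ASA 8.2 and earlier (the syntax used in the thread) ----
! Present inside host 10.10.1.20 on the dmz interface as 10.11.11.30.
static (inside,dmz) 10.11.11.30 10.10.1.20 netmask 255.255.255.255
! Pre-8.3 ACLs on the ingress interface match the MAPPED address.
access-list dmz_in extended permit tcp 10.10.25.0 255.255.255.0 host 10.11.11.30 eq 443
access-group dmz_in in interface dmz

! ---- ASA 8.3 and later (equivalent object NAT) ----
object network inside_pc
 host 10.10.1.20
 nat (inside,dmz) static 10.11.11.30
! 8.3+ ACLs match the REAL address, so the rule names 10.10.1.20.
access-list dmz_in extended permit tcp 10.10.25.0 255.255.255.0 host 10.10.1.20 eq 443
access-group dmz_in in interface dmz

! ---- Verification (either version) ----
! Simulate an assumed DMZ host 10.10.25.50 connecting to the mapped
! address; the UN-NAT and ACCESS-LIST phases should show the rules above.
packet-tracer input dmz tcp 10.10.25.50 12345 10.11.11.30 443 detailed
! Confirm the static translation is installed.
show xlate | include 10.11.11.30
```

Two checks worth doing before blaming the NAT rule: `packet-tracer` must end with `Action: allow`, and the ACL phase must show the `dmz_in` entry rather than the implicit deny. On the ARP point Mike raises, note that 10.11.11.30 is not inside the 10.10.25.0/24 DMZ subnet, so DMZ hosts will not ARP for it directly; they send the packet to their default gateway. If that gateway is the ASA's dmz interface, proxy ARP never comes into play; if it is another router, that router needs a route for 10.11.11.30 pointing at the ASA.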
