12-21-2012 03:00 PM - edited 03-11-2019 05:40 PM
Recently upgraded to an ASA 5512-X from a PIX 515E. I have an Ipswitch secure MOVEit server on the dmz1 interface that needs to be accessed from both the inside and outside interfaces. I have set up a static NAT from the outside to the dmz1 and it works; I can also connect from the inside interface. Now I need the MOVEit server to access the DNS server and email server on the inside interface so it can send notifications. On the PIX I just created a static from the inside to the dmz1 using its own IP address: static (inside,dmz1) 192.168.1.7 192.168.1.7 netmask 255.255.255.255. I would then add the access-list to allow it. How would I set this up with the ASA 8.6 commands?
12-22-2012 09:34 AM
Hi,
The default operation of the new ASAs/software is that you don't configure NAT if you don't need one.
So if, for example, you have the following interfaces
If you want the lan1, lan2 and dmz to communicate with each other using the actual IP addresses, you don't configure any type of NAT between them (not even the ones that you used to do with the old software with the "static" commands).
The only situations where I have configured Twice NAT are when I have configured a L2L VPN or when some old 8.2 or lower software Policy NAT has been migrated.
So to my understanding you would probably have a new type of Static NAT for the dmz1 server towards outside
object network DMZ-STATIC
 host 192.168.1.7
 nat (dmz1,outside) static x.x.x.x dns
For the same server to communicate with other networks behind the firewall (LAN networks) you shouldn't really need any additional NAT configurations. Only have the access-rules permit the traffic if they don't already do so.
You can always post some configurations if you want someone to take a look through them.
- Jouni
12-21-2012 03:29 PM
Hello Donald,
If you want to have identity nat you can use the following syntax:
nat (inside,dmz1) source static obj-192.168.1.7 obj-192.168.1.7 destination static obj-remote-net obj-remote-net
Best Regards,
Eugene
12-22-2012 06:12 AM
It's a common mistake to forget adding 'route-lookup' and 'no-proxy-arp' to such identity NAT statements. From 8.4 you can experience strange errors if you don't use them.
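Pulling the replies together as one worked configuration (added here, not posted by anyone in the thread): Jouni's object NAT of the MOVEit server toward outside, the dmz1-to-inside access rule that his answer says is all you really need, and the identity twice NAT from Eugene's reply with the route-lookup and no-proxy-arp keywords from the comment above, used only when some other NAT rule would otherwise catch the dmz1-to-inside traffic. The inside DNS and mail server addresses (10.0.0.53, 10.0.0.25), the inside subnet 10.0.0.0/24 and the public address 203.0.113.10 are constructed placeholders; 192.168.1.7 and the interface names come from the thread.

```cisco
! --- MOVEit server on dmz1 (address from the thread) ---
object network DMZ-STATIC
 host 192.168.1.7
 ! Object NAT to the public address (203.0.113.10 is a placeholder).
 ! "dns" rewrites A records in DNS replies that pass through the ASA,
 ! so inside hosts resolving the public name get the real DMZ address.
 nat (dmz1,outside) static 203.0.113.10 dns

! --- Inside servers the MOVEit box must reach (constructed addresses) ---
object network INSIDE-DNS
 host 10.0.0.53
object network INSIDE-MAIL
 host 10.0.0.25
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0

! --- dmz1 -> inside goes from lower to higher security, so it needs an
! explicit permit; limit it to what notifications need (DNS and SMTP).
access-list DMZ1-IN extended permit udp object DMZ-STATIC object INSIDE-DNS eq domain
access-list DMZ1-IN extended permit tcp object DMZ-STATIC object INSIDE-DNS eq domain
access-list DMZ1-IN extended permit tcp object DMZ-STATIC object INSIDE-MAIL eq smtp
! Everything else from dmz1 toward inside falls to the implicit deny.
! Applying this replaces any ACL already bound inbound on dmz1.
access-group DMZ1-IN in interface dmz1

! --- Optional: identity (twice) NAT, as in Eugene's reply ---
! Only needed if another NAT rule (e.g. a dynamic rule whose mapped
! interface is "any") would otherwise translate dmz1 -> inside traffic.
! Manual NAT is matched before object NAT, so this keeps the server's
! real address toward inside without touching the static to outside.
! route-lookup: choose the egress interface from the routing table rather
! than from the NAT rule; no-proxy-arp: do not answer ARP for the mapped
! address on the inside segment.
nat (dmz1,inside) source static DMZ-STATIC DMZ-STATIC destination static INSIDE-NET INSIDE-NET no-proxy-arp route-lookup
```

Because the identity rule and the object NAT name different interface pairs, the dmz1-to-outside static is unaffected, which is the concern raised in the follow-up question.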
12-22-2012 07:09 AM
Just to make sure, this wouldn't interfere with another static NAT I have coming in from the outside to the same internal IP address of 192.168.1.7? It looks like you're using twice NAT, correct?
12-23-2012 05:47 AM
Correct, works great. A lot easier to use the new ASA. Just need to learn the syntax. Thank you.