Static translation from DMZ to inside on ASA 8.6

dkemptonmcs
Level 1

Recently upgraded to an ASA 5512-X from a PIX 515E. I have an Ipswitch secure MOVEit server on the dmz1 interface that needs to be accessed from both the inside and outside interfaces. I have set up a static NAT from the outside to the dmz1 and it works; I can also connect from the inside interface. Now I need the MOVEit server to access the DNS server and email server on the inside interface so it can send notifications. On the PIX I just created a static from the inside to the dmz1 using its own IP address: static (inside,dmz1) 192.168.1.7 192.168.1.7 netmask 255.255.255.255. I would then add the access-list to allow it. How would I set this up with the ASA 8.6 commands?


Accepted Solution

Hi,

The default operation of the new ASAs/software is that you don't configure NAT if you don't need one.

So if you for example have the following interfaces

  • outside
  • lan1
  • lan2
  • dmz

If you want lan1, lan2 and dmz to communicate with each other with the actual IP addresses, you don't configure any type of NAT between them (not even the ones that you used to do with the old software with the "static" commands).

The only situations where I have configured Twice NAT are when I have configured an L2L VPN or when some old Policy NAT from 8.2 or earlier software has been migrated.

So to my understanding you would probably have a new type of Static NAT for the dmz1 server towards outside:

object network DMZ-STATIC
 host 192.168.1.7
 nat (dmz1,outside) static x.x.x.x dns

For the same server to communicate with other networks behind the firewall (LAN networks) you shouldn't really need any additional NAT configuration. Just have the access rules permit the traffic if they don't already do so.

You can always post some configurations if you want someone to take a look through them.

- Jouni


5 Replies

Eugene Korneychuk
Cisco Employee

Hello Donald,

If you want to have identity nat you can use the following syntax:

nat (inside,dmz1) source static obj-192.168.1.7 obj-192.168.1.7 destination static obj-remote-net obj-remote-net

Best Regards,

Eugene

It's a common mistake to forget adding 'route-lookup' and 'no-proxy-arp' to such identity NAT statements. From 8.4 you can experience strange errors if you don't use them.

Just to make sure, this wouldn't interfere with another static NAT I have coming in from the outside to the same internal IP address of 192.168.1.7? It looks like you're using Twice NAT, correct?


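Jouni's accepted answer and Eugene's identity Twice NAT reply (with the route-lookup / no-proxy-arp note), written out together as a complete ASA 8.4/8.6-style configuration for the scenario in the question. This is an added example, not configuration posted in the original thread: the interface names outside, inside and dmz1 and the server address 192.168.1.7 are the original poster's, while the public address 203.0.113.10, the inside subnet 10.0.0.0/24 and the DNS and mail server addresses 10.0.0.53 and 10.0.0.25 are assumed placeholders.

```text
! Added example, not from the original thread. Interface names and 192.168.1.7
! are from the question; 203.0.113.10, 10.0.0.0/24, 10.0.0.53 and 10.0.0.25 are
! assumed placeholders.

! 1. The DMZ server and its only NAT rule: a static object NAT toward outside.
!    Object NAT is bidirectional: inbound connections to 203.0.113.10 are
!    untranslated to 192.168.1.7, and the server's own traffic to the Internet
!    is translated to 203.0.113.10. The "dns" keyword rewrites the mapped
!    address in matching DNS replies that cross this NAT back to the real one.
object network MOVEIT-SERVER
 host 192.168.1.7
 nat (dmz1,outside) static 203.0.113.10 dns

! 2. Inside servers the DMZ host must reach for notifications. No NAT is
!    configured between dmz1 and inside: on 8.3+ traffic matching no nat rule
!    is routed with its real addresses, which is all the old identity
!    "static (inside,dmz1) x x" ever achieved.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
object network INSIDE-DNS
 host 10.0.0.53
object network INSIDE-MAIL
 host 10.0.0.25
object-group network INSIDE-SERVERS
 network-object object INSIDE-DNS
 network-object object INSIDE-MAIL

! 3. dmz1 has a lower security level than inside, so dmz1-to-inside traffic is
!    denied until an access rule permits it. Allow only DNS and SMTP from the
!    one server. Caveat: binding any ACL to dmz1 also removes the implicit
!    permit for dmz1-to-outside traffic, so the DMZ's Internet access has to be
!    re-permitted explicitly (last rule), after an explicit, logged deny into
!    the inside network.
access-list DMZ1_IN extended permit udp object MOVEIT-SERVER object INSIDE-DNS eq domain
access-list DMZ1_IN extended permit tcp object MOVEIT-SERVER object INSIDE-DNS eq domain
access-list DMZ1_IN extended permit tcp object MOVEIT-SERVER object INSIDE-MAIL eq smtp
access-list DMZ1_IN extended deny ip any object INSIDE-NET log
access-list DMZ1_IN extended permit ip object MOVEIT-SERVER any
access-group DMZ1_IN in interface dmz1

! 4. Optional: the identity Twice NAT rule from Eugene's reply, needed only if
!    some other NAT rule (typically a VPN or a migrated 8.2 policy NAT) would
!    otherwise catch dmz1-to-inside traffic. The first interface in the pair is
!    the one where the source object's real address lives. "route-lookup" makes
!    the ASA choose the egress interface from the routing table rather than
!    from the NAT rule, and "no-proxy-arp" stops it answering ARP for the
!    mapped (here identical) addresses; both are only valid because the real
!    and mapped objects are the same.
nat (dmz1,inside) source static MOVEIT-SERVER MOVEIT-SERVER destination static INSIDE-SERVERS INSIDE-SERVERS no-proxy-arp route-lookup
```

To verify, `show nat detail` shows the translate_hits / untranslate_hits counters per rule, and `packet-tracer input dmz1 udp 192.168.1.7 40000 10.0.0.53 53` walks a synthetic packet through the ACL and NAT phases and reports which rule allowed or dropped it, which is the quickest way to confirm that the object NAT toward outside does not interfere with the untranslated dmz1-to-inside path.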

Correct, works great. A lot easier to use the new ASA. Just need to learn the syntax. Thank you.

