Why would I NAT to the same IP?

raimj
Level 1

Hi Guys,

I am looking at the config on an ASA for someone, and what I am seeing is a lot of static NATing of the same subnets between different zones, like:

static (dialdmz,dmz) 10.32.144.0 10.32.144.0 netmask 255.255.255.0

static (dialdmz,dmz) 10.32.145.0 10.32.145.0 netmask 255.255.255.0

static (dialdmz,dmz) 10.128.107.0 10.128.107.0 netmask 255.255.255.0

static (dialdmz,dmz) 10.128.12.0 10.128.12.0 netmask 255.255.254.0

Yet dialdmz, for example, is on a totally different subnet (192.x.x.x). I haven't seen this type of config before; can anybody explain the purpose of this?

Thank you in anticipation,

MJ.

5 Replies

Shrikant Sundaresh
Cisco Employee

Hi MJ,

When nat-control is enabled, traffic going from a higher security level to a lower security level must be NATed.

So instead of looking for a new subnet to NAT to, this configuration is done to allow traffic to pass between interfaces as itself.

I hope this helps. Please feel free to post any further queries if you have.

-Shrikant

PS: Please mark the question resolved, if you feel it has been answered. Do rate helpful posts. Thanks.

But the question is that dialdmz is in a totally different subnet, say 192.168.1.x/24, and dmz is in 192.168.2.x/24,

so NATing like static (dialdmz,dmz) 10.32.148.64 10.32.148.64 netmask 255.255.255.192

will have no effect on inter-interface traffic?

I am still confused.

Thanks

Yudong Wu
Level 7

When nat-control is enabled, you must have a NAT entry to match the traffic.

If the traffic is initiated from the low security side to the high security side, you must have a static NAT entry or NAT 0 accordingly.

So your static configuration will

1. Let hosts on the "dmz" side initiate traffic to the "dialdmz" side (I am assuming dialdmz has a higher security level than the dmz interface) using the same IP on dialdmz. (The traffic needs to be permitted by the ACL on the dmz interface as well.)

2. For traffic from dialdmz to dmz, the source IP of the packet will stay the same if it matches those static NAT entries.
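As an added example, not part of the thread, here is a small Python script that a config reviewer could run over `static` lines like the ones quoted above. It separates identity statics (mapped address equals real address, so traffic crosses the interface pair unchanged, as Shrikant and Yudong describe) from translating ones, checks that each address is aligned to its netmask, looks for overlapping mapped ranges on the same interface pair, and lists, per lower-security interface, the real-address ranges an inbound ACL there would have to permit for initiation toward the higher-security side. The sample config is constructed from the thread's entries plus hypothetical `inside`/`outside` translating entries and one deliberately misaligned host entry for contrast; the `static (real_if,mapped_if) mapped real netmask` syntax is the pre-8.3 form the thread uses.

```python
"""Review pre-8.3 ASA/FWSM 'static' lines for identity NAT entries."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the identity statics quoted in the thread, plus
# hypothetical inside/outside translating entries and one misaligned
# host entry (10.32.150.5 with a /24 mask) added here for contrast.
SAMPLE_CONFIG = """\
static (dialdmz,dmz) 10.32.144.0 10.32.144.0 netmask 255.255.255.0
static (dialdmz,dmz) 10.32.145.0 10.32.145.0 netmask 255.255.255.0
static (dialdmz,dmz) 10.128.107.0 10.128.107.0 netmask 255.255.255.0
static (dialdmz,dmz) 10.128.12.0 10.128.12.0 netmask 255.255.254.0
static (dialdmz,dmz) 10.32.148.64 10.32.148.64 netmask 255.255.255.192
static (dialdmz,dmz) 10.32.150.5 10.32.150.5 netmask 255.255.255.0
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 198.51.100.0 10.1.2.0 netmask 255.255.255.128
"""

# static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+)\s*,\s*(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)\s*$"
)


def parse_static(line):
    """Return a dict describing one static entry, or None for other lines."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    real_ip = ipaddress.ip_address(m["real"])
    mapped_ip = ipaddress.ip_address(m["mapped"])
    # strict=False accepts a host address with a subnet mask so it can be flagged.
    real_net = ipaddress.ip_network(f"{real_ip}/{m['mask']}", strict=False)
    mapped_net = ipaddress.ip_network(f"{mapped_ip}/{m['mask']}", strict=False)
    return {
        "line": line.strip(),
        "real_if": m["real_if"],
        "mapped_if": m["mapped_if"],
        "real": real_net,
        "mapped": mapped_net,
        # Identity NAT: mapped equals real, so the packet crosses the
        # interface pair with its address unchanged.
        "identity": real_ip == mapped_ip,
        # Aligned: both addresses are the network address for the given mask.
        "aligned": (real_ip == real_net.network_address
                    and mapped_ip == mapped_net.network_address),
    }


def analyse(config_text):
    """Summarise identity vs translating statics and common review findings."""
    entries = [e for e in map(parse_static, config_text.splitlines()) if e]
    identity = [e for e in entries if e["identity"]]
    translating = [e for e in entries if not e["identity"]]
    misaligned = [e["line"] for e in entries if not e["aligned"]]

    # Two statics on the same interface pair should not claim overlapping
    # mapped ranges; the later one would be shadowed.
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["real_if"], e["mapped_if"])].append(e)
    overlaps = []
    for pair, group in by_pair.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a["mapped"].overlaps(b["mapped"]):
                    overlaps.append((pair, str(a["mapped"]), str(b["mapped"])))

    # With identity NAT the mapped address an inbound ACL on the lower
    # security interface refers to is the real address itself, so these are
    # the ranges such an ACL must name to allow initiation toward real_if.
    acl_targets = defaultdict(list)
    for e in identity:
        acl_targets[e["mapped_if"]].append(str(e["real"]))

    return {
        "identity_count": len(identity),
        "translating_count": len(translating),
        "identity_hosts": sum(e["real"].num_addresses for e in identity),
        "misaligned": misaligned,
        "overlaps": overlaps,
        "acl_targets": dict(acl_targets),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the output of `show running-config static` (or a saved config) instead of the constructed sample; the `acl_targets` list is the quick way to cross-check that the ACL on the lower-security interface actually names every real range the identity statics expose.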

I understand the reason for this static NAT procedure from low to high security interfaces if nat-control is enabled, but it is not enabled on my FWSM, yet it is still required? Do you know the reason for that?

Or is there a command to check whether it is, as there is no indication in the contexts or the system?

Thanks

Simon

Hi Simon,

On an FWSM with multiple contexts, if two contexts share a particular interface, then a NAT rule classifies which context the traffic goes into. Hence it is important to have the static NAT rule.

The Classifier in multiple contexts classifies traffic on the basis of:

1. unique interface

2. unique MAC address

3. NAT translation

An FWSM has only one MAC address, so option 2 is never used in FWSM multi-context mode. So if the interface is not unique, you need a NAT translation to identify which traffic should go to which context.

Hope this helps.

P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.
