Help understanding this NAT concept

Zahan Al-Rashid
Level 1

Hi,

I am going through the book and came across the question below:

Given the following partial ASA configuration, with all translation slots cleared, to which address will host 10.0.0.101 be translated when initiating a session to web server 172.16.0.5 on the DMZ network?

access-list NO_NAT permit ip host 10.0.0.101 172.16.0.32 255.255.255.224

nat-control

nat (inside) 5 access-list NO_NAT

nat (inside) 1 10.0.0.0 255.255.255.0 tcp 0 0 udp 0

nat (inside) 2 0.0.0.0 0.0.0.0 tcp 0 0 udp 0

global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224

global (DMZ) 2 172.16.0.101-172.16.0.254 netmask 255.255.255.0

global (DMZ) 5 interface


The answer is that the NAT would fail, and I am not 100% sure why. Here is how I understand it:

The NO_NAT (NAT_ID 5) is an exemption rule to avoid natting when going to that address.

The NAT_ID 1:

nat (inside) 1 10.0.0.0 255.255.255.0 tcp 0 0 udp 0

global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224

is for the outside interface, so it does not apply in this case.

The NAT_ID 2:

nat (inside) 2 0.0.0.0 0.0.0.0 tcp 0 0 udp 0

global (DMZ) 2 172.16.0.101-172.16.0.254 netmask 255.255.255.0

Appears to NAT everything on the DMZ interface to 172.16.0.101-172.16.0.254 netmask 255.255.255.0; so once it is natted, should it be able to communicate with server 172.16.0.5 on the DMZ network?

3 Replies

Mohamed Sobair
Level 7

Yes, communication with the current config would fail!

You just need to correct it to the following if you need host 10.0.0.101 NOT to be natted when connecting to servers in the DMZ network:

nat (inside) 0 access-list NO_NAT

access-list NO_NAT permit ip host 10.0.0.101 host 172.16.0.5

Regards,

Mohamed

Hi,

Here is the list of answers, and D is the correct one:

a. 172.16.0.1 (the ASA DMZ interface IP)

b. 172.16.0.101

c. 209.165.200.235

d. None of these answers are correct because the translation attempt will fail.

But as I explained before wouldn't the config below NAT the address?

The NAT_ID 2:

nat (inside) 2 0.0.0.0 0.0.0.0 tcp 0 0 udp 0

global (DMZ) 2 172.16.0.101-172.16.0.254 netmask 255.255.255.0

Appears to NAT everything on the DMZ interface to 172.16.0.101-172.16.0.254 netmask 255.255.255.0; so once it is natted, should it be able to communicate with server 172.16.0.5 on the DMZ network? Why would the NAT attempt fail?
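The book's answer can be traced by modelling the pre-8.3 ASA selection order for dynamic NAT: a nat 0 access-list exemption first, then policy NAT (nat <id> access-list), then the most specific regular nat statement, after which the chosen ID still needs a global with the same ID on the egress interface. This is an added Python model, not code from the thread or from Cisco; the access-list, nat and global lines are the ones quoted in the question, and the DMZ interface address 172.16.0.1 is taken from answer (a).

```python
import ipaddress

# Constructed model of the partial ASA config quoted in the question (pre-8.3 syntax).
ACLS = {"NO_NAT": [("10.0.0.101/32", "172.16.0.32/27")]}   # (source, destination) entries
NAT = [("inside", 5, "acl", "NO_NAT"),        # nat (inside) 5 access-list NO_NAT (policy NAT)
       ("inside", 1, "net", "10.0.0.0/24"),    # nat (inside) 1 10.0.0.0 255.255.255.0
       ("inside", 2, "net", "0.0.0.0/0")]      # nat (inside) 2 0.0.0.0 0.0.0.0
GLOBALS = {("outside", 1): "209.165.200.235-209.165.200.254",
           ("DMZ", 2): "172.16.0.101-172.16.0.254",
           ("DMZ", 5): "interface"}
IF_ADDR = {"DMZ": "172.16.0.1"}   # DMZ interface address, taken from answer (a)

def acl_matches(name, src, dst):
    """True if any entry of the named ACL permits this source/destination pair."""
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in ACLS[name])

def pick_nat_id(src, dst, in_if):
    """Select the nat ID: nat 0 ACL first, then other ACL (policy) NAT, then the
    most specific regular nat network. Returns None when nothing matches."""
    acl_rules = [r for r in NAT if r[0] == in_if and r[2] == "acl"]
    for _, nid, _, name in sorted(acl_rules, key=lambda r: r[1] != 0):  # id 0 sorts first
        if acl_matches(name, src, dst):
            return nid
    cands = [(ipaddress.ip_network(v).prefixlen, nid) for iface, nid, kind, v in NAT
             if iface == in_if and kind == "net" and src in ipaddress.ip_network(v)]
    return max(cands)[1] if cands else None   # longest prefix wins

def translate(src_ip, dst_ip, in_if, out_if):
    """Return the mapped address, the unchanged source for an exemption, or None when
    nat-control leaves the connection without a translation (the book's answer D)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    nid = pick_nat_id(src, dst, in_if)
    if nid == 0:
        return src_ip                          # nat 0 access-list: exempt, passes untranslated
    pool = GLOBALS.get((out_if, nid)) if nid is not None else None
    if pool is None:
        return None                            # matched nat ID has no global on the egress interface
    if pool == "interface":
        return IF_ADDR[out_if]                 # global (DMZ) 5 interface -> PAT to interface address
    return pool.split("-")[0]                  # all slots cleared, so the first pool address is free

if __name__ == "__main__":
    # 172.16.0.5 lies outside 172.16.0.32/27, so NO_NAT does not match; nat 1 (the /24)
    # beats nat 2 (the /0), and there is no global (DMZ) 1, so the translation fails.
    print(translate("10.0.0.101", "172.16.0.5", "inside", "DMZ"))      # None
    print(translate("10.0.0.101", "172.16.0.40", "inside", "DMZ"))     # 172.16.0.1
```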

Hello,

The example illustrates natting the whole inside interface subnet when communicating with the DMZ. The NAT in this case wouldn't fail, and if the inside needs to access 172.16.0.5, it will be possible.

However, just make sure there is no overlapping of addresses from the source to the destination whenever NAT occurs!

Regards,

Mohamed