NAT Rule does not allow internet access

Mohamed Hamid
Level 1

Hi Guys

I have the following in place

internal network IP: 172.1.1.1

Natted to  DMZ IP of 192.1.1.1

I require that the internal machine is able to access the internet; however, this is not happening, and when checking the traffic logs I can see that it is down to the NAT rule. However, I require this NAT rule in place, as this allows authentication servers to communicate with a server in the internal network.

My question is how can I get the internal IP to browse the internet without removing the NAT rule?

Kind Regards

7 Replies

varrao
Level 10

Hi Mohammad,

What is the IOS version that you are using? Also, please share the NAT statement that you currently have.

Thanks,

Varun


If you are using an ASA pre-8.3 version, then add another global (outside) statement:

global (outside) 1 interface

If you are using a post-8.3 version, then:

object network 172.1.1.0_internal
  subnet 172.1.1.0 255.255.255.0
  nat (inside,outside) dynamic interface

Hope that helps.

Thanks,

Varun


Hi there

Thank you very much for your reply. I am using 8.2(5).

match ip internal host 172.1.1.1 DMZData any
    static translation to 192.1.1.1

I didn't quite understand your second reply? I am quite a newbie, so I do apologise; if the above can be done through ASDM it would be easier.

much appreciated

Hello Mohamed,

Please follow the example below. My internal network is "10.10.10.0/24"; as per the setup below, my internal network will have access to the internet, and if you want to allow any other network, all you have to do is add the other network address as the next entry in the "allownatout" ACL.

global (outside) 1 interface
nat (inside) 1 access-list allownatout
access-list allownatout extended permit ip 10.10.10.0 255.255.255.0 any

"internal network IP: 172.1.1.1 Natted to  DMZ IP of 192.1.1.1"

The above two IPs of yours are public IPs; they are not internal private IPs.

FYI...

http://en.wikipedia.org/wiki/Private_network

Thanks

Rizwan Rafeek

Hi Rizwan

They are indeed, but I didn't want to share the internal range; however, I will, as follows:

Internal: 10.0.0.0/23

DMZ: 192.168.9.1/24

The DMZ interface points to a Fortigate firewall, which is my external firewall.

Therefore all traffic from the Cisco PIX on the DMZ interface is indeed outside traffic. I have set my external firewall to accept all for now.

I have created an ACL to allow any to any IP on the internal network.

However, one of my servers has a NAT rule in place that allows visibility to the DMZ network. Because of this NAT rule it cannot browse the internet; however, it needs it for updates.

It is a static NAT rule, as follows:

match ip il2AHdata host 10.0.0.10 192.168.9.1 any
    static translation to 192.168.9.9

When I remove this NAT rule the server can access the internet as normal.

These are the current traffic logs:

|May 01 2012|14:06:13|302013|macserver01|52896|173.194.34.103|80|Built outbound TCP connection 256882 for dmzAHdata:173.194.34.103/80 (173.194.34.103/80) to il2AHdata:macserver01/52896 (192.168.9.9/52896)
6|May 01 2012|14:06:05|302013|macserver01|52865|173.194.34.102|80|Built outbound TCP connection 256879 for dmzAHdata:173.194.34.102/80 (173.194.34.102/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:05:33|302013|macserver01|52865|173.194.34.102|80|Built outbound TCP connection 256853 for dmzAHdata:173.194.34.102/80 (173.194.34.102/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:04:58|302013|macserver01|52865|173.194.34.102|80|Built outbound TCP connection 256821 for dmzAHdata:173.194.34.102/80 (173.194.34.102/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:04:50|302013|macserver01|52847|173.194.34.101|80|Built outbound TCP connection 256820 for dmzAHdata:173.194.34.101/80 (173.194.34.101/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)
6|May 01 2012|14:04:18|302013|macserver01|52847|173.194.34.101|80|Built outbound TCP connection 256689 for dmzAHdata:173.194.34.101/80 (173.194.34.101/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)
6|May 01 2012|14:03:43|302013|macserver01|52847|173.194.34.101|80|Built outbound TCP connection 256669 for dmzAHdata:173.194.34.101/80 (173.194.34.101/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)

You can see from the traffic logs that traffic is coming down to the NATted IP and not the real IP, and thus no internet.

Am I missing anything?

Kind Regards

"DMZ interface points to a Fortigate firewall which is my external firewall"

"Therefore all traffic from the Cisco PIX on the DMZ interface is indeed outside traffic, I have set my external firewall to accept all for now"

A DMZ is a perimeter network segment and is still considered an internal segment; however, your external firewall is connected to the DMZ interface of the PIX, and the DMZ perimeter segment has been treated like an outside to reach the internet cloud.

It is very difficult to analyze and troubleshoot this network.

Hi Rizwan

It's as follows:

Cisco ASA || DMZ || External Firewall

The Cisco has a port connected to the external firewall.

The internal server whose gateway is the Cisco is the only server that cannot access the internet, because of the NAT rule in place.

When I remove the NAT rule it accesses the internet fine.

On the internal IP port on the Cisco I have enabled an any to any IP ACL, and the same on the DMZ IP interface.

It seems like traffic is trying to go out to the internet through the NATed IP, but there is no response, as it does not know what to do with the NATted IP, I believe.
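An added illustration, not code from the thread: a small model of pre-8.3 ASA NAT precedence (exemption, then static, then policy dynamic, then regular dynamic; first match wins), populated with the rules quoted above. It shows why the static for 10.0.0.10 to "any" claims the internet-bound traffic before any nat/global pair can, and, as an assumed alternative, what a static scoped only to the 192.168.9.0/24 DMZ subnet would do; the "dmz-interface" mapped address and the dynamic rule's shape are assumptions for the example.

```python
import ipaddress

# Pre-8.3 ASA NAT lookup order (lower number is checked first; first match wins):
#   exempt (nat 0 access-list) -> static (regular and policy)
#   -> policy dynamic (nat ... access-list) -> regular dynamic (nat ... network)
ORDER = {"exempt": 0, "static": 1, "policy_dynamic": 2, "dynamic": 3}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


class NatRule:
    """One NAT rule: kind, real source network, destination scope, mapped address."""

    def __init__(self, kind, src, dst, mapped):
        self.kind, self.src, self.dst, self.mapped = kind, _net(src), _net(dst), mapped

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def translate(rules, src_ip, dst_ip):
    """Return (rule kind, mapped address) the ASA would pick, or None if no rule matches."""
    for rule in sorted(rules, key=lambda r: ORDER[r.kind]):  # sorted() is stable
        if rule.matches(src_ip, dst_ip):
            return rule.kind, rule.mapped
    return None


# Rules as posted: the static for host 10.0.0.10 matches destination "any".
# The dynamic rule mirrors Rizwan's nat (inside) 1 access-list / global (outside) 1
# interface pair for the 10.0.0.0/23 internal range (assumed for the example).
AS_POSTED = [
    NatRule("policy_dynamic", "10.0.0.0/23", "0.0.0.0/0", "dmz-interface"),
    NatRule("static", "10.0.0.10/32", "0.0.0.0/0", "192.168.9.9"),
]
# Assumed alternative: the same static limited to traffic destined for the DMZ subnet.
NARROWED = [
    NatRule("policy_dynamic", "10.0.0.0/23", "0.0.0.0/0", "dmz-interface"),
    NatRule("static", "10.0.0.10/32", "192.168.9.0/24", "192.168.9.9"),
]

if __name__ == "__main__":
    internet = "173.194.34.103"  # destination taken from the posted 302013 log lines
    print(translate(AS_POSTED, "10.0.0.10", internet))      # static wins: 192.168.9.9
    print(translate(NARROWED, "10.0.0.10", internet))       # dynamic rule now applies
    print(translate(NARROWED, "10.0.0.10", "192.168.9.1"))  # DMZ traffic still static
```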
