Best way to configure NAT - ASA 5520?

Aileron88
Level 1

Hi all,

If I have an ASA 5520 with an INSIDE interface, a DMZ interface and a WAN interface what would be the best way to configure NAT? If I configure nat-control and a nat (inside) 1 0.0.0.0 0.0.0.0 this will configure everything to be NAT'd when passing from the INSIDE interface out.

My question is what about the devices I want to access in the DMZ from the inside for management etc.? I'm guessing the ASA isn't smart enough to realise you're accessing hosts on its DMZ interface, so do you have to configure a nat 0 rule for every subnet within the DMZ you want to access, or is there an easier way to do it? It's worth noting that the same devices will be accessing the OUTSIDE network and the DMZ network from the INSIDE network.

Thanks,

Adam

6 Replies

andrew.prince
Level 10

Checkout code 8.3 - the nat rules have been changed.


Sorry I should have said, the firewall is on 7.2 and cannot be upgraded to version 8 as it does not have enough RAM.

Regards,

Adam

John Blakley
VIP Alumni

Adam,

You would configure NAT like you have, "nat (inside) 1 0 0", but you then would match that nat to a global statement, "global (outside) 1 interface". This would NAT all outbound traffic as whatever your public address is on the outside interface.

DMZ traffic, on the other hand, you wouldn't want to NAT between your LAN and DMZ, so you'd create an ACL and apply that to your nat 0. Suppose you have 10.10.10.0/24 on the inside and 192.168.1.0/24 in the DMZ. You would create an ACL and apply it to nat 0:

access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

For DMZ traffic to NAT out, you would also create a nat "1" for it to use the same global as your inside:

nat (dmz) 1 192.168.1.0 255.255.255.0

If you have other inside subnets like 172.50.50.0/24, you would just add them to your nonat ACL like above.

HTH, John *** Please rate all useful posts ***
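Putting John's pieces together into one 7.2-style configuration, as an added example rather than anything posted in the thread: it assumes the interface names inside/dmz/outside, the security levels 100/50/0 from later in the thread, the sample subnets 10.10.10.0/24 and 172.50.50.0/24 on the inside and 192.168.1.0/24 in the DMZ, and PAT to the outside interface address. The physical interface names are placeholders.

```cisco
! Added example, not the original poster's configuration. Interface names,
! security levels and subnets are assumptions taken from the thread.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
! Require a translation for every flow through the box (off by default on 7.2).
nat-control
!
! NAT exemption: inside <-> DMZ traffic keeps its real addresses. One ACE per
! inside subnet that must reach the DMZ; the DMZ side is the whole /24, so no
! per-host entries are needed.
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 172.50.50.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Everything else leaving inside or dmz is PAT'd to the outside interface
! address. The nat id (1) must match the global id on the egress interface.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
```

Two things worth knowing about this layout. The `nat (inside) 0 access-list` exemption is evaluated before the `nat (inside) 1` rule whatever order the lines appear in, so inside hosts reaching the DMZ are never pushed through the outside PAT. And because it is ACL-based NAT exemption rather than plain `nat (inside) 0 <net> <mask>` identity NAT, it permits connections initiated from either side, so a DMZ host can also open a connection to an inside address if the dmz interface ACL allows it; that is convenient for syslog or monitoring, but it also means the exemption alone does not isolate the DMZ. To confirm which rule a flow hits, use `show nat`, `show xlate`, and (from 7.2 onward) `packet-tracer input inside tcp 10.10.10.5 1025 192.168.1.10 22`, whose NAT phase should report the exemption rather than a dynamic translation.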

Aileron88
Level 1

Thanks for the concise reply. If INSIDE hosts match a 'no NAT' rule to the DMZ, I'm assuming they will still have to pass through the access lists I have configured inbound on the INSIDE?


That's correct. If you have a rule that denies telnet into the DMZ, or out from the inside anywhere, then it will be dropped before being NATed.

HTH, John *** Please rate all useful posts ***

Personally, if it were me, I would disable nat-control. Remember too that ACLs on an ASA depend on the direction of your traffic. For instance, say you have an outside interface at security level 0, an inside interface at 100, and let's say a DMZ interface at 50. You do not have to configure any ACLs for traffic going from a higher security level interface into a lower security level interface. Now, you can configure an ACL, but you don't have to. If you're going from a lower security level interface to a higher security level interface, you will have to configure an ACL, otherwise everything will be dropped by default.

Are you wanting your DMZ network to be nat'd to your inside hosts for security reasons?
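An added example of the ACL direction rules John describes, not part of the thread: it assumes the same inside (100), dmz (50) and outside (0) interfaces and subnets as above, an inside syslog collector at 10.10.10.20 and a DMZ web server at 192.168.1.10, both of which are hypothetical addresses chosen for illustration. Because the inside-to-DMZ traffic is NAT-exempt, both ACLs below are written against the real addresses.

```cisco
! Added example, not the original poster's configuration. Host addresses
! 10.10.10.20 and 192.168.1.10 are assumptions used for illustration.
!
! inside (100) -> dmz (50) and inside -> outside (0) are permitted by security
! level alone. Applying an ACL to the inside interface replaces that implicit
! permit, so after denying telnet everything else must be permitted explicitly.
access-list inside_in extended deny tcp any any eq telnet
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
!
! dmz (50) -> inside (100) is lower -> higher and is dropped unless an ACL
! permits it. Allow only syslog from the web server to the inside collector,
! block the rest of the DMZ from reaching inside address space, then keep
! dmz -> outside (50 -> 0) working, since this ACL now governs that too.
access-list dmz_in extended permit udp host 192.168.1.10 host 10.10.10.20 eq syslog
access-list dmz_in extended deny ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz_in extended deny ip 192.168.1.0 255.255.255.0 172.50.50.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

The explicit deny lines on dmz_in matter even though lower-to-higher traffic is dropped by default: the final `permit ip ... any` is there for DMZ-to-internet traffic, and without the denies before it that line would also admit a compromised DMZ host straight into the inside subnets through the NAT exemption. `show access-list dmz_in` shows hit counts per entry, and `packet-tracer input dmz tcp 192.168.1.10 1025 10.10.10.20 445` should end in a drop at the ACCESS-LIST phase.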
