03-20-2014 05:39 PM - edited 03-07-2019 06:48 PM
I have this configuration:
int g0
ip address 1.1.1.1 255.255.255.0
nameif inside
security-level 100
int g1
ip address 2.2.2.2 255.255.255.0
nameif outside
security-level 0
int g2
ip address 3.3.3.3 255.255.255.0
nameif DMZ
security-level 50
route outside 0.0.0.0 0.0.0.0 2.2.2.100
object network REAL
host 1.1.1.5
object network MAPPED
host 5.5.5.5
nat (inside,DMZ) source static any any destination static MAPPED REAL unidirectional
------------------
1.1.1.5 is a server in the DMZ. Its public IP address to the internet is 5.5.5.5. I want to be able to reach the server from the inside interface using its REAL and MAPPED IP addresses. Furthermore, I want to be able to reach hosts on the inside network from that server using the server's real IP address. So, I only want it NATted when the inside host is trying to communicate with the server using its public IP.
In ASA 8.4.2, I was able to use the nat statement above and got the behavior I wanted. The ASA would know that the destination interface is "DMZ", NAT the traffic, and send it directly to the server.
In ASA 9.1.2, this doesn't work. The ASA wants to use the default route, which tells it that the outgoing interface should be 'outside'. I had to do nat (inside,outside). But the problem with this is that now the ASA is NATting it and sending it to the next hop on the outside, which sends it back to the ASA. The ASA delivers it and it appears to work.
In my ASA 9.1.4 box, it also doesn't work. Also, it doesn't allow hosts on the inside to access the DMZ server using its real IP address anymore.
Does anyone have any insight regarding how to get ASA 9.1.2 to work like ASA 8.4?
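A small Python model of how the twice-NAT rule in the question is expected to match, added here as an illustration (it is not Cisco ASA code and was not posted by anyone in the thread): the inside-to-MAPPED flow is translated to REAL and sent out the rule's DMZ interface rather than the interface a route lookup would pick, and the unidirectional keyword leaves the server's own traffic to the inside untranslated. The hosts 1.1.1.10 and 8.8.8.8 and the subnet-to-interface table are constructed from the posted config.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed objects mirroring the configuration in the question.
REAL = ip_address("1.1.1.5")      # object network REAL
MAPPED = ip_address("5.5.5.5")    # object network MAPPED
CONNECTED = {                     # interface subnets from the posted config
    "inside": ip_network("1.1.1.0/24"),
    "outside": ip_network("2.2.2.0/24"),
    "DMZ": ip_network("3.3.3.0/24"),
}
DEFAULT_ROUTE_IFACE = "outside"   # route outside 0.0.0.0 0.0.0.0 2.2.2.100


@dataclass(frozen=True)
class TwiceNatRule:
    """nat (ingress,egress) source static any any destination static mapped real [unidirectional]"""
    ingress: str
    egress: str
    mapped_dst: IPv4Address
    real_dst: IPv4Address
    unidirectional: bool = False


RULE = TwiceNatRule("inside", "DMZ", MAPPED, REAL, unidirectional=True)


def route_lookup(dst: IPv4Address) -> str:
    """Egress interface for an untranslated packet: connected subnet first, else the default route."""
    for iface, net in CONNECTED.items():
        if dst in net:
            return iface
    return DEFAULT_ROUTE_IFACE


def forward(ingress: str, src: str, dst: str, rule: TwiceNatRule = RULE):
    """Return (src_after_nat, dst_after_nat, egress_iface) for the first packet of a connection."""
    s, d = ip_address(src), ip_address(dst)
    # Forward direction: packet enters the rule's ingress interface aimed at the mapped address.
    # The destination is untranslated to REAL and the egress interface comes from the rule
    # itself, not from the routing table; this is the 8.4 behaviour the poster describes.
    if ingress == rule.ingress and d == rule.mapped_dst:
        return src, str(rule.real_dst), rule.egress
    # Reverse direction: only a bidirectional rule rewrites the server's real source to MAPPED.
    if not rule.unidirectional and ingress == rule.egress and s == rule.real_dst:
        return str(rule.mapped_dst), dst, route_lookup(d)
    # No match: nothing is translated and the egress comes from an ordinary route lookup.
    return src, dst, route_lookup(d)
```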
03-20-2014 07:35 PM
As far as I am aware, there were no major NAT changes from 8.4 to 9.x, or at least I haven't seen them in the release notes. Have you tried opening a TAC case?
When you say that it's forcing you to use nat(inside,outside), how is it forcing that? I had a similar, but bidirectional, setup on a 9.14 ASA without any issues.
What's the requirement driving the need to access the server via both its real and mapped IP?
Regards,
Mike
03-20-2014 09:17 PM
I have not opened a case yet. I will tomorrow.
I meant the situation is forcing me to use nat(inside,outside) because nat(inside,DMZ) syntax is not working as expected.
We have another subnet behind the inside interface where the hosts are using a DNS server on the internet. Therefore, the IP address for the server resolves to its external IP.