Inside to DMZ static nat for host

Unanswered Question
Jun 12th, 2008
User Badges:

I have just a general question about the routing on firewall interfaces.


If I have a firewall inside interface 10.1.1.1


And my DMZ is 192.168.1.1


Say I have a host in the DMZ 192.168.1.100.


My workstation is 10.1.1.100 and I am using the firewall inside interface as my default gateway.



I should have a one to one access-list for:


static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0


When this is done, my understanding is that the DMZ host will see my workstation on the 10.1.1.0 network.


But,


If the above is all true (and this seems too simple), then the firewall is routing the packet, but why do I need the static?


Why can't the firewall do that without it?




  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Jon Marshall Thu, 06/12/2008 - 09:30
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Richard


You can turn off NAT if you choose so you wouldn't always need the "static" statement.


But assuming you do have NAT enabled it is a rule for the Pix/ASA firewall that to allow traffic from a higher to a lower interface you need an access-list allowing the traffic and a NAT statement.


The PIX/ASA is quite unique in this respect, as least unique compared to the other types of firewall i have worked with. It seems counterintuitive that even if you don't want to NAT you still have tell the firewall you don't want to NAT (assuming you haven't turned off NAT altogether) ie.


static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0


This is not to allow the firewall to route the packet. For example if the 10.1.1.0/2r4 network was reachable via an internal router then you would need to tell the Pix/ASA how to route to that network. The only reason you don't need a route is because it is directly connected.


Feel i haven't quite answered your question ?


Jon


wilson_1234_2 Thu, 06/12/2008 - 10:47
User Badges:

Thanks for the reply jon,


I am thinking that if you have a firewall, you most certainly will be NATing


I guess I dont understand why I need to tell my DMZ that My workstation is 10.1.1.100?


When I think of NAT I am thinking in terms of the Host in the DMZ "sees" my workstation as if it were on the same interface, so why not NAT my workstation to an address in the same subnet as the DMZ host?


What is the logic behind that?




Jon Marshall Thu, 06/12/2008 - 12:16
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Richard


An example may help to clarify things


Your DMZ subnet = 192.168.5.0/24


static (inside,DMZ) 10.1.1.100 10.1.1.100 netmask 255.255.255.255


static (inside,DMZ) 192.168.5.100 10.1.1.100 netmask 255.255.255.255


static (inside,DMZ) 172.16.5.100 10.1.1.100 netmask 255.255.255.255


The second statement is obviously where you NAT the workstation to an address in the DMZ. You can do this and it would work fine. In fact you could also go with the third statement as well which presents your internal host as 172.16.5.100.


Both of these are used to present your internal host address as another address and indeed this is what NAT is usually used for. And both would work in your setup.


Usually you see firewall's Natting private IP's to public IP's so they can be accessed from the Internet and i suspect this is what you are seeing most of the time.


And this is what i meant by the first static statement being an idiosyncracy of the Pix/ASA. The first statement is where you don't actually want to NAT. On other firewalls you don't need to do anything but on the Pix/ASA, if you have not disabled NAT, you still have to tell the firewall you don't want to NAT these addresses. It's not intuitive but it's just something you have to know about Pix/ASA firewalls.


Jon


wilson_1234_2 Thu, 06/12/2008 - 12:48
User Badges:

Ok Jon,


Excellent( i may mess around and learn something)


So the answer is it does not mattter either way:


static (inside,DMZ) 10.1.1.100 10.1.1.100 netmask 255.255.255.255


static (inside,DMZ) 192.168.5.100 10.1.1.100 netmask 255.255.255.255



It seems that I usually see the static from inside to DMZ as you said, (you are telling the firewall you do not want to NAT the source address):


static (inside,DMZ) 10.1.1.100 10.1.1.100 netmask 255.255.255.255


Is there any advantage to doing it this way and not actually translating the address?




Jon Marshall Thu, 06/12/2008 - 12:58
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Richard


No problem. In answer to your question "Is there any advantage ?"


As a general rule if i can avoid NAT i do. It reduces complexity and more importantly NAT does not work with all applications.


Avoiding complexity is always a good thing if you can still achieve what you need :-)


Jon


Actions

This Discussion