903 Views, 4 Helpful, 11 Replies

NAT problems on ASA5500

itadmin (Level 1)

Hi all,

Help for a newbie please.

I have a problem with the inside network accessing web servers in the DMZ. I am getting portmap translation fail errors; however, I need help with the command to allow all inside hosts access to the DMZ. It's a new firewall and I do not have to configure these often, so my skills are limited.

I think I need to add the following commands:

nat (dmz) 1 192.168.200.0 255.255.255.0
access-group dmz_access_in in interface dmz

...and then appropriate ACLs

Current config as follows (some of the config suppressed):

ASA Version 7.1(2)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 222.222.222.74 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.203.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq smtp
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq https
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq pop3
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq imap4
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq www
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq ftp
access-list outside_access_in extended permit tcp any host 222.222.222.77 eq www
access-list outside_access_in extended permit tcp any host 222.222.222.77 eq ftp
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq www
access-list outside_access_in extended permit udp any host 222.222.222.78 eq domain
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq domain
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.203.0 255.255.255.0
static (inside,outside) tcp 222.222.222.75 smtp 192.168.203.21 smtp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 https 192.168.203.21 https netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 imap4 192.168.203.21 imap4 netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 pop3 192.168.203.21 pop3 netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 www 192.168.203.2 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 ftp 192.168.203.2 ftp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 www 192.168.203.201 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.77 www 192.168.203.200 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.77 ftp 192.168.203.200 ftp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 domain 192.168.203.200 domain netmask 255.255.255.255
static (inside,outside) udp 222.222.222.78 domain 192.168.203.200 domain netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 222.222.222.73 1

11 Replies

Hi,

Is there any specific reason you are using "nat-control"? By default it should be "no nat-control".

If you do "no nat-control" you can access your DMZ without any other NAT statements.

To be honest, I am not sure what nat-control does exactly, so no, there is no specific reason for using nat-control.

What are the implications of removing this command?

What nat-control does is make the firewall work like the old PIX systems: it specifies that all traffic passing through the firewall must have a specific NAT entry.

Read more here :-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml#backinfo

-- In your case I don't see any problems if you do "no nat-control".

Thanks for your help, I have changed the config as per below. I have a host at address 192.168.200.2/24 in the dmz.

For it to access inside addresses do I need to add individual nat entries for each server it accesses?

Also, the inside network cannot access this host even after the changes?

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 222.222.222.74 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.203.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq smtp
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq https
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq pop3
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq imap4
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq www
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq ftp
access-list outside_access_in extended permit tcp any host 222.222.222.77 eq www
access-list outside_access_in extended permit tcp any host 222.222.222.77 eq ftp
access-list outside_access_in extended permit tcp any host 222.222.222.75 eq www
access-list outside_access_in extended permit udp any host 222.222.222.78 eq domain
access-list outside_access_in extended permit tcp any host 222.222.222.78 eq domain
access-list dmz_access_in extended permit tcp any any
access-list dmz_access_in extended permit udp any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.203.0 255.255.255.0
static (inside,outside) tcp 222.222.222.75 smtp 192.168.203.21 smtp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 https 192.168.203.21 https netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 imap4 192.168.203.21 imap4 netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 pop3 192.168.203.21 pop3 netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 www 192.168.203.2 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 ftp 192.168.203.2 ftp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.75 www 192.168.203.201 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.77 www 192.168.203.200 www netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.77 ftp 192.168.203.200 ftp netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.78 domain 192.168.203.200 domain netmask 255.255.255.255
static (inside,outside) udp 222.222.222.78 domain 192.168.203.200 domain netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 222.222.222.73 1

I have a host at address 192.168.200.2/24 in the dmz.

For it to access inside addresses do I need to add individual nat entries for each server it accesses?

You have to have an ACL that permits traffic from your DMZ server to inside.

Is that not covered by the rules:

access-list dmz_access_in extended permit tcp any any
access-list dmz_access_in extended permit udp any any
access-group dmz_access_in in interface dmz

Hi all,

I have not yet resolved my NAT issues from the DMZ to the inside network, been working on other projects but would like to have my DMZ functional so I can roll back the loose security policy I have.

I would like to enable all DMZ hosts to be able to access all INSIDE hosts, and set appropriate ACLs to control access. At present I have the following relevant configuration options:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 220.157.70.74 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.203.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
interface Management0/0
!
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp any any
access-list dmz_access_in extended permit udp any any
access-list dmz_access_in extended permit icmp any any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.203.0 255.255.255.0
nat (dmz) 0 192.168.200.0 255.255.255.0 outside
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz

DMZ hosts cannot contact inside hosts at present. Sorry for my ignorance; there is probably a NAT rule that I have configured incorrectly, but I don't do much firewall stuff day to day and am not really sure of the command needed.

Please help:)

Not applicable

Hi,

Include the routes for your inside as well as your dmz interface, as you have a route for your outside interface.

route inside ---------------
route dmz ------------------

Also include this command:-

nat (dmz) 0 192.168.200.0 255.255.255.0

Regards

Mukesh.P

hi,

First of all, if you don't use a VPN or the private network (192.168.200.0) toward the outside in your company, you have to delete the [nat (inside) 0 access-list inside_nat0_outbound] command; it is an unused command line.

The easy command is static!

1.

no nat (dmz) 0 192.168.200.0 255.255.255.0
nat (dmz) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface
static (inside,dmz) 192.168.203.0 192.168.203.0 netmask 255.255.255.0 0 0

Also, if you want to map a DMZ address to a public address, you can use the static command however you want, like this:

static (dmz,outside) tcp 22.222.222.78 www 192.168.200.x 8080 netmask 255.255.255.255

..

That's it! Thanks, all solved :)

Have a great day!
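Why the original config threw "portmap translation" errors, why `nat (dmz) 0` did not let DMZ hosts reach the inside, and why the identity `static (inside,dmz)` from the last reply fixes both directions, can be seen by walking a few flows through a model of the ASA 7.x translation lookup. The block below is an added example written for this page; it is not code from the thread or from Cisco. It implements the documented lookup order for a new connection (static first, then dynamic `nat`/`global`, with `nat-control` dropping anything unmatched), and it is deliberately simplified: only subnet-form statics are modelled (the per-port `static ... tcp ...` lines are ignored), `nat 0 access-list` exemption is not modelled, and the branch taken when `nat-control` is off is just "pass untranslated". The interface names, security levels and 192.168.x.x addresses come from the thread; 192.168.203.10 and the outside host 198.51.100.7 are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class Static:
    """static (real_ifc,mapped_ifc) <mapped> <real> netmask <mask>  (subnet form only)"""
    real_ifc: str
    mapped_ifc: str
    mapped: Net
    real: Net


@dataclass
class DynNat:
    """nat (ifc) <id> <net> <mask>; id 0 without an access-list is identity NAT."""
    ifc: str
    nat_id: int
    real: Net


@dataclass
class Global:
    """global (ifc) <id> interface"""
    ifc: str
    nat_id: int


@dataclass
class Asa:
    security: Dict[str, int]               # nameif -> security-level
    nat_control: bool = True
    statics: List[Static] = field(default_factory=list)
    dynamic: List[DynNat] = field(default_factory=list)
    globals_: List[Global] = field(default_factory=list)

    def lookup(self, ingress: str, egress: str, src: str, dst: str) -> Tuple[str, str]:
        """Verdict ('pass'|'drop') and reason for a NEW connection src->dst that
        arrives on `ingress` and would leave on `egress`."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.security[ingress] > self.security[egress]:
            return self._outbound(ingress, egress, s)
        return self._inbound(ingress, egress, d)

    def _outbound(self, ingress: str, egress: str, s) -> Tuple[str, str]:
        # Higher -> lower security: the SOURCE needs a mapping on the egress side.
        # Documented order: static before dynamic nat/global.
        for st in self.statics:
            if st.real_ifc == ingress and st.mapped_ifc == egress and s in st.real:
                mapped = st.mapped[int(s) - int(st.real.network_address)]
                return "pass", f"static ({ingress},{egress}) {s} -> {mapped}"
        for r in self.dynamic:
            if r.ifc != ingress or s not in r.real:
                continue
            if r.nat_id == 0:
                return "pass", f"nat ({ingress}) 0 identity: {s} untranslated"
            if any(g.ifc == egress and g.nat_id == r.nat_id for g in self.globals_):
                return "pass", f"nat ({ingress}) {r.nat_id} + global ({egress}) {r.nat_id}: PAT to {egress} interface"
            # The rule matched but there is no pool on the egress interface: this is
            # the 'portmap translation creation failed' condition from the first post.
            return "drop", f"%ASA-3-305006 portmap translation creation failed: no global ({egress}) {r.nat_id}"
        if self.nat_control:
            return "drop", "%ASA-3-305005 No translation group found"
        return "pass", "no nat-control: untranslated"   # simplified branch (assumption)

    def _inbound(self, ingress: str, egress: str, d) -> Tuple[str, str]:
        # Lower -> higher security: the DESTINATION must be an address that some
        # static (egress,ingress) publishes on the ingress interface. A plain
        # 'nat (egress) 0 <net>' is outbound-only and does not help here.
        for st in self.statics:
            if st.real_ifc == egress and st.mapped_ifc == ingress and d in st.mapped:
                real = st.real[int(d) - int(st.mapped.network_address)]
                return "pass", f"static ({egress},{ingress}) {d} -> {real}"
        if self.nat_control:
            return "drop", "%ASA-3-305005 No translation group found"
        return "pass", "no nat-control: untranslated"   # simplified branch (assumption)


SEC = {"outside": 0, "inside": 100, "dmz": 50}


def original_config() -> Asa:
    """First post: nat-control, nat (inside) 1, and a global on outside only."""
    return Asa(SEC, nat_control=True,
               dynamic=[DynNat("inside", 1, net("192.168.203.0/24"))],
               globals_=[Global("outside", 1)])


def fixed_config() -> Asa:
    """Last reply: nat (dmz) 1 plus the identity static (inside,dmz)."""
    asa = original_config()
    asa.dynamic.append(DynNat("dmz", 1, net("192.168.200.0/24")))
    asa.statics.append(Static("inside", "dmz", net("192.168.203.0/24"), net("192.168.203.0/24")))
    return asa


if __name__ == "__main__":
    flows = (("inside", "dmz", "192.168.203.10", "192.168.200.2"),     # constructed hosts
             ("dmz", "inside", "192.168.200.2", "192.168.203.10"),
             ("dmz", "outside", "192.168.200.2", "198.51.100.7"))
    for name, asa in (("original", original_config()), ("fixed", fixed_config())):
        for ingress, egress, src, dst in flows:
            print(f"{name:8} {ingress}->{egress}:", *asa.lookup(ingress, egress, src, dst))
```

With the original rules, inside->dmz matches `nat (inside) 1` but finds no `global (dmz) 1`, which is the 305006 "portmap" failure the poster saw, and dmz->inside has no mapped address for the inside host, so nat-control drops it. After the fix, the identity static is consulted before the dynamic rule for inside->dmz and publishes the inside subnet on the dmz side for dmz->inside, while `nat (dmz) 1` + `global (outside) 1 interface` gives DMZ hosts PAT to the outside. Note that the `access-group` ACLs in the thread are evaluated separately from this translation lookup, and `permit ip/tcp any any` on the dmz interface still lets a compromised DMZ host reach every inside address once the static exists; that is the part to tighten once NAT works.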
