09-25-2008 06:28 AM - edited 03-11-2019 06:49 AM
I am trying to figure out why I would need a NAT pool for local users accessing the DMZ. Currently I am in the midst of migrating from a PIX 515E to an ASA 5510 and I'm reviewing my configs. I have the following line in my PIX:
global (dmz) 10 10.1.4.50-10.1.4.99
And when I look at the logs on servers in the DMZ, users coming from the 10.1.1.x/24 network are being assigned a random IP from that 10.1.4.50-99 block. I would rather not do this if I don't need to.
Any ideas or suggestions?
09-25-2008 06:35 AM
You may be filtering, on the servers in the DMZ, which IP addresses can access certain services on the DMZ servers?
You will see another config line, something like:
nat (inside) 10 - blah blah ?
If you remove this, the inside IP addresses will no longer be NATed.
BEFORE you remove anything, check with your server admins to see if there is a specific reason why you would NAT from the inside to the DMZ.
HTH
09-25-2008 06:40 AM
Hmm. OK, I have the following.
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
Here is the ACL that corresponds to the NAT line:
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.1.3.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.1.5.0 255.255.255.0 10.1.5.0 255.255.255.0
09-25-2008 06:44 AM
OK, you have supplied the no-NAT? What is the IP range of the DMZ?
09-25-2008 06:38 AM
You can make one-to-one NATing between the two interfaces, because nat-control requires NATing between interfaces,
or you can make a NAT exemption between both interfaces.
For example:
static (inside,DMZ) 10.10.4.0 192.168.1.0 netmask 255.255.255.0
assuming the inside network is 192.168.1.0/24.
access-list 100 permit ip 10.10.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group 100 in interface DMZ
or
make it like:
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.4.0 255.255.255.0
access-list 101 permit ip 10.10.4.0 255.255.255.0 192.168.1.0 255.255.255.0
then make a NAT exemption:
nat (inside) 0 access-list 100
nat (dmz) 0 access-list 101
access-group 101 in interface DMZ
Good luck.
If helpful, rate.
09-25-2008 06:48 AM
My DMZ IP is 10.1.4.0/24.
access-list dmz_access_in permit tcp 10.1.4.0 255.255.255.0 host 10.1.4.21
access-list dmz_access_in permit udp 10.1.4.0 255.255.255.0 host 10.1.4.21 eq domain
access-list dmz_access_in permit tcp 10.1.4.0 255.255.255.0 host 10.1.4.25
access-list dmz_access_in permit udp 10.1.4.0 255.255.255.0 host 10.1.4.25 eq domain
access-list dmz_access_in permit ip 10.1.4.0 255.255.255.0 any
access-list dmz_access_in permit tcp any host 10.1.4.24
access-list dmz_access_in permit udp any host 10.1.4.24
access-list dmz_access_in permit icmp any host 10.1.4.24
access-list dmz_access_in permit ip 10.1.4.0 255.255.255.0 host 10.1.4.32
access-list dmz_access_in permit tcp any host 10.1.4.26 object-group Notes
access-list dmz_access_in permit tcp host win_webserver host 10.1.4.26 eq smtp
09-25-2008 07:04 AM
OK, I was doing some thinking and think that I should and could use PAT to access the DMZ. So all traffic from 10.1.x.x going to the DMZ on 10.1.4.x would appear to come from, for example, 10.1.4.254. That would let me know, when I see the address, that it's coming from my inside network.
09-25-2008 08:39 AM
It's up to you.
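Pulling the two suggestions in this thread together, here is what each option looks like in pre-8.3 PIX/ASA syntax. This is an added example, not configuration posted by anyone in the thread: it reuses the original poster's subnets (inside 10.1.1.0/24 to 10.1.3.0/24, DMZ 10.1.4.0/24), the poster's ACL name inside_outbound_nat0_acl, and the 10.1.4.254 PAT address the poster proposed; the extended keyword is assumed for the ASA 7.x/8.0 image a 2008-era 5510 would run, and nat-control is assumed to be on (the PIX default). The security point the thread circles around is that both the current dynamic pool and the proposed PAT make inside clients show up on the DMZ servers with a DMZ-range source address, so anything on those servers that trusts 10.1.4.0/24 by source cannot tell an inside user from a DMZ host, and PAT additionally collapses every inside user into one address in the server logs. NAT exemption (Option A) avoids both problems because the servers see the real 10.1.x.x client address.

```cisco
! Added example, not from the thread. Addresses and ACL name are the
! original poster's; 'extended' and nat-control on are assumptions.
!
! --- What the PIX does today: inside -> 10.1.4.0/24 does not match the
!     nat 0 exemption ACL (it only lists 10.1.5.0/24 as destination), so
!     the traffic falls through to nat (inside) 10 and is given an address
!     from the DMZ-range pool, which is what the server logs show.
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
global (dmz) 10 10.1.4.50-10.1.4.99
!
! --- Option A: NAT exemption for inside -> DMZ. The servers log the real
!     client address, so host-based source filters and per-user attribution
!     keep working. nat 0 access-list exemption is bidirectional: DMZ hosts
!     may also initiate to the inside, still subject to dmz_access_in.
!     Any inside subnet NOT listed here is dropped ("no translation group
!     found") while nat-control is on and no global (dmz) 10 exists.
access-list inside_outbound_nat0_acl extended permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.1.2.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.1.3.0 255.255.255.0 10.1.4.0 255.255.255.0
no global (dmz) 10 10.1.4.50-10.1.4.99
!
! --- Option B (instead of A, not in addition): PAT every inside client to
!     the single DMZ-range address the poster suggested. A one-address
!     global is PAT. The servers then see one source for all inside users,
!     so the firewall's xlate table / syslog is the only place a given
!     server-side connection can be tied back to a real inside host.
no global (dmz) 10 10.1.4.50-10.1.4.99
global (dmz) 10 10.1.4.254
!
! --- Either way: existing translations survive a nat/global change until
!     cleared. Clear them, then confirm the running NAT and watch the xlates
!     while an inside host connects to a DMZ server.
clear xlate
show running-config nat
show running-config global
show xlate
```

Pick Option A if the goal is simply "stop translating inside users toward the DMZ" and you want the DMZ servers' own logs and host filters to see real addresses; pick Option B only if you deliberately want inside users to appear as one well-known address and are prepared to rely on firewall logs for attribution. Note that the nat/global/static syntax above is for ASA releases before 8.3; from 8.3 onward NAT is expressed with object or twice NAT statements and these lines would need to be rewritten.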