Need Basic NAT Config example.

John.OuYang
Level 1

I need a working sample config based on these simple details:

Outside 172.16.1.2 255.255.255.0 level 0

Inside 192.168.0.3 255.255.255.0 level 100

DMZ 192.168.154.1 255.255.255.0 level 50

Web1 172.16.1.7 need to map to DMZ 192.168.154.7 smtp, https

Web2 172.16.1.24 need to map to inside 192.168.0.4 DNS https

1. I would like the inside network to be able to reach any server in the DMZ any service. Also be able to reach the web pages.

2. I would like the DMZ to pass only limited information like port http, but I can build from any rule that works.

3. I would like to be able to browse the internet from the DMZ and inside.

I will rate high on any working configurations. I will rate each unique example using varied Nat types.

2 Accepted Solutions (Jon Marshall's first reply and John's ACL reply, both reproduced in the thread below)

10 Replies

Jon Marshall
Hall of Fame

John

static (dmz,outside) tcp 172.16.1.7 25 192.168.154.7 25 netmask 255.255.255.255

static (dmz,outside) tcp 172.16.1.7 443 192.168.154.7 443 netmask 255.255.255.255

static (inside,outside) udp 172.16.1.24 53 192.168.0.4 53 netmask 255.255.255.255

static (inside,outside) tcp 172.16.1.24 443 192.168.0.4 443 netmask 255.255.255.255

1) static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

You don't need an acl because it is going from inside to DMZ

2) access-list DMZ_in permit tcp 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80

This would allow all hosts on DMZ to talk to any host on inside on port 80. As you say you can narrow it down.

3) nat (inside) 1 192.168.0.0 255.255.255.0

nat (dmz) 1 192.168.154.0 255.255.255.0

global (outside) 1 interface

Again you don't need acl because you are going from higher to lower security level interfaces.

Jon

This doesn't appear to be working. Can you create a show running-config that I can build from?

John

Could you be a bit more specific - which bits work and which don't. If none of it works then can you check basics such as both interfaces are up etc.

Jon

I am unable to pass any traffic to the DMZ from the inside. I can't pass any traffic from the DMZ to the inside, either on specific ports or opened to any. All interfaces are up.

I cl xlate

I wonder if the default from a higher security to a lower security rules are working.

All I can do is browse the internet.

I guess I could try another asa 5510.

I do appreciate the help.

Hello John,

Please post your running config and let us advise on config

Regards

Here is a copy of the running config on the ASA 5510. I built it based on the information Jon provided. No traffic is passing. I expected to be able to RDP or reach the C: drive of a server in the DMZ from an inside PC.

John

I've started over several times. I seem to be getting back to the same place...

Can browse the internet from DMZ or inside PCs.

I just can't seem to pass any traffic between them.

I even put all interfaces in one pool to allow dynamic translation to the DMZ and outside, and translation from the DMZ to the inside and outside interface pools.

What am I missing?

You have an acl:

access-list dmz_access_in extended permit ip 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0

But you're not allowing traffic back in:

permit ip 192.168.0.0 255.255.255.0 any

If the above acl doesn't work, try to do "permit ip any any" to see if you can get ANY traffic at all.

HTH

--John

HTH, John *** Please rate all useful posts ***

Exactly what I was missing.

It shows this rule in the ASDM Rules but this ACL is clearly missing from the ACL Manager.

Kind of odd. I thought that ACEs and defined access rules were the same thing for DMZ incoming rules. So it must be a weird error for one to exist without the other.

John

Thank you for letting me know, and the rating! :-)

--John

HTH, John *** Please rate all useful posts ***
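As an added example at the end of the thread (not code from any of the posters, and not a Cisco tool), the script below gathers the pre-8.3 lines from Jon's reply into one constructed config and lints it for what a working box still needs and what this thread tripped on: an `access-list` does nothing until an `access-group <acl> in interface <nameif>` binds it (an ACL that shows up in one ASDM view but is applied nowhere behaves exactly like the unbound `DMZ_in` here), and each `static` port-forward on `outside` needs a matching permit in the ACL applied to `outside`, since that traffic arrives at security level 0 heading for a higher level. The `nameif` lines and the `outside_in` ACL are my assumptions; the permit for 172.16.1.24 on 443 and the `access-group` for `DMZ_in` are deliberately left out so the linter has something to report. Interface names are compared case-insensitively, so Jon's `(inside,DMZ)` alongside `nat (dmz)` is not flagged, and only `eq` port qualifiers with numeric ports are understood.

```python
# Added example for this thread (not the posters' code, not a Cisco tool): assemble the
# pre-8.3 ASA lines from Jon's reply into one config and lint it for the pieces a working
# box still needs: every access-list bound by an access-group, every static port-forward
# permitted by the ACL on its mapped interface, every interface name a real nameif.
import ipaddress
import re

# Constructed config. The nameif lines and the outside_in ACL are assumptions; the permit
# for 172.16.1.24:443 and the access-group for DMZ_in are deliberately left out.
SAMPLE_CONFIG = """\
nameif outside
nameif inside
nameif dmz
static (dmz,outside) tcp 172.16.1.7 25 192.168.154.7 25 netmask 255.255.255.255
static (dmz,outside) tcp 172.16.1.7 443 192.168.154.7 443 netmask 255.255.255.255
static (inside,outside) udp 172.16.1.24 53 192.168.0.4 53 netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.24 443 192.168.0.4 443 netmask 255.255.255.255
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-list DMZ_in extended permit tcp 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
access-list outside_in extended permit tcp any host 172.16.1.7 eq 25
access-list outside_in extended permit tcp any host 172.16.1.7 eq 443
access-list outside_in extended permit udp any host 172.16.1.24 eq 53
access-group outside_in in interface outside
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.154.0 255.255.255.0
global (outside) 1 interface
"""

NAMEIF = re.compile(r"nameif (\S+)")
ACL = re.compile(r"access-list (\S+) (?:extended )?(permit|deny) (\S+) (.+)")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")
STATIC = re.compile(r"static \((\S+),(\S+)\) (?:(tcp|udp) (\S+) (\d+) \S+ \d+|\S+ \S+) netmask")
NAT_GLOBAL = re.compile(r"(?:nat|global) \((\S+)\) \d+")


def parse(config):
    """Collect nameifs, ACEs, ACL bindings, port statics and every interface reference."""
    cfg = {"ifaces": set(), "acls": {}, "groups": {}, "ports": [], "refs": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF.match(line):
            cfg["ifaces"].add(m[1].lower())  # interface names compared case-insensitively
        elif m := ACL.match(line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4].split()))
        elif m := GROUP.match(line):
            cfg["groups"][m[2].lower()] = m[1]
            cfg["refs"].append((m[2], line))
        elif m := STATIC.match(line):
            cfg["refs"] += [(m[1], line), (m[2], line)]
            if m[3]:  # port static: (mapped_ifc, proto, mapped_ip, mapped_port)
                cfg["ports"].append((m[2].lower(), m[3], m[4], m[5]))
        elif m := NAT_GLOBAL.match(line):
            cfg["refs"].append((m[1], line))
    return cfg


def _addr(tokens, i):
    """Consume one ACE address spec: any | host A | NET MASK."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "255.255.255.255"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def ace_covers(ace, proto, ip, port):
    """True if this permit ACE lets `proto` reach ip:port (only 'eq' with numeric ports understood)."""
    action, ace_proto, tokens = ace
    if action != "permit" or ace_proto not in ("ip", proto):
        return False
    _, i = _addr(tokens, 0)  # source address
    if i < len(tokens) and tokens[i] == "eq":  # optional source port qualifier
        i += 2
    (dst, mask), i = _addr(tokens, i)
    if dst != "any" and ipaddress.ip_address(ip) not in ipaddress.ip_network(f"{dst}/{mask}", strict=False):
        return False
    return tokens[i + 1] == port if i + 1 < len(tokens) and tokens[i] == "eq" else True


def lint(config):
    """Return findings as strings; an empty list means the bindings are all in place."""
    cfg = parse(config)
    out = []
    bound = set(cfg["groups"].values())
    out += [f"unbound ACL: {n} is defined but no access-group applies it" for n in cfg["acls"] if n not in bound]
    out += [f"dangling access-group: {n} on {i} has no access-list lines" for i, n in cfg["groups"].items() if n not in cfg["acls"]]
    out += [f"unknown interface '{r}' in: {ln}" for r, ln in cfg["refs"] if r.lower() not in cfg["ifaces"]]
    for ifc, proto, ip, port in cfg["ports"]:
        aces = cfg["acls"].get(cfg["groups"].get(ifc), [])
        if not any(ace_covers(a, proto, ip, port) for a in aces):
            out.append(f"port-forward {proto}/{ip}:{port} on {ifc} has no permit in the inbound ACL")
    return out


# The same constructed config with the two missing lines added lints clean.
FIXED_CONFIG = SAMPLE_CONFIG + ("access-list outside_in extended permit tcp any host 172.16.1.24 eq 443\n"
                                "access-group DMZ_in in interface dmz\n")

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG) or ["clean"]), "\nfixed config:", lint(FIXED_CONFIG) or "clean")
```

To use it on a real box, paste the output of `show running-config` into `lint()`; the same two points are what to confirm by hand with `show nameif` and `show running-config access-group` when higher-to-lower traffic works but nothing arriving on a lower-security interface does, which is the symptom this thread ended on.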