Question about NAT Exemption

d.rein
Level 1

Hi,

I have the following scenario:

I want to reach an outside host under its original address and under its NAT address, as it appears to the inside world.

(The host in the DMZ is translated to the Inside interface with a static NAT rule.)

Is it possible to reach this host from Inside under both the NAT and the original IP address?

Regards,

Dirk

5 Replies

cisco24x7
Level 6

Please clarify your scenario so that I can understand your requirements.

In general, NAT on PIX/ASA is not as flexible as, say, Juniper or Checkpoint firewalls.

----Inside--ASA---DMZ---Host

The host is translated to the inside network and can be reached by the translated address.

I would like hosts in the inside network to reach the host in the DMZ under its original and also its translated address.

At the moment it is working only with the translated address. I have already configured an exemption rule, but it is not working. In the syslog file I see that I have no matching translation rule.

Can't be done on an ASA appliance.

Get a Checkpoint firewall and it can do the trick for you.

And do you know why?

There's one book that shows the NAT order of operation as being first check NAT exemption, then static NAT.

Let us know.

vladrac-ccna
Level 5

I did some research and yes, it's possible.

You need to define 2 static policy NAT statements.

Example:

real IP on DMZ: 20.20.20.20

NAT IP on inside: 192.168.100.20

Make sure you configure the correct order:

static (DMZ,inside) 192.168.100.20 access-list acl_policy1
static (DMZ,inside) 20.20.20.20 access-list acl_policy2

access-list acl_policy1 extended permit ip host 20.20.20.20 any
access-list acl_policy2 extended permit ip host 20.20.20.20 any

Telnet from a client on the inside network to the DMZ server using both IPs, NATted and real:

client#192.168.100.20 80
Trying 192.168.100.20, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Mon, 01 Mar 1993 03:41:13 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 192.168.100.20 closed by foreign host]

client#20.20.20.20 80
Trying 20.20.20.20, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Mon, 01 Mar 1993 03:41:21 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 20.20.20.20 closed by foreign host]
client#
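Added example (not from the thread and not Cisco code): a small Python model of the ordered, first-match lookup that the two policy statics in the reply above rely on, in both directions. It assumes the ACLs' "any" destination can be ignored and models only the source-host match, so it shows why inside clients reach the DMZ host under either address while the configuration order decides which address DMZ-initiated traffic is seen under.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of the two pre-8.3 ASA policy statics quoted in the thread,
# kept in configuration order: (mapped address on "inside", ACL source on "DMZ").
# Both thread ACLs use "any" as destination, so only the source is modelled;
# that simplification is an assumption of this example, not ASA behaviour.
Static = Tuple[str, str]

POLICY_STATICS: List[Static] = [
    ("192.168.100.20", "20.20.20.20/32"),  # static (DMZ,inside) ... acl_policy1
    ("20.20.20.20", "20.20.20.20/32"),     # static (DMZ,inside) ... acl_policy2
]


def untranslate_from_inside(dst_ip: str,
                            statics: List[Static] = POLICY_STATICS) -> Optional[str]:
    """Inside-initiated flow: find the first static whose mapped address equals
    the destination and rewrite it to the real DMZ host. None models the
    "no matching translation rule" syslog from the question: no static covers
    that destination, so the ASA has nothing to untranslate it to."""
    for mapped_ip, real_net in statics:
        if ipaddress.ip_address(dst_ip) == ipaddress.ip_address(mapped_ip):
            # A /32 ACL source means the real host is the network address itself.
            return str(ipaddress.ip_network(real_net).network_address)
    return None


def translate_from_dmz(src_ip: str,
                       statics: List[Static] = POLICY_STATICS) -> Optional[str]:
    """DMZ-initiated flow: the first static whose ACL matches the real source
    wins, so with two statics for one host the ORDER decides which mapped
    address the inside network sees that host as."""
    for mapped_ip, real_net in statics:
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(real_net):
            return mapped_ip
    return None


if __name__ == "__main__":
    for dst in ("192.168.100.20", "20.20.20.20", "192.168.100.21"):
        print(f"inside -> {dst}: real host {untranslate_from_inside(dst)}")
    print("DMZ host appears to inside as", translate_from_dmz("20.20.20.20"))
    # Reversing the order makes the host show up untranslated instead.
    print("reversed order:", translate_from_dmz("20.20.20.20", POLICY_STATICS[::-1]))
```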
