NAT - Inside to DMZ via Public IP

Unanswered Question
Jan 28th, 2009

Hi all,

Another DMZ question I'm afraid. I'm trying to achieve the following and any assistance would be great.


I want my Inside to be PAT'd to the Outside and DMZ. I also need my Inside to be able to access the DMZ via the external (212.*.*.0) as well as the internal (10.0.0.0) addresses. I can get the Inside connected to the DMZ / Outside via PAT, and the static map works for Outside connections. When I add the line (below), it not only fails to work but it stops the Inside accessing the DMZ on 10.0.0.2 (via PAT).


"static (DMZ,Inside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255"


The ACLs on all interfaces are set to permit IP any to any.



ASA 5510 (8.0)

Inside 192.168.1.0/24

DMZ 10.0.0.0/16

Outside 212.*.*.*/26


global (Outside) 101 interface

global (DMZ) 1 interface

nat (Inside) 1 access-list Inside_nat_outbound

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

static (DMZ,Outside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255

static (DMZ,Inside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255


Many thanks.

victor_87 Wed, 01/28/2009 - 08:48

In the first command you say the outside interface is associated with the 212.***** IP address; in the next command you say that it is associated with the inside interface. A single subnet cannot be associated with two different interfaces. That's my logic.


Anyone else could explain better ??

spetersmmc Wed, 01/28/2009 - 09:06

Hi Victor,

Thanks for your response. My understanding from the documentation was that traffic can't traverse between interfaces without a NAT. So every interface (Outside and Inside) which needs to have visibility of the address (212.*.*.2) needs a static NAT connecting them to the source IP. I think you're correct in that you couldn't associate a subnet with more than one interface, but these static NATs have a host mask. I believe this is a form of hairpinning.


Regards.


victor_87 Wed, 01/28/2009 - 18:03

You must have misinterpreted the documentation you read; NAT is not mandatory for traffic to traverse interfaces.


Traffic can traverse interfaces using mere routing on a PIX or ASA. You only require appropriate access-lists allowing traffic into the higher security interfaces.

victor_87 Wed, 01/28/2009 - 20:49

Sorry, I was driving to work and suddenly I realised that I screwed up the last reply completely. You indeed read the documentation right, and NAT is mandatory to traverse interfaces,


but instead of using a different Ip to NAT


you can use something like


static (inside,DMZ) 10.0.0.2 10.0.0.2 netmask 255.255.255.255


this will do the job without changing anything.



Sorry again for the wrong replies.

spetersmmc Thu, 01/29/2009 - 02:19

Hi Victor,

No problem, any feedback is very much appreciated.


From what I can see, the line below…

static (inside,DMZ) 10.0.0.2 10.0.0.2 netmask 255.255.255.255


…would present the Inside address of 10.0.0.2 to the DMZ as 10.0.0.2. I would have transposed the interfaces, but I guess static NATs are bi-directional so it doesn't make any difference. I would have thought that the NAT to DMZ PAT would have taken care of this though.


global (DMZ) 1 interface

nat (Inside) 1 access-list Inside_nat_outbound


Should I remove my PAT and replace it with your suggested static NAT?


Cheers.


victor_87 Thu, 01/29/2009 - 22:00

Your config is good enough; it must work without any issues.
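The NAT set this thread converges on, written out as an added, annotated configuration (it is not the original poster's saved config and not Victor's exact lines): pre-8.3 `static` / `nat` / `global` syntax for the ASA 5510 running 8.0, the interface names, addresses and NAT IDs from the original post, and an identity static for the DMZ host in place of the `static (DMZ,Inside) 212.*.*.2 10.0.0.2` line that stopped Inside reaching 10.0.0.2. The `nat-control` check and the optional `dns` keyword at the end are additions the thread does not discuss; the masked public octets (`212.*.*.2`) are kept as on the page.

```cisco
! Added example for the thread above; not the poster's running config.
! Interfaces and addressing as given in the question (ASA 5510, 8.0, pre-8.3 NAT syntax):
!   Inside  192.168.1.0/24
!   DMZ     10.0.0.0/16
!   Outside 212.*.*.*/26   (public octets masked as on the page)

! 1. Dynamic PAT for Internet access: Inside and DMZ hosts hide behind the
!    Outside interface address (NAT ID 101, as in the original post).
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0

! 2. Policy PAT Inside -> DMZ: traffic matched by the ACL hides behind the
!    DMZ interface address (NAT ID 1, as in the original post).
global (DMZ) 1 interface
nat (Inside) 1 access-list Inside_nat_outbound

! 3. Publish the DMZ host to the Internet: Outside reaches 10.0.0.2 as 212.*.*.2.
!    Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (DMZ,Outside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255

! 4. Identity static for the DMZ host toward Inside. The original
!    "static (DMZ,Inside) 212.*.*.2 10.0.0.2 ..." presented the DMZ host to
!    Inside only as 212.*.*.2, which is why access to 10.0.0.2 stopped.
!    Mapping the host to itself keeps the real address on both sides.
!    Real interface first: the host lives on DMZ (the thread's reply writes the
!    interfaces the other way round, which the original poster noted).
static (DMZ,Inside) 10.0.0.2 10.0.0.2 netmask 255.255.255.255

! Added caveat, not from the thread: a matching translation is only mandatory
! when nat-control is enabled; it is disabled by default on 7.0 and later.
! Verify before adding identity statics "because NAT is required":
!   show running-config nat-control
!
! Added option, not from the thread: if Inside hosts must use the public
! hostname rather than 10.0.0.2, DNS rewrite on the Outside static (requires
! DNS inspection, which the default global policy includes) returns 10.0.0.2
! to Inside resolvers instead of 212.*.*.2:
!   static (DMZ,Outside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255 dns
```

With this set, Outside connections to 212.*.*.2 still land on 10.0.0.2 via the Outside static, Inside reaches the host directly as 10.0.0.2 through the identity static, and Inside traffic not matched by `Inside_nat_outbound` is untouched. Confirm the result with `show xlate` after a test connection from each side: the Outside entry should show `212.*.*.2` mapped to `10.0.0.2`, while the Inside entry maps `10.0.0.2` to itself.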
