01-28-2009 02:52 AM - edited 03-11-2019 07:43 AM
Hi all,
Another DMZ question I'm afraid. I'm trying to achieve the following and any assistance would be great.
I want my Inside to be PAT'd to the Outside and DMZ. I also need my Inside to be able to access the DMZ via the external (212.*.*.0) as well as the internal (10.0.0.0) addresses. I can get the Inside connected to the DMZ / Outside via PAT, and the static map works for Outside connections. When I add the line (below), it not only fails to work but it stops the Inside accessing the DMZ on 10.0.0.2 (via PAT).
"static (DMZ,Inside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255"
The ACLs on all interfaces are set to permit IP any to any.
ASA 5510 (8.0)
Inside 192.168.1.0/24
DMZ 10.0.0.0/16
Outside 212.*.*.*/26
global (Outside) 101 interface
global (DMZ) 1 interface
nat (Inside) 1 access-list Inside_nat_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255
static (DMZ,Inside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255
Many thanks.
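An added example, not code from the thread or from Cisco: a small Python lint over the legacy (pre-8.3) static/nat/global lines quoted in the post above. It only checks the structural points the replies raise (a mapped address that is not in the subnet of the interface it is presented on, the same mapped address presented on two interfaces, and a nat id with no matching global); it does not model the ASA's translation lookup. 203.0.113.0/26 is a placeholder standing in for the redacted 212.*.*.*/26 block.

```python
import ipaddress
import re

# Constructed sample: the interfaces and NAT lines from the opening post, with the
# placeholder 203.0.113.0/26 in place of the redacted 212.*.*.*/26 (so 203.0.113.2
# plays the role of 212.*.*.2). Interface names are keyed in lower case.
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("10.0.0.0/16"),
    "outside": ipaddress.ip_network("203.0.113.0/26"),
}
CONFIG = """\
global (Outside) 101 interface
global (DMZ) 1 interface
nat (Inside) 1 access-list Inside_nat_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) 203.0.113.2 10.0.0.2 netmask 255.255.255.255
static (DMZ,Inside) 203.0.113.2 10.0.0.2 netmask 255.255.255.255
"""
# Legacy syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask [...]
STATIC_RE = re.compile(r"^static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*(\S+)\s+(\S+)\s+netmask\s+(\S+)")
NAT_RE = re.compile(r"^nat\s*\(\s*(\w+)\s*\)\s*(\d+)\b")
GLOBAL_RE = re.compile(r"^global\s*\(\s*(\w+)\s*\)\s*(\d+)\b")

def parse_statics(text):
    """Return (real_if, mapped_if, mapped_ip, real_ip) for every static line."""
    statics = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped, real, _mask = m.groups()
            statics.append((real_if.lower(), mapped_if.lower(),
                            ipaddress.ip_address(mapped), ipaddress.ip_address(real)))
    return statics

def lint(text, interfaces):
    """Structural checks only; returns a list of human-readable findings."""
    findings, seen_on = [], {}
    for real_if, mapped_if, mapped, real in parse_statics(text):
        if real_if in interfaces and real not in interfaces[real_if]:
            findings.append(f"real {real} is not in the {real_if} subnet")
        # An identity static (mapped == real) is exempt from the subnet check.
        if mapped != real and mapped_if in interfaces and mapped not in interfaces[mapped_if]:
            findings.append(f"mapped {mapped} is not in the {mapped_if} subnet")
        seen_on.setdefault(mapped, set()).add(mapped_if)
    for mapped, ifs in seen_on.items():
        if len(ifs) > 1:
            findings.append(f"mapped {mapped} is presented on {sorted(ifs)}")
    global_ids = {m.group(2) for m in map(GLOBAL_RE.match, text.splitlines()) if m}
    for m in filter(None, map(NAT_RE.match, text.splitlines())):
        if m.group(2) != "0" and m.group(2) not in global_ids:  # nat 0 is exemption
            findings.append(f"nat id {m.group(2)} on {m.group(1)} has no global")
    return findings
```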
01-28-2009 08:48 AM
In the first command you say the outside interface is associated with the 212.***** IP address; in the next command you say that it is associated with the inside interface. A single subnet cannot be associated with two different interfaces. That's my logic.
Anyone else could explain better??
01-28-2009 09:06 AM
Hi Victor,
Thanks for your response. My understanding from the documentation was that traffic can't traverse between interfaces without a NAT. So every interface (Outside and Inside) which needs to have visibility of the address (212.*.*.2) needs a static NAT connecting them to the source IP. I think you're correct in that you couldn't associate a subnet with more than one interface, but these static NATs have a host mask. I believe this is a form of hairpinning.
Regards.
01-28-2009 06:03 PM
You must have misinterpreted the documentation you read. NAT is not mandatory for traffic to traverse interfaces.
Traffic can traverse interfaces using mere routing on a PIX or ASA. You only require appropriate access-lists allowing traffic into the higher security interfaces.
01-28-2009 08:49 PM
Sorry, I was driving to work and suddenly I realised that I screwed up the last reply completely. You indeed read the documentation right and NAT is mandatory to traverse interfaces,
but instead of using a different IP to NAT
you can use something like
static (inside, DMZ)10.0.0.2 10.0.0.2 netmask 255.255.255.255
This will do the job without changing anything.
Sorry again for the wrong replies.
01-29-2009 02:19 AM
Hi Victor,
No problem, any feedback is very much appreciated.
From what I can see, the line below…
static (inside, DMZ)10.0.0.2 10.0.0.2 netmask 255.255.255.255
…would present the Inside address of 10.0.0.2 to the DMZ as 10.0.0.2. I would have transposed the interfaces, but I guess static NATs are bi-directional so it doesn't make any difference. I would have thought that the NAT to DMZ PAT would have taken care of this, though.
global (DMZ) 1 interface
nat (Inside) 1 access-list Inside_nat_outbound
Should I remove my PAT and replace it with your suggested static NAT?
Cheers.
01-29-2009 10:00 PM
Your config is good enough; it must work without any issues.