NAT - Inside to DMZ via Public IP

spetersmmc (Level 1)

Hi all,

Another DMZ question I'm afraid. I'm trying to achieve the following and any assistance would be great.

I want my Inside to be PAT'd to the Outside and DMZ. I also need my Inside to be able to access the DMZ via the external (212.*.*.0) as well as the internal (10.0.0.0) addresses. I can get the Inside connected to the DMZ / Outside via PAT and the static map works for Outside connections. When I add the line (below), it not only fails to work but it stops the Inside accessing the DMZ on 10.0.0.2 (via PAT).

static (DMZ,Inside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255

The ACLs on all interfaces are set to permit IP any to any.

ASA 5510 (8.0)

Inside 192.168.1.0/24
DMZ 10.0.0.0/16
Outside 212.*.*.*/26

global (Outside) 101 interface
global (DMZ) 1 interface
nat (Inside) 1 access-list Inside_nat_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255
static (DMZ,Inside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255

Many thanks.

6 Replies

victor_87 (Level 1)

In the first command you say the outside interface is associated with the 212.***** IP address; in the next command you say that it is associated to the inside interface. A single subnet cannot be associated to two different interfaces. That's my logic.

Anyone else could explain better ??

Hi Victor,

Thanks for your response. My understanding from the documentation was that traffic can't traverse between interfaces without a NAT. So every interface (Outside and Inside) which needs to have visibility of the address (212.*.*.2) needs a static NAT connecting them to the source IP. I think you're correct in that you couldn't associate a subnet with more than one interface, but these static NATs have a host mask. I believe this is a form of hairpinning.

Regards.

You must have misinterpreted the documentation you read; NAT is not mandatory for traffic to traverse interfaces.

Traffic can traverse interfaces using mere routing on a PIX or ASA. You only require appropriate access-lists allowing traffic into the higher security interfaces.

Sorry, I was driving to work and suddenly I realised that I screwed up the last reply completely. You indeed read the documentation right and NAT is mandatory to traverse interfaces,

but instead of using a different IP to NAT

you can use something like

static (inside,DMZ) 10.0.0.2 10.0.0.2 netmask 255.255.255.255

this will do the job without changing anything.

Sorry again for the wrong replies.

Hi Victor,

No problem, any feedback is very much appreciated.

From what I can see, the line below…

static (inside,DMZ) 10.0.0.2 10.0.0.2 netmask 255.255.255.255

…would present the Inside address of 10.0.0.2 to the DMZ as 10.0.0.2. I would have transposed the interfaces, but I guess static NATs are bi-directional so it doesn't make any difference. I would have thought that the NAT-to-DMZ PAT would have taken care of this though.

global (DMZ) 1 interface

nat (Inside) 1 access-list Inside_nat_outbound

Should I remove my PAT and replace it with your suggested static NAT?

Cheers.

Your config is good enough, it must work without any issues.
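The thread never settles how the ASA will actually present 10.0.0.2 to each interface once both statics and the PAT rules are in place. The script below is an added example, not code from the thread or from Cisco: it parses the pre-8.3 `global` / `nat` / `static` syntax used in the original post, applies the documented precedence (static entries before dynamic nat/global pairs), and reports how a given real host appears to a given destination interface. The sample config is the poster's, with the masked 212.*.*.2 replaced by the documentation address 203.0.113.2 as a placeholder. Because the contents of the `Inside_nat_outbound` access list are not on the page, ACL-scoped nat statements are only honoured when the caller passes `acl_match=True`.

```python
"""Resolve pre-8.3 ASA NAT (global / nat / static) for a real host and a destination interface."""
import ipaddress
import re

# Syntax as it appears in the thread (ASA 8.0): static (real_ifc,mapped_ifc) mapped real netmask m
STATIC_RE = re.compile(r"^static\s*\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s*(\S+)\s+(\S+)\s+netmask\s+(\S+)", re.I)
NAT_RE = re.compile(r"^nat\s*\(\s*(\S+?)\s*\)\s*(\d+)\s+(.+)$", re.I)
GLOBAL_RE = re.compile(r"^global\s*\(\s*(\S+?)\s*\)\s*(\d+)\s+(\S+)", re.I)


class NatConfig:
    def __init__(self):
        self.statics = []   # (real_ifc, mapped_ifc, mapped_net, real_net) in config order
        self.nats = []      # (real_ifc, nat_id, real_net or None when ACL-scoped)
        self.globals = {}   # (mapped_ifc, nat_id) -> "interface" or a pool address

    @classmethod
    def parse(cls, text):
        cfg = cls()
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("!"):
                continue
            m = STATIC_RE.match(line)
            if m:
                real_ifc, mapped_ifc, mapped_ip, real_ip, mask = m.groups()
                cfg.statics.append((real_ifc.lower(), mapped_ifc.lower(),
                                    ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False),
                                    ipaddress.ip_network(f"{real_ip}/{mask}", strict=False)))
                continue
            m = NAT_RE.match(line)
            if m:
                real_ifc, nat_id, rest = m.groups()
                parts = rest.split()
                if parts[0].lower() == "access-list":
                    cfg.nats.append((real_ifc.lower(), int(nat_id), None))
                else:  # "nat (ifc) id net mask"
                    cfg.nats.append((real_ifc.lower(), int(nat_id),
                                     ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)))
                continue
            m = GLOBAL_RE.match(line)
            if m:
                mapped_ifc, nat_id, pool = m.groups()
                cfg.globals[(mapped_ifc.lower(), int(nat_id))] = pool
        return cfg

    def resolve(self, real_ifc, real_ip, mapped_ifc, acl_match=False):
        """Return (kind, mapped) describing how real_ip behind real_ifc is seen from mapped_ifc.

        kind is "static", "pat-interface", "dynamic" or "none".  Static entries are
        checked first because they take precedence over nat/global pairs on pre-8.3 code.
        """
        real_ifc, mapped_ifc = real_ifc.lower(), mapped_ifc.lower()
        addr = ipaddress.ip_address(real_ip)
        for s_real, s_mapped, mapped_net, real_net in self.statics:
            if s_real == real_ifc and s_mapped == mapped_ifc and addr in real_net:
                offset = int(addr) - int(real_net.network_address)
                return ("static", str(mapped_net.network_address + offset))
        for n_ifc, nat_id, real_net in self.nats:
            if n_ifc != real_ifc:
                continue
            if real_net is None and not acl_match:   # ACL contents unknown: skip unless told it matches
                continue
            if real_net is not None and addr not in real_net:
                continue
            pool = self.globals.get((mapped_ifc, nat_id))
            if pool is None:                          # nat id has no global on this interface
                continue
            if pool.lower() == "interface":
                return ("pat-interface", mapped_ifc)
            return ("dynamic", pool)
        return ("none", None)


# Constructed sample: the poster's config with 203.0.113.2 standing in for the masked 212.*.*.2.
SAMPLE_CONFIG = """
global (Outside) 101 interface
global (DMZ) 1 interface
nat (Inside) 1 access-list Inside_nat_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) 203.0.113.2 10.0.0.2 netmask 255.255.255.255
static (DMZ,Inside) 203.0.113.2 10.0.0.2 netmask 255.255.255.255
"""


def view_of_dmz_server(cfg, real_ip="10.0.0.2"):
    """How the DMZ server appears from each of the other two interfaces."""
    return {ifc: cfg.resolve("DMZ", real_ip, ifc) for ifc in ("Outside", "Inside")}


if __name__ == "__main__":
    cfg = NatConfig.parse(SAMPLE_CONFIG)
    for ifc, how in view_of_dmz_server(cfg).items():
        print(f"10.0.0.2 as seen from {ifc}: {how}")
    print("other DMZ host -> Inside:", cfg.resolve("DMZ", "10.0.0.5", "Inside"))
    print("Inside host -> DMZ (ACL not matching):", cfg.resolve("Inside", "192.168.1.10", "DMZ"))
    print("Inside host -> DMZ (ACL matching):", cfg.resolve("Inside", "192.168.1.10", "DMZ", acl_match=True))
```

Running it on the sample shows what the poster's two statics do: 10.0.0.2 is presented as the public address towards both Outside and Inside, while any other DMZ host has no translation towards Inside at all (there is no `global (Inside) 101`), and Inside-to-DMZ traffic depends entirely on whether `Inside_nat_outbound` matches. That is the kind of table worth checking before adding or removing a static on a nat-control box.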
