Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
886
Views
10
Helpful
3
Replies

ASA "nat" "global" and static mapping question

wilson_1234_2
Level 3
Level 3

‎04-06-2009 12:37 PM - edited ‎03-11-2019 08:15 AM

I have some questions about "nat" "global" config and static mapping.

If I have the following:

interface 0/0

nameif inside

security level 100

interface 0/1

nameif DMZ1

security level 25

interface 0/2

nameif DMZ2

security level 50

interface 0/3

nameif DMZ3

security level 75

global (DMZ3) 1 interface

global (DMZ2) 1 interface

global (DMZ1) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (DMZ2,DMZ1) 192.168.2.1 192.168.2.1 netmask 255.255.255.255

static (DMZ3,DMZ1) 192.168.3.1 192.168.3.1 netmask 255.255.255.255

static (inside,DMZ1) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

static (inside,DMZ2) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

static (inside,DMZ3) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

Is the traffic flow for the "nat" "global" statement stricktly for inside out?

For example I am telling the ASA to allow any host on the inside interface to communicate with anything on the three different DMS interfaces, and to use the ip address of the interface to do this communication.

Correct?

If so, is this one-way, for traffic originating from the inside interface to the other interfaces?

Or, are the static mappings I have here doing the same thing, but take priority over the "nat" "global" statements?

Which would mean that host 10.1.1.10 can communicate with any of the other three DMZ interfaces and will be seen as 10.1.1.10 and with this mapping alone, communication would be both ways (with an access-list from lower security to higher security interface).

Labels:
0 Helpful
3 Replies 3

John Blakley
VIP Alumni
VIP Alumni

‎04-06-2009 01:52 PM

"Is the traffic flow for the "nat" "global" statement stricktly for inside out?"

Not necessarily. You can have statics that reference the interface which would turn it into bidirectional nat.

global (outside) 1 interface

nat (inside) 1 0 0

static (dmz1,outside) tcp interface 80 192.168.1.50 80 netmask 255.255.255.255

In your config, you would be allowing anyone behind the inside interface to go out as the corresponding DMZs address.

Your statics create bidirectional nat. The statics above for example:

static (dmz2,dmz1) 192.168.2.1 192.168.2.1 netmask 255.255.255.255

tells the ASA for DMZ2 (assuming 192.168.2.x belongs to dmz2) to present itself with no nat. If DMZ1 has traffic that needs to be sent to DMZ2, it will appear to DMZ2 as 192.168.2.1.

"Which would mean that host 10.1.1.10 can communicate with any of the other three DMZ interfaces and will be seen as 10.1.1.10 and with this mapping alone, communication would be both ways (with an access-list from lower security to higher security interface)."

Absolutely.

HTH,

John

HTH, John *** Please rate all useful posts ***

wilson_1234_2
Level 3
Level 3
In response to John Blakley

‎04-06-2009 04:03 PM

In your example:

global (outside) 1 interface

nat (inside) 1 0 0

static (dmz1,outside) tcp interface 80 192.168.1.50 80 netmask 255.255.255.255

Doesn't this show the nat/global as outbound only?

I guess in my example:

global (DMZ2) 1 interface

global (DMZ1) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,DMZ1) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

static (inside,DMZ2) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

static (inside,DMZ3) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

I am asking if the nat/global is doing the same thing as the static, but the static has priority over the nat/global?

If the user is anything other than 10.1.1.10, the traffic will be nated to the interface ip address, if it is 10.1.1.10, it does not get nated, is this correct?

Also, the nat/global is on way and the static is bidirectional.

Is this correct?

0 Helpful

sdoremus33
Level 3
Level 3
In response to wilson_1234_2

‎04-06-2009 05:19 PM

From my understanding

global (DMZ2) 1 interface

global (DMZ1) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Basically means that any source traffic on the inside via the nat (inside) 1 0.0.0.0 0.0.0.0

will get Pat(d) to either the DMZ1 or DMZ2 So if a user at 10.1.1.x wants access to DMZ1 then the ASA device will take that internal ip 10.1.1.x and present the src as yhe interface of DMZ1, and the same for DMZ2: This is an example of Dyn PAT which takes the inside src address and xlates to the DMZ1 interface Dyn PAT occurs last in the NAT order of operations. Next you have 3 statics

static (inside,DMZ1) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

static (inside,DMZ2) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

static (inside,DMZ3) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

This instructs the router to run static Nat 3rd in Nat order operations. Is that correct

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card