04-06-2009 12:37 PM - edited 03-11-2019 08:15 AM
I have some questions about "nat" "global" config and static mapping.
If I have the following:
interface 0/0
nameif inside
security-level 100
interface 0/1
nameif DMZ1
security-level 25
interface 0/2
nameif DMZ2
security-level 50
interface 0/3
nameif DMZ3
security-level 75
global (DMZ3) 1 interface
global (DMZ2) 1 interface
global (DMZ1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ2,DMZ1) 192.168.2.1 192.168.2.1 netmask 255.255.255.255
static (DMZ3,DMZ1) 192.168.3.1 192.168.3.1 netmask 255.255.255.255
static (inside,DMZ1) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
static (inside,DMZ2) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
static (inside,DMZ3) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
Is the traffic flow for the "nat" "global" statement strictly for inside out?
For example, I am telling the ASA to allow any host on the inside interface to communicate with anything on the three different DMZ interfaces, and to use the IP address of the interface to do this communication.
Correct?
If so, is this one-way, for traffic originating from the inside interface to the other interfaces?
Or, are the static mappings I have here doing the same thing, but taking priority over the "nat" "global" statements?
Which would mean that host 10.1.1.10 can communicate with any of the other three DMZ interfaces and will be seen as 10.1.1.10 and with this mapping alone, communication would be both ways (with an access-list from lower security to higher security interface).
04-06-2009 01:52 PM
"Is the traffic flow for the "nat" "global" statement strictly for inside out?"
Not necessarily. You can have statics that reference the interface which would turn it into bidirectional nat.
global (outside) 1 interface
nat (inside) 1 0 0
static (dmz1,outside) tcp interface 80 192.168.1.50 80 netmask 255.255.255.255
In your config, you would be allowing anyone behind the inside interface to go out as the corresponding DMZ's address.
Your statics create bidirectional nat. The statics above for example:
static (dmz2,dmz1) 192.168.2.1 192.168.2.1 netmask 255.255.255.255
tells the ASA for DMZ2 (assuming 192.168.2.x belongs to dmz2) to present itself with no nat. If DMZ1 has traffic that needs to be sent to DMZ2, it will appear to DMZ2 as 192.168.2.1.
"Which would mean that host 10.1.1.10 can communicate with any of the other three DMZ interfaces and will be seen as 10.1.1.10 and with this mapping alone, communication would be both ways (with an access-list from lower security to higher security interface)."
Absolutely.
HTH,
John
04-06-2009 04:03 PM
In your example:
global (outside) 1 interface
nat (inside) 1 0 0
static (dmz1,outside) tcp interface 80 192.168.1.50 80 netmask 255.255.255.255
Doesn't this show the nat/global as outbound only?
I guess in my example:
global (DMZ2) 1 interface
global (DMZ1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,DMZ1) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
static (inside,DMZ2) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
static (inside,DMZ3) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
I am asking if the nat/global is doing the same thing as the static, but the static has priority over the nat/global?
If the user is anything other than 10.1.1.10, the traffic will be NATed to the interface IP address; if it is 10.1.1.10, it does not get NATed. Is this correct?
Also, the nat/global is one way and the static is bidirectional.
Is this correct?
04-06-2009 05:19 PM
From my understanding
global (DMZ2) 1 interface
global (DMZ1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Basically means that any source traffic on the inside, via the nat (inside) 1 0.0.0.0 0.0.0.0,
will get PATed to either DMZ1 or DMZ2. So if a user at 10.1.1.x wants access to DMZ1, then the ASA will take that internal IP 10.1.1.x and present the source as the interface of DMZ1, and the same for DMZ2. This is an example of dynamic PAT, which takes the inside source address and translates it to the DMZ1 interface; dynamic PAT occurs last in the NAT order of operations. Next you have 3 statics:
static (inside,DMZ1) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
static (inside,DMZ2) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
static (inside,DMZ3) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
This instructs the router to run static NAT 3rd in the NAT order of operations. Is that correct?
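The rule ordering discussed in the replies above (statics checked before the nat/global dynamic PAT, statics working in both directions, nat/global only for connections that start on the nat-side interface), as an added example that is not part of this thread and not Cisco's code: a small Python model of pre-8.3 ASA translation selection for the poster's configuration. Interface names and addresses are taken from the thread; the function `translate` and the `interface-IP(...)` placeholder for a PAT address are my own.

```python
# Added example (not from the thread): toy model of how a pre-8.3 ASA picks a
# translation for a NEW connection under the configuration discussed above.
# It does not model ACLs: a static only creates the xlate, the lower-to-higher
# security direction still needs an access-list, as the posters note.

STATICS = [  # (real_ifc, mapped_ifc, real_ip, mapped_ip), from the poster's config
    ("DMZ2", "DMZ1", "192.168.2.1", "192.168.2.1"),
    ("DMZ3", "DMZ1", "192.168.3.1", "192.168.3.1"),
    ("inside", "DMZ1", "10.1.1.10", "10.1.1.10"),
    ("inside", "DMZ2", "10.1.1.10", "10.1.1.10"),
    ("inside", "DMZ3", "10.1.1.10", "10.1.1.10"),
]
NAT_IDS = {"inside": 1}           # nat (inside) 1 0.0.0.0 0.0.0.0
GLOBAL_POOLS = {                  # global (<ifc>) 1 interface
    ("DMZ1", 1): "interface-IP(DMZ1)",
    ("DMZ2", 1): "interface-IP(DMZ2)",
    ("DMZ3", 1): "interface-IP(DMZ3)",
}


def translate(src_ip, dst_ip, ingress, egress):
    """Return (new_src, new_dst, rule) for a new connection, or None when
    no translation rule covers this flow (placeholder for 'no xlate')."""
    # 1. Statics are consulted first and apply in both directions.
    for real_ifc, mapped_ifc, real_ip, mapped_ip in STATICS:
        # Real side -> mapped side: the SOURCE is rewritten.
        if (ingress, egress) == (real_ifc, mapped_ifc) and src_ip == real_ip:
            return mapped_ip, dst_ip, "static"
        # Mapped side -> real side: the DESTINATION is un-mapped. This is the
        # reverse direction that the nat/global pair alone never provides.
        if (ingress, egress) == (mapped_ifc, real_ifc) and dst_ip == mapped_ip:
            return src_ip, real_ip, "static-reverse"
    # 2. Dynamic PAT via nat/global, evaluated last and only for flows that
    #    originate on an interface carrying a matching 'nat' statement.
    nat_id = NAT_IDS.get(ingress)
    if nat_id is not None and (egress, nat_id) in GLOBAL_POOLS:
        return GLOBAL_POOLS[(egress, nat_id)], dst_ip, "dynamic-pat"
    return None


if __name__ == "__main__":
    # Constructed sample flows; 192.168.1.5 stands in for a DMZ1 host.
    for flow in [("10.1.1.10", "192.168.1.5", "inside", "DMZ1"),
                 ("10.1.1.25", "192.168.1.5", "inside", "DMZ1"),
                 ("192.168.1.5", "10.1.1.10", "DMZ1", "inside"),
                 ("192.168.1.5", "10.1.1.25", "DMZ1", "inside")]:
        print(flow, "->", translate(*flow))
```

The last sample flow returns None: a DMZ1 host reaching for an inside address that is only covered by the nat/global pair has no translation to ride, which is the one-way behaviour the thread describes.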