Question regarding static NAT on ASA/PIX

d-fillmore
Level 2

Hi - When configuring static NAT, the configuration guide states that you use the format 'static (inside,dmz)' where your connections are going to be initiated from the inside to the DMZ.

Access-lists permitting, will this allow connections to be initiated from the DMZ interface to inside?

What I'm trying to work out is does it make any difference if I use 'static (inside,dmz)' or 'static (dmz,inside)'?

I have a requirement for traffic to be initiated in either direction between the inside and the DMZ. Can I do this with one static NAT translation, or do I need 2, one for each direction?

Many Thanks in advance

Dom

4 Replies

andrew.prince
Level 10

Dom,

If you have an (inside,dmz) static and the traffic happens to initiate from dmz to inside, the PIX/ASA should know what to do for reverse NAT, as long as your ACL allows it of course!

HTH

Jon Marshall
Hall of Fame

Dom

In addition to Andrew's post.

Static NAT is bi-directional, so source IP and destination IP are relative to the inside and dmz interfaces of the firewall.

So

static (inside,dmz) 192.168.2.40 10.10.10.40 netmask 255.255.255.255

means

1) traffic from a source IP on the inside of 10.10.10.40 will be natted to 192.168.2.40 as it leaves the dmz interface of the firewall

2) traffic from the dmz with a destination IP address of 192.168.2.40 will be natted to 10.10.10.40 as it leaves the inside interface of the firewall

static (dmz,inside) 192.168.2.40 10.10.10.40 netmask 255.255.255.255

means

1) traffic from the inside with a destination IP of 192.168.2.40 will be natted to 10.10.10.40 as it leaves the dmz interface of the firewall

2) traffic from the dmz with a source IP address of 10.10.10.40 will be translated to 192.168.2.40 as it leaves the inside interface of the firewall.

Jon

Hi Jon, Andrew,

Thanks for your replies

I understand the syntax and what they mean; I'm trying to work out if it matters if you use:

static (inside,dmz) 192.168.2.40 10.10.10.40 netmask 255.255.255.255

or

static (dmz,inside) 10.10.10.40 192.168.2.40 netmask 255.255.255.255

Do you always base it on where the traffic is going to be originated from? E.g. if I use

static (dmz,inside) 10.10.10.40 192.168.2.40 netmask 255.255.255.255

Will that also allow connection to be established from inside to DMZ as well as from DMZ to inside?

If I have a situation whereby traffic is going to be initiated in both directions, do I need two translations?

Cheers, Dom

Dom

I understand the syntax and what they mean; I'm trying to work out if it matters if you use:

static (inside,dmz) 192.168.2.40 10.10.10.40 netmask 255.255.255.255

or

static (dmz,inside) 10.10.10.40 192.168.2.40 netmask 255.255.255.255

With the greatest respect, I'm not sure you do understand the syntax, because the 2 statements do not do the same thing, i.e.

1) static (inside,dmz) 192.168.2.40 10.10.10.40 netmask 255.255.255.255

means present an inside address of 10.10.10.40 as 192.168.2.40 to the DMZ.

so traffic from an inside source address of 10.10.10.40 to the DMZ will be translated to a source address of 192.168.2.40 when it arrives on the DMZ

AND

traffic sent to the destination address of 192.168.2.40 from the DMZ will be translated to 10.10.10.40 when it arrives on the inside.

2) static (dmz,inside) 10.10.10.40 192.168.2.40 netmask 255.255.255.255

means present the DMZ destination address of 192.168.2.40 as 10.10.10.40 to the inside

so traffic from any inside source address with a destination address of 10.10.10.40 will have the destination address changed to 192.168.2.40 as it arrives on the DMZ. But note this is the destination address, not the source address

AND

traffic from a source IP address of 192.168.2.40 on the DMZ will have the source IP address changed to 10.10.10.40 when it arrives on the inside. Again note this is the source not the destination address.

"If I have a situation whereby traffic is going to be initiated in both directions, do I need two translations?"

No, because as already stated static NAT is bi-directional, which means traffic can be initiated from either direction and the one static NAT statement will take care of it.

Jon
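To make the two readings above concrete, here is an added example (my own Python model, not code from this thread or from Cisco) that parses a `static (real_if,mapped_if) mapped_ip real_ip` line and applies it to sample packets in both directions. It assumes host (/32) statics and ignores the netmask keyword; the packets, interface names and the `172.16.1.5` / `10.1.1.1` peer addresses are constructed for the demonstration. Running it shows that one statement translates in both directions, and that `static (inside,dmz) 192.168.2.40 10.10.10.40` and `static (dmz,inside) 10.10.10.40 192.168.2.40` translate different hosts. Whether a DMZ-initiated connection is actually allowed is still decided by the ACL on the dmz interface, which this model does not evaluate.

```python
"""Model of PIX/ASA pre-8.3 'static' semantics (added example, not Cisco code).

static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255

  real_if -> mapped_if : a packet whose SOURCE is real_ip leaves with source mapped_ip
  mapped_if -> real_if : a packet whose DESTINATION is mapped_ip leaves with dest real_ip

Both directions come from the same statement, which is what "bi-directional" means.
Only /32 statics are modelled; the netmask keyword is parsed but not used.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Static:
    real_if: str     # interface where the real (untranslated) host lives
    mapped_if: str   # interface on which the host is presented as mapped_ip
    mapped_ip: str
    real_ip: str


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrives on
    out_if: str  # interface the packet leaves from
    src: str
    dst: str


def parse_static(line: str) -> Static:
    """Parse one 'static (a,b) mapped real [netmask m]' line."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "static":
        raise ValueError(f"not a static statement: {line!r}")
    ifaces = parts[1].strip("()").split(",")
    if len(ifaces) != 2:
        raise ValueError(f"expected (real_if,mapped_if), got {parts[1]!r}")
    return Static(real_if=ifaces[0], mapped_if=ifaces[1],
                  mapped_ip=parts[2], real_ip=parts[3])


def apply_static(st: Static, pkt: Packet) -> Packet:
    """Return the packet as it leaves out_if after this static is applied."""
    # real -> mapped direction: rewrite the source address
    if pkt.in_if == st.real_if and pkt.out_if == st.mapped_if and pkt.src == st.real_ip:
        return replace(pkt, src=st.mapped_ip)
    # mapped -> real direction: rewrite the destination address
    if pkt.in_if == st.mapped_if and pkt.out_if == st.real_if and pkt.dst == st.mapped_ip:
        return replace(pkt, dst=st.real_ip)
    return pkt  # statement does not apply; addresses unchanged


def demo() -> dict:
    """Apply the thread's two statements to constructed packets in both directions."""
    a = parse_static("static (inside,dmz) 192.168.2.40 10.10.10.40 netmask 255.255.255.255")
    b = parse_static("static (dmz,inside) 10.10.10.40 192.168.2.40 netmask 255.255.255.255")
    # constructed peers: 172.16.1.5 on the DMZ, 10.1.1.1 on the inside
    return {
        # statement a: inside host 10.10.10.40 appears as 192.168.2.40 on the DMZ
        "a_inside_to_dmz": apply_static(a, Packet("inside", "dmz", "10.10.10.40", "172.16.1.5")),
        "a_dmz_to_inside": apply_static(a, Packet("dmz", "inside", "172.16.1.5", "192.168.2.40")),
        # statement b: DMZ host 192.168.2.40 appears as 10.10.10.40 on the inside
        "b_inside_to_dmz": apply_static(b, Packet("inside", "dmz", "10.1.1.1", "10.10.10.40")),
        "b_dmz_to_inside": apply_static(b, Packet("dmz", "inside", "192.168.2.40", "10.1.1.1")),
        # statement b does NOT touch an inside source of 10.10.10.40 heading to the DMZ
        "b_no_match": apply_static(b, Packet("inside", "dmz", "10.10.10.40", "172.16.1.5")),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:16} {pkt.in_if}->{pkt.out_if}  src={pkt.src}  dst={pkt.dst}")
```

The `a_*` entries reproduce reading 1) above and the `b_*` entries reading 2): the same statement handles a connection initiated from either side, but swapping the interface pair and the addresses changes which host is being presented, and to whom.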
