Firewall translations

Hello,

I did this exercise a long time ago, but I can't recollect how it was done, and I was wondering if somebody could shed some light on it.


I have a machine in the LAN with a 10.10.x.xxx address scheme. I'd like to translate this address to another private address in the 192.168.x.xxx subnet and map a public address to this NAT'd address. So it will look like:


Cloud > Public Address > Firewall > 192.168.x.xxx > 10.10.x.xxx


The machine is physically placed in the 10.10.x.xxx subnet, and I'd like the firewall to route requests coming from cloud > public address > 192.168.x.xxx > 10.10.x.xxx without physically placing the server in the 192.168.x.xxx subnet.


Thanks in advance

Collin Clark Tue, 12/01/2009 - 06:53

It would be cleaner to translate the public to the 10 address, but I'll assume there is a reason that can't be done.


Cloud > Public Address > Firewall > 192.168.x.xxx > 10.10.x.xxx

static (inside,outside) [public ip] 192.168.x.xxx netmask 255.255.255.255


On the next hop (in red):

Cloud > Public Address > Firewall > 192.168.x.xxx > 10.10.x.xxx

static (inside,outside) [192.168.x.xxx] 10.10.x.xxx netmask 255.255.255.255


Hope that helps.

Hello,


I have a machine located in the LAN with a Class C private address. I have a perimeter network with its own address scheme.


I'd like to have the machine in the LAN do a static mapping to the DMZ address, and then do a static mapping of the DMZ address to the public address. I don't want to expose the machine's identity by translating the internal address directly to the public address. I want packets going out to the Internet to come from the DMZ address.


For example:


LAN > DMZ

DMZ > Public address

Public address > Internet


There won't be a physical machine located in the DMZ. I'd like to have the ASA perform all the translations and routing. If required, I can plug in an entry for DNS.


How could I achieve this?


Thanks in advance

Florin Barhala Wed, 05/18/2011 - 08:56

static (Dmz, Lan) Lan_IP Dmz_IP netmask 255.255.255.255

static (Lan, Internet) tcp interface external_port Lan_IP internal_port netmask 255.255.255.255


I assumed you can do a 1:1 NAT between the LAN and the DMZ, as you can afford to waste 2 private IP addresses, but for LAN to Internet you just port-forward some ports.


Don't forget the firewall!!!


access-group Internet_in in interface Internet

access-group Dmz_in in interface DMZ


And the security levels:


interface Ethernet0/0
nameif Internet
security-level 0
ip address Internet_IP 255.255.255.192
!
interface Ethernet0/1
nameif Lan
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
nameif Dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
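A worked configuration for the reply above, added here as an example and not part of the thread: it fills in the access-lists the two access-group lines refer to, using the interface names and subnets from the reply and pre-8.3 static syntax (static (real_ifc,mapped_ifc) mapped_ip real_ip). The host 192.168.10.50, its DMZ identity 10.0.0.50, the outside address 203.0.113.10 and port 443 are constructed placeholders; 8.3 and later use object network / nat instead.

```cisco
! Added example, pre-8.3 ASA syntax. All addresses are constructed placeholders.
!
! 1:1 static: the real LAN host 192.168.10.50 is seen from the Dmz as 10.0.0.50.
! Because Dmz (50) is lower than Lan (100), the Dmz_in ACL still decides which
! DMZ-initiated connections may reach 10.0.0.50; the static alone opens nothing.
static (Lan,Dmz) 10.0.0.50 192.168.10.50 netmask 255.255.255.255
!
! Port-forward only: TCP/443 on the Internet interface address goes to the LAN host.
! Using "interface" keeps the single public address shared for everything else.
static (Lan,Internet) tcp interface 443 192.168.10.50 443 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the mapped (post-NAT, as seen on that interface) address,
! so Internet_in references the outside address, not the 192.168.10.50 host.
access-list Internet_in extended permit tcp any host 203.0.113.10 eq 443
access-list Internet_in extended deny ip any any log
!
! From the DMZ the host is only reachable through its 10.0.0.50 identity.
access-list Dmz_in extended permit tcp 10.0.0.0 255.255.255.0 host 10.0.0.50 eq 443
access-list Dmz_in extended deny ip any any log
!
access-group Internet_in in interface Internet
access-group Dmz_in in interface Dmz
```

The explicit deny ... log lines only make the implicit deny visible in syslog, which is what you want when checking that nothing else reaches the host through either static.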
