Questions Regarding NAT on PIX/ASA

Answered Question
Apr 12th, 2010

Hello Everyone,


I've done a bit of reading on the topic of NAT on the PIX/ASA but still have a few questions that I'm looking for clarification on.


Based on the diagram attached, I'm thinking there are 3 ways to get this working with NAT. There is no need on the PIX/ASA in the diagram to allow the users to access the Internet. The Internet here is used only as a method to establish a LAN-to-LAN IPSec tunnel.



Method 1: no nat-control command. This should exempt ALL traffic from NAT, right?


----------------------------

Method 2: Static command


static (Inside,DMZ) 10.132.1.0 10.132.1.0 netmask 255.255.255.0 0 0
static (Inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.240.0 0 0
static (Inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.240.0 0 0
static (Inside,DMZ) 10.3.3.0 10.3.3.0 netmask 255.255.240.0 0 0


static (DMZ,Inside) 10.132.65.0 10.132.65.0 netmask 255.255.255.0 0 0
static (DMZ,Inside) 10.132.65.0 10.132.65.0 netmask 255.255.255.0 0 0


static (Outside,DMZ) 10.16.1.0 10.16.1.0 netmask 255.255.255.0 0 0


-------------------------

Method 3: NAT/Global command


nat (Inside) 0 10.132.1.0 255.255.255.0
nat (Inside) 0 10.1.1.0 255.255.255.0
nat (Inside) 0 10.2.2.0 255.255.255.0
nat (Inside) 0 10.3.3.0 255.255.255.0


nat (DMZ) 0 10.132.65.0 255.255.255.0


nat (Outside) 0 10.16.1.0 255.255.255.0


or possibly this could work as well?


nat (Inside) 0 0.0.0.0 0.0.0.0

nat (DMZ) 0 0.0.0.0 0.0.0.0

nat (Outside) 0 0.0.0.0 0.0.0.0



- Do I also need "global" statements like these in order for the "nat" commands to work properly or is that just needed if I was sending traffic to the Internet so the clients could browse websites?

global (Outside) 0 interface
global (DMZ) 0 interface
global (Inside) 0 interface


- For traffic going from an interface with higher security level to a lower one, traffic should be allowed I believe.


- If going from a lower security level to a higher one, I know I need an ACL to permit the traffic.


- Do I also need a static NAT translation?


- Would the "nat (DMZ) 0 10.132.65.0 255.255.255.0" command work to exempt NAT on traffic from the lower security level interface to a higher one or would only the static NAT translation be looked at for this?


- If both "static" and "nat" commands are configured, are the "static" commands looked at first, before the "nat" commands?




Thanks for the help!


-Pete

Correct Answer by Federico Coto F... Mon, 04/12/2010 - 08:27

Hi,


For traffic to flow from lower-security to higher-security interface you need:

STATIC NAT and ACL

If you have NAT-CONTROL disabled, you only need an ACL.


For traffic to flow from higher-security to lower-security interface you need:

NAT

If you have NAT-CONTROL disabled, you don't need any other commands.

If there's an existing ACL, it should allow the traffic.


NAT order of operation:


1. NAT 0 access-list

2. STATIC NAT/PAT

3. Policy NAT

4. Dynamic NAT/PAT


Federico.
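As an added example (not from the thread and not Cisco code), a small Python model of the two rules in the answer and the NAT order of operation, run against Pete's own static and identity-nat lines. The interface security levels and the treatment of "nat 0" without an access-list as a dynamic rule are assumptions.

```python
import ipaddress

# Interface security levels: an assumption, the thread does not state them.
SEC_LEVEL = {"Inside": 100, "DMZ": 50, "Outside": 0}

# NAT order of operation from the answer. Identity "nat 0" without an access-list is
# treated as regular dynamic NAT (last), so it only translates a higher-to-lower source.
ORDER = ("nat0-acl", "static", "policy", "dynamic")

def lookup(rules, src_if, dst_if, src_ip, dst_ip):
    """Return the first rule, in order of operation, that translates this flow, else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    higher_to_lower = SEC_LEVEL[src_if] > SEC_LEVEL[dst_if]
    for kind in ORDER:
        for r in [x for x in rules if x["kind"] == kind]:
            if kind == "nat0-acl":  # exemption is checked in both directions
                if (r["real_if"] == src_if and src in r["real"] and dst in r["peer"]) or \
                   (r["real_if"] == dst_if and dst in r["real"] and src in r["peer"]):
                    return r
            elif kind == "static":  # real->mapped translates the source, mapped->real the destination
                if r["real_if"] == src_if and r["mapped_if"] == dst_if and src in r["real"]:
                    return r
                if r["real_if"] == dst_if and r["mapped_if"] == src_if and dst in r["mapped"]:
                    return r
            elif higher_to_lower and r["real_if"] == src_if and src in r["real"]:
                return r  # policy and dynamic NAT only translate a higher-to-lower source
    return None

def allowed(rules, nat_control, acl_on, src_if, dst_if, src_ip, dst_ip):
    """Lower-to-higher always needs an inbound ACL (acl_on = interfaces that have one);
    with nat-control on, the flow must also match a translation."""
    if SEC_LEVEL[src_if] < SEC_LEVEL[dst_if] and src_if not in acl_on:
        return False, "lower-to-higher: no ACL on " + src_if
    if not nat_control:
        return True, "no nat-control: translation not required"
    rule = lookup(rules, src_if, dst_if, src_ip, dst_ip)
    if rule is None:
        return False, "nat-control: no translation matched"
    return True, "nat-control: matched " + rule["kind"]

# Constructed from Pete's Method 2 and Method 3 lines: one static, one identity nat.
RULES = [
    {"kind": "static", "real_if": "Inside", "mapped_if": "DMZ",
     "real": ipaddress.ip_network("10.132.1.0/24"), "mapped": ipaddress.ip_network("10.132.1.0/24")},
    {"kind": "dynamic", "real_if": "DMZ", "real": ipaddress.ip_network("10.132.65.0/24")},
]
```

Running `allowed(RULES, True, {"Outside"}, "Outside", "DMZ", "10.16.1.5", "10.132.65.10")` shows the point behind Pete's last question: the identity nat on DMZ is never consulted for an Outside-initiated flow, so only a static (DMZ,Outside) would satisfy nat-control there.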

