VPN to use static (dmz,inside)

Answered Question
Apr 15th, 2010

I have a server in my DMZ with address 192.168.0.1 and I need it to be visible to my LAN as 172.16.0.1, so I have created this static NAT statement:

static (dmz,inside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255

This works correctly and I can get to the DMZ server using the 'LAN address' of 172.16.0.1.

I have several VPNs and I need them to also connect to the DMZ server using the 'LAN address' of 172.16.0.1 rather than the real DMZ address. Is this possible, and if so, how?

I have a Cisco ASA 5520, ver 7.2(4).

Can somebody help me please?

Ian

Correct Answer
Federico Coto F... Thu, 04/15/2010 - 11:23

Hi,

If you create the appropriate NAT statement, you should be able to do it.

For example:

static (dmz,out) 172.16.0.1 192.168.0.1

Make sure that there is no NAT 0 access-list statement for 192.168.0.1 or for 172.16.0.1.

Federico.

i.harvey Thu, 04/22/2010 - 02:45

Hi Federico, sorry for the delay in responding, I have had a crazy amount of work to do recently.

It was the NAT 0 bit that stopped it working for me; I did wonder if it was affecting it, but I use the same 'no nat' statements on the "nat (inside) 0 acl" as for the "nat (dmz) 0 acl", and it works for the inside to DMZ traffic correctly (?)

If I keep the NAT 0 for the classful subnets, is it possible to have a DENY statement in the ACL? Hopefully this would allow the permitted traffic to pass between my LAN and DMZ using their real addresses (e.g. if I had servers with IPs 192.168.0.2, 192.168.100.3, etc.), but for the server with the real address of 192.168.0.1, I will need to use the NATed address of 172.16.0.1.

e.g.

access-list TEST extended deny ip host 192.168.0.1 host 172.16.0.1

access-list TEST extended deny ip host 172.16.0.1 host 192.168.0.1

access-list TEST extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list TEST extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0

nat (inside) 0 access-list TEST

nat (dmz) 0 access-list TEST

static (dmz,inside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255

static (dmz,outside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255

Many thanks for your help

Ian

i.harvey Thu, 04/22/2010 - 07:10

Hi - I have found a problem with this setup, as my server in the DMZ is a web proxy server.

I can now connect to it using its NATed address of 172.16.0.1, but because of the static (dmz,outside) 172.16.0.1 192.168.0.1, the server cannot get to the Internet. Instead of using the global outside address of the firewall it is using 172.16.0.1 and getting dumped.

i.harvey Thu, 04/22/2010 - 08:33

...fixed it (I think) using policy static natting:

e.g.

access-list TEST ext perm ip host 192.168.0.1 172.16.0.0 255.255.0.0

static (dmz,outside) 172.16.0.1 access-list TEST

i.harvey Mon, 04/26/2010 - 04:59

Hi Federico, I have it working for my LAN-to-LAN VPNs now, but not my remote access VPNs - the difference being that L2L VPNs have a subnet in the 172.16.0.0 range, but remote access VPNs have a subnet in the 192.168.0.0 range by default; I have one remote access VPN in the 172.16.0.0 range and it is working correctly. I have tried adding:

access-list TEST ext perm ip host 192.168.0.1 192.168.0.0 255.255.0.0

but this has not fixed it, so I am stumped at the moment.

Correct Answer
Federico Coto F... Mon, 04/26/2010 - 12:56

If the remote VPN access has a different network, you should add that new network under the NAT0 statement and under the split-tunneling ACL (in case you have one defined).

Could you post the relevant part of your configuration to help you out with the remote VPN access?

Federico.

i.harvey Thu, 04/29/2010 - 03:37

Hi Federico, I had an all-encompassing NAT0 statement that was stopping it from working (192.168.0.0/16 to 192.168.0.0/16) - once I removed this it fixed the problem - so I am able to use my static (dmz,inside) policy NAT from my inside LAN, my LAN-2-LAN VPNs and my Remote Access VPNs.

Thank you very much for all your help.

Now that everything is 'working' I have a new problem: because this is meant for a web-proxy server, this configuration now stops the true source IP from getting to the server, thereby breaking the logging of web requests for audit purposes. The server 'sees' the firewall interface IP for all web requests - I shall start a new thread for this.

p.s. it will be a nightmare trying to extract the relevant rules to post :-(
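The three states the thread went through (regular static breaking Internet egress, policy static fixing it, and a broad nat 0 exemption overriding the policy static for remote-access clients) follow from the pre-8.3 ASA NAT order of operations: exemption, then policy static, then regular static, then dynamic nat/global. The model below is an added example, not configuration from the thread or from Cisco; the remote-access pool 192.168.50.0/24, the L2L subnet 172.16.10.0/24, the Internet host 198.51.100.7 and the outside PAT address 203.0.113.1 are constructed values.

```python
"""Simplified model of the Cisco ASA 7.x (pre-8.3) NAT order of operations,
applied to flows between the DMZ web proxy and a destination. Exemption and
static NAT are bidirectional on the ASA, so the same rule that is chosen here
decides whether a client's connection to the mapped 172.16.0.1 can be built."""
from ipaddress import ip_address, ip_network

PROXY = "192.168.0.1"        # real DMZ address from the thread
MAPPED = "172.16.0.1"        # 'LAN address' the thread wants to present
OUTSIDE_PAT = "203.0.113.1"  # constructed: address from the outside 'global' pool


def in_net(addr, net):
    return ip_address(addr) in ip_network(net)


def translate_source(src, dst, exempt_acl, policy_acl, static_all):
    """Return the address the far side sees for a flow src -> dst.
    Rule order: 1) nat 0 access-list  2) policy static  3) regular static  4) nat/global."""
    for real_net, dst_net in exempt_acl:          # 1. exemption wins over every static
        if in_net(src, real_net) and in_net(dst, dst_net):
            return src
    for real_host, dst_net in policy_acl:         # 2. policy static: only for ACL destinations
        if src == real_host and in_net(dst, dst_net):
            return MAPPED
    if static_all and src == PROXY:               # 3. regular static: every destination
        return MAPPED
    return OUTSIDE_PAT                            # 4. dynamic nat/global for the rest


# 'static (dmz,outside) 172.16.0.1 192.168.0.1': Internet-bound traffic is also mapped
def regular_static(dst):
    return translate_source(PROXY, dst, exempt_acl=[], policy_acl=[], static_all=True)


# 'access-list TEST ext perm ip host 192.168.0.1 172.16.0.0 255.255.0.0' (plus the
# 192.168.0.0/16 line Ian added) with 'static (dmz,outside) 172.16.0.1 access-list TEST'
POLICY = [(PROXY, "172.16.0.0/16"), (PROXY, "192.168.0.0/16")]


def policy_static(dst):
    return translate_source(PROXY, dst, exempt_acl=[], policy_acl=POLICY, static_all=False)


# Same policy static, plus the all-encompassing nat 0 for 192.168.0.0/16 -> 192.168.0.0/16
def policy_static_with_broad_exemption(dst):
    return translate_source(PROXY, dst, exempt_acl=[("192.168.0.0/16", "192.168.0.0/16")],
                            policy_acl=POLICY, static_all=False)


if __name__ == "__main__":
    for dst in ("198.51.100.7", "172.16.10.5", "192.168.50.10"):  # Internet, L2L peer, RA client
        print(dst, regular_static(dst), policy_static(dst), policy_static_with_broad_exemption(dst))
```

The remote-access client case is the one the thread closed on: with the broad exemption in place the flow to 192.168.50.10 is exempt, so the 172.16.0.1 mapping never applies, however the policy ACL is written.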
