04-15-2010 07:42 AM - edited 03-11-2019 10:33 AM
I have a server in my DMZ with address 192.168.0.1 and I need it to be visible to my LAN as 172.16.0.1, so I have created this static NAT statement:
static (dmz,inside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255
This works correctly and I can get to the DMZ server using the 'LAN address' of 172.16.0.1.
I have several VPNs and I need them to also connect to the DMZ server using the 'LAN address' of 172.16.0.1 rather than the real DMZ address. Is this possible, and if so, how?
I have a Cisco ASA 5520 ver 7.2(4)
Can somebody help me please?
Ian
04-15-2010 11:23 AM
Hi,
If you create the appropriate NAT statement, you should be able to do it.
For example:
static (dmz,out) 172.16.0.1 192.168.0.1
Make sure that there is no NAT 0 access-list statement for 192.168.0.1 or for 172.16.0.1.
Federico.
04-22-2010 02:45 AM
Hi Federico, sorry for the delay in responding, I have had a crazy amount of work to do recently.
It was the NAT 0 bit that stopped it working for me; I did wonder if it was affecting it, but I use the same 'no nat' statements on the "nat (inside) 0 acl" as for the "nat (dmz) 0 acl", and it works for the inside to dmz traffic correctly (?)
If I keep the NAT 0 for the classful subnets, is it possible to have a DENY statement in the ACL? Hopefully this would allow the permitted traffic to pass between my LAN and DMZ using their real addresses (e.g. if I had servers with IPs 192.168.0.2, 192.168.100.3, etc), but for the server with the real address of 192.168.0.1, I will need to use the NATed address of 172.16.0.1
e.g.
access-list TEST extended deny ip host 192.168.0.1 host 172.16.0.1
access-list TEST extended deny ip host 172.16.0.1 host 192.168.0.1
access-list TEST extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list TEST extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list TEST
nat (dmz) 0 access-list TEST
static (dmz,inside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255
static (dmz,outside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255
Many thanks for your help
Ian
04-22-2010 07:10 AM
Hi - I have found a problem with this setup as my server in the DMZ is a web proxy server.
I can now connect to it using its NATed address of 172.16.0.1, but because of the static (dmz,outside) 172.16.0.1 192.168.0.1, the server cannot get to the internet. Instead of using the global outside address of the firewall it is using 172.16.0.1 and getting dumped.
04-22-2010 08:33 AM
...fixed it (I think) using policy static natting:
e.g.
access-list TEST ext perm ip host 192.168.0.1 172.16.0.0 255.255.0.0
static (dmz,outside) 172.16.0.1 access-list TEST
04-22-2010 10:42 AM
Ok, you got it working then?
Please let me know.
Thank you.
Federico.
04-26-2010 04:59 AM
Hi Federico, I have it working for my LAN-to-LAN VPNs now, but not my remote access VPNs. The difference is that L2L VPNs have a subnet in the 172.16.0.0 range, but remote access VPNs have a subnet in the 192.168.0.0 range by default; I have one remote access VPN in the 172.16.0.0 range and it is working correctly. I have tried adding:
access-list TEST ext perm ip host 192.168.0.1 192.168.0.0 255.255.0.0
but this has not fixed it, so I am stumped at the moment.
04-26-2010 12:56 PM
If the remote VPN access has a different network, you should add that new network under the NAT0 statement and under the split-tunneling ACL (in case you have one defined).
Could you post the relevant part of your configuration to help you out with the remote VPN access?
Federico.
04-29-2010 03:37 AM
Hi Federico, I had an all-encompassing NAT0 statement that was stopping it from working (192.168.0.0/16 to 192.168.0.0/16). Once I removed this it fixed the problem, so I am able to use my static (dmz,inside) policy NAT from my inside LAN, my LAN-to-LAN VPNs and my Remote Access VPNs.
Thank you very much for all your help.
Now that everything is 'working' I have a new problem in that because this is meant for a web-proxy server, this configuration now stops the true source IP from getting to the server, thereby breaking the logging of web requests for audit purposes. The server 'sees' the firewall interface IP for all web requests - I shall start a new thread for this.
p.s. it will be a nightmare trying to extract the relevant rules to post :-(
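The two things that bit Ian in this thread (a regular static (dmz,outside) hijacking the proxy's internet-bound traffic, and a wide nat 0 exemption silently winning over the policy static for remote-access clients) both come down to the order in which an ASA 7.x/8.2 picks a NAT rule: NAT exemption is checked first, then static and policy static in configuration order, and the first match wins. The toy model below is an added illustration written for this thread; it is not Cisco code and not Ian's running configuration. The ACL names NAT0_WIDE and TEST, the remote-access pool address, the L2L host and the internet address are constructed for the example.

```python
"""Toy model of the ASA 7.x/8.2 NAT selection order (added example, not Cisco code).

Only the behaviour discussed in the thread is modelled:
  1. a matching 'nat <iface> 0 access-list' exemption is evaluated before any
     static, so an exempted flow is never translated;
  2. a regular static translates every flow from the real host, whereas a
     policy static only translates flows its ACL matches.
Dynamic NAT / global pools are deliberately left out.
"""
from ipaddress import ip_address, ip_network

# Constructed ACLs; names and entries are assumptions for the example.
ACLS = {
    # Ian's all-encompassing exemption: 192.168.0.0/16 to 192.168.0.0/16
    "NAT0_WIDE": [("192.168.0.0/16", "192.168.0.0/16")],
    # Policy static ACL in the shape of the thread's TEST list
    "TEST": [("192.168.0.1/32", "172.16.0.0/16"),
             ("192.168.0.1/32", "192.168.0.0/16")],
}


def acl_permits(acl_name, src, dst):
    """True if any entry of the named ACL matches the (src, dst) pair."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in ACLS[acl_name])


def translate(rules, iface, src, dst):
    """Return (source address seen on the far side, reason) for a flow
    entering on 'iface'.

    rules is a list of tuples:
      ("exempt", real_iface, acl_name)
      ("static", real_iface, mapped_addr, real_net, acl_name_or_None)
    """
    # 1. NAT exemption (nat <iface> 0 access-list) wins over everything else.
    for r in rules:
        if r[0] == "exempt" and r[1] == iface and acl_permits(r[2], src, dst):
            return src, "nat 0 exemption via " + r[2]
    # 2. Static and policy static, in configuration order, first match wins.
    for r in rules:
        if r[0] != "static" or r[1] != iface:
            continue
        _, _, mapped, real, acl = r
        if ip_address(src) in ip_network(real):
            if acl is None or acl_permits(acl, src, dst):
                return mapped, "static " + real + " -> " + mapped
    # Anything else would fall through to dynamic NAT / global (not modelled).
    return src, "no translation"


# The regular static from Ian's 04-22 07:10 post: translates ALL dmz->outside
# traffic from the proxy, including internet-bound flows.
REGULAR = [("static", "dmz", "172.16.0.1", "192.168.0.1/32", None)]

# Policy static plus the wide exemption: the state Ian was in on 04-26.
BROKEN = [
    ("exempt", "dmz", "NAT0_WIDE"),
    ("static", "dmz", "172.16.0.1", "192.168.0.1/32", "TEST"),
]

# Same policy static with the wide exemption removed: the 04-29 fix.
FIXED = [r for r in BROKEN if r[0] != "exempt"]

if __name__ == "__main__":
    proxy = "192.168.0.1"
    ra_client = "192.168.200.10"   # constructed remote-access VPN pool address
    l2l_host = "172.16.50.5"       # constructed LAN-to-LAN VPN host
    internet = "203.0.113.9"       # constructed internet destination
    for name, rules in (("regular", REGULAR), ("broken", BROKEN), ("fixed", FIXED)):
        for dst in (ra_client, l2l_host, internet):
            print(f"{name:8} {proxy} -> {dst:16} {translate(rules, 'dmz', proxy, dst)}")
```

Running it shows the regular static mapping the proxy to 172.16.0.1 even towards the internet address (the "getting dumped" symptom), the broken set leaving the proxy untranslated towards the remote-access client because the exemption matched first while the L2L host still saw 172.16.0.1, and the fixed set translating both VPN destinations while letting internet-bound traffic fall through to whatever dynamic NAT the firewall has.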
04-29-2010 08:04 AM
Hi,
I just replied in your other post.
Let me know please.
Federico.