NAT Issues

Unanswered Question
Jun 21st, 2010
I am having issues resolving DNS and I am thinking it is my NAT configuration.

I have a Cisco ASA 5510 with these settings:

Outside / inside / dmz1 / dmz2

On my outside iface I have an IP of 192.168.1.### <--- this IP address goes to the ISA

Inside iface IP address of 10.100.2.###; this subnet has my DNS server with an IP address of 10.100.2.##; the GW for this is 10.100.2.1

The DMZ2 subnet has the IP subnet of 10.0.0.###; GW for this is 10.0.0.1

My problem is on my DMZ computers I am unable to access the internet. I have created a NAT rule which translates to my outside iface.

I also have a perimeter firewall and an ISA before this firewall...

I can see the traffic in my logs going out from inside to outside but I am unable to hit the net...

Any ideas?

I am thinking it is something in my NAT configuration but not sure what....

Federico Coto F... Mon, 06/21/2010 - 14:23

Hi,

If I understand correctly, you're trying to access the Internet from the DMZ.

For this you need to NAT the traffic of the DMZ to the outside.

It seems you have a private IP on the outside, so by NATing the DMZ traffic to the outside, you will need another NAT to allow the DMZ to get out to the Internet. My question will be... who is doing NAT for Internet traffic, the ISA server?

Can you permit ICMP through the ASA and see if you can PING the ISA server from the DMZ hosts?

Please answer the questions and post the output of:

sh run nat
sh run global
sh run static
sh run access-group
sh run access-list

Federico.

castortroy78 Tue, 06/22/2010 - 06:55

I will post configuration output.

The setup is basically firewall / ISA / firewall.

The perimeter firewall has a public IP on the outside and private on the inside, which talks to the outside of the ISA; the inside of the ISA talks to the outside of the third firewall.... The ISA is what allows connections from inside to get out and reach the internet.

The third firewall has these interfaces currently:

Outside - Talks to the ISA
Inside - Internal network (currently can connect to the internet)
DMZ1 - Webserver
DMZ2 - This one has the issues. Can't get to the internet.
DMZ3 - SSH server

DMZ2 houses an auth server (RADIUS) and a keytoken auth appliance which talks to the RADIUS server.

castortroy78 Tue, 06/22/2010 - 09:48

Ok here is what I have

sh run nat

nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ2_Int) 1 10.2.2.0 255.255.255.0

sh run global

global (outside) 1 192.168.11.15-192.168.11.20 netmask 255.255.255.0
global (outside) 1 192.168.11.3 netmask 255.255.255.255

sh run static

static (inside,inside) 10.0.0.0 xy_network netmask 255.255.255.0
static (inside,outside) 192.168.11.7 10.0.0.12 netmask 255.255.255.255
static (inside,outside) ##.##.##.### 10.0.0.15 netmask 255.255.255.255
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

sh run access-group

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group DMZ2_Int_access_in in interface DMZ2_Int

sh run access-list

access-list outside_access_in extended deny ip 127.0.0.0 255.0.0.0 any log
access-list DMZ_access_in extended deny ip 127.0.0.0 255.0.0.0 any log
access-list inside_nat0_outbound extended permit ip any 10.0.1.0 255.255.255.0
access-list inside_access_in extended deny ip 127.0.0.0 255.0.0.0 any log
access-list inside_access_in extended permit ip any any
access-list global_mpc extended permit ip any any
access-list DMZ2_Int_access_in extended permit object-group DM_INLINE_SERVICE_1 any 10.2.2.0 255.255.255.0
access-list DMZ2_Out extended permit ip 10.2.2.0 255.255.255.0 any
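Added example (not from the thread, not Cisco's tooling): a small Python evaluator for the classic pre-8.3 nat/global/static syntax posted above. Federico's question is really "which translation does a DMZ host hit on the way to the outside interface?", and answering it by hand across three separate show outputs is error-prone. The script parses the posted statements (the `xy_network` object name cannot be resolved without the rest of the config, so that line is reported as skipped rather than guessed) and, for a given ingress interface, source host and egress interface, reports whether a static, a nat/global pair, or nothing matches. The precedence it applies (static for the interface pair first, then the most specific nat statement on the ingress interface paired with a global of the same id on the egress interface) is this example's simplification, not a quote of Cisco's ordering rules, and what the ASA does with a packet that matches no rule depends on whether nat-control is enabled. The sample addresses are the ones in the thread; note that the original post describes DMZ2 as 10.0.0.x while the nat statement on DMZ2_Int covers 10.2.2.0/24, and the last lookup shows what a host from the 10.0.0.x range sees under that config.

```python
import ipaddress
import re

# Constructed sample: the classic (pre-8.3) ASA NAT statements posted in this thread.
SAMPLE_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ2_Int) 1 10.2.2.0 255.255.255.0
global (outside) 1 192.168.11.15-192.168.11.20 netmask 255.255.255.0
global (outside) 1 192.168.11.3 netmask 255.255.255.255
static (inside,inside) 10.0.0.0 xy_network netmask 255.255.255.0
static (inside,outside) 192.168.11.7 10.0.0.12 netmask 255.255.255.255
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
"""

# Classic syntax: nat (real_ifc) id real_net mask
#                 global (mapped_ifc) id pool [netmask m]
#                 static (real_ifc,mapped_ifc) mapped real netmask m
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask \S+)?$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")


def parse_nat_config(config):
    """Collect nat/global/static statements; lines that use object names
    instead of literal addresses (or do not match) are returned as 'skipped'."""
    rules = {"nat": [], "global": [], "static": [], "skipped": []}
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            if m := NAT_RE.match(line):
                ifc, nat_id, net, mask = m.groups()
                rules["nat"].append(
                    (ifc, int(nat_id), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
            elif m := GLOBAL_RE.match(line):
                ifc, nat_id, pool = m.groups()
                rules["global"].append((ifc, int(nat_id), pool))
            elif m := STATIC_RE.match(line):
                real_ifc, mapped_ifc, mapped, real, mask = m.groups()
                rules["static"].append((
                    real_ifc, mapped_ifc,
                    ipaddress.ip_network(f"{real}/{mask}", strict=False),
                    ipaddress.ip_network(f"{mapped}/{mask}", strict=False)))
            else:
                rules["skipped"].append(line)
        except ValueError:
            # e.g. "xy_network": a name, not an address we can evaluate here
            rules["skipped"].append(line)
    return rules


def translation(rules, src_ifc, src_ip, dst_ifc):
    """Return (kind, detail) for a packet from src_ip entering on src_ifc and
    leaving on dst_ifc. Precedence is this example's assumption: static NAT
    for the interface pair first, then the most specific nat statement on the
    ingress interface paired with a global of the same id on the egress side."""
    ip = ipaddress.ip_address(src_ip)

    for real_ifc, mapped_ifc, real_net, mapped_net in rules["static"]:
        if real_ifc == src_ifc and mapped_ifc == dst_ifc and ip in real_net:
            offset = int(ip) - int(real_net.network_address)
            mapped = ipaddress.ip_address(int(mapped_net.network_address) + offset)
            return ("static", str(mapped))

    candidates = [r for r in rules["nat"] if r[0] == src_ifc and ip in r[2]]
    if not candidates:
        return ("none", f"no nat statement on {src_ifc} covers {ip}")
    _, nat_id, net = max(candidates, key=lambda r: r[2].prefixlen)
    if nat_id == 0:
        return ("identity", str(ip))  # nat 0: address passes untranslated
    pools = [pool for ifc, gid, pool in rules["global"] if ifc == dst_ifc and gid == nat_id]
    if not pools:
        return ("none", f"nat id {nat_id} matched {net} but {dst_ifc} has no global with id {nat_id}")
    return ("dynamic", ", ".join(pools))


if __name__ == "__main__":
    rules = parse_nat_config(SAMPLE_CONFIG)
    for line in rules["skipped"]:
        print("skipped (unresolvable):", line)
    for src_ifc, host, dst_ifc in [
        ("inside", "10.0.0.12", "outside"),     # static mapping
        ("inside", "10.100.2.5", "outside"),    # DNS server subnet from the first post
        ("DMZ2_Int", "10.2.2.5", "outside"),    # range the nat statement actually covers
        ("DMZ2_Int", "10.0.0.50", "outside"),   # range the first post calls DMZ2
    ]:
        kind, detail = translation(rules, src_ifc, host, dst_ifc)
        print(f"{src_ifc:9} {host:12} -> {dst_ifc}: {kind}: {detail}")
```

Run it as-is to see the four lookups; to check a real box, paste the combined output of `sh run nat`, `sh run global` and `sh run static` into SAMPLE_CONFIG. A lookup that returns "none" for the DMZ2 hosts points at the translation on the ASA itself, which is worth settling before looking at the second NAT on the ISA that Federico mentions.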
