static nats and dmz access to the internet

Unanswered Question
Jul 15th, 2010

Using an ASA5500, I have the following allowing the outside to access servers on the dmz:

static (dmz,outside) 9.9.9.2 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) 9.9.9.3 192.168.1.3 netmask 255.255.255.255
static (dmz,outside) 9.9.9.4 192.168.1.4 netmask 255.255.255.255

!

access-list incoming_outside extended permit tcp any host 9.9.9.2 eq www

access-list incoming_outside extended permit tcp any host 9.9.9.3 eq https

access-list incoming_outside extended permit tcp any host 9.9.9.4 eq www

!

access-group incoming_outside in interface outside

So the outside can access the public address on the respective ports, and that works ok.

However, we also want to allow DMZ servers to access the Internet, so we have the following:

nat (dmz) 2 192.168.1.0 255.255.255.0

global (outside) 2 9.9.9.100

But the question is, when dmz servers access the internet should they be pat'ed to their static translation IP address or to global 2?

For example, if 192.168.1.2 is to access the internet, should it be pat'ed to 9.9.9.2 or 9.9.9.100

I think the issue we are facing is that it goes out as one public IP and comes back as another public IP which could be the reason dmz cannot get to the internet.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Kevin Redmon Thu, 07/15/2010 - 13:32

Ron,

The order-of-operations of NAT is as below:

1.) nat 0 access-list (nat-exempt)

2.) existing translations

3.) match static commands (first match)

- static NAT with and without access-list

- static PAT with and without access-list

4.) Match NAT commands

- nat access-list (first match)

- nat (best match)

With that being said, if a DMZ host 192.168.1.2 does NOT belong to the nat-exempt access-list rule or have an existing translation, it will go out as the 9.9.9.2.

Any syslogs that you can provide (at the debug level) with the error that you are getting are greatly appreciated.

Best Regards,

Kevin

Nagaraja Thanthry Thu, 07/15/2010 - 13:48

Hello,

Are you able to access your servers from internet? If that is working, then there should not be any issues from the NAT side. I am thinking the issue is with your DNS settings. Are you using DNS server on the inside interface for address resolution? If yes, do you have rules to allow that communication? Can you try to configure 4.2.2.2 as your DNS server and see if you can browse internet? Also, if you have any access-list on the DMZ interface, make sure that internet traffic is allowed.

Note: When you go to internet from DMZ servers, they will take their static translationa addresses. If you do not have a static translation, then they will go with dynamic pool.

Hope this helps.

Regards,

NT

Actions

This Discussion