NAT and Global Statement on outside interface on Cisco ASA

Sep 1st, 2010

Hello,


I have a situation where all the traffic to the DMZ is PATed, and it works as long as users are on the inside LAN. Now we want users connecting to the RA VPN, which terminates on the same firewall's outside interface, to access the DMZ.


At present we have


nat (inside) 100 1.1.1.1

global (DMZ1) 100 10.10.10.10  and this works fine.


Now we want users on the RA VPN IP range 11.11.11.1x to connect to DMZ hosts.


At present we have global (outside) 1 2.2.2.2


What is the best way to allow the 11.11.11.1x range access to DMZ1 with all of this traffic PATed to 10.10.10.10?


Will nat (outside) 100 11.11.11.1x work?


We are running IOS 7.2.3 on the Cisco ASA.


Thanks and regards,


Venky

Federico Coto F... Wed, 09/01/2010 - 09:50

Hi,


The DMZ is 10.10.10.x

To allow RA VPN clients to connect to the DMZ network you can do the following:


access-list nonat_DMZ permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0

nat (DMZ) 0 access-list nonat_DMZ


In this way, traffic from the VPN clients (11.11.11.x) can access the DMZ (10.10.10.x) without NAT.

And you can forget about the nat (outside)...


Note:

You should include the DMZ network in the split-tunneling list for the VPN clients (in case you are using split-tunneling).


Federico.

Venkatesha Bhat Wed, 09/01/2010 - 23:24

Hi Federico,


Thanks for the response!


But if I do NAT 0, the VPN clients' IPs 11.11.11.x do not get PATed to 10.10.10.10. I want to achieve NAT for all the traffic from the RA VPN clients to global (DMZ1) 100 10.10.10.10.


Regards,


Venky

Nagaraja Thanthry Thu, 09/02/2010 - 05:54

Hello Venky,


What Federico suggested is correct in that it will allow DMZ traffic to VPN clients. If you wish to NAT VPN clients also to 10.10.10.10, then do the following in addition to what Federico suggested:


nat (inside) 100 11.11.11.0 255.255.255.0


Since VPN traffic is treated as internal traffic, you apply the rule to the inside interface.


Hope this helps.


Regards,


NT

Venkatesha Bhat Thu, 09/02/2010 - 09:00

Hi,


I tried NAT on the inside interface and it did not help. We don't have nat-control enabled and I don't think NAT 0 makes much difference on the DMZ interface. Also, the traffic is initiated from the VPN client range and not from the DMZ.


Regards,


Venky

Nagaraja Thanthry Thu, 09/02/2010 - 11:09

Hello,


Did you configure both of the below lines:


nat (inside) 100 11.11.11.0 255.255.255.0

nat (DMZ) 0 access-list "acl name"


The first line is needed if you want to use the DMZ interface IP when communicating with the DMZ servers. Alternatively, you can use the VPN client IP itself and not worry about the NAT. Please make sure that the DMZ servers know how to reach the 11.11.11.0 subnet (the default gateway should point to the ASA, or the current default gateway should have a route to 11.11.11.0 pointing to the ASA).


The second line is responsible for the return traffic from the DMZ to the VPN clients. Since (I am assuming) you are accessing the DMZ devices with their own IP address, when the return traffic hits the ASA, we want the ASA to bypass the outside interface NAT rules. The second line will ensure that part.


Hope this helps.


Regards,


NT

praprama Thu, 09/02/2010 - 07:28

Hi Venky,


As mentioned in your original post, all that you will need is a "nat (outside) 100 11.11.11.x 255.255.255.0 outside". The outside keyword at the end is necessary for the NAT to work. You do not need to do NAT exemption. In fact, if you have the "nat (dmz) 0 ACL" and the above command, it will cause a conflict and traffic will not pass.


Let me know how it goes.


Thanks and Regards,

Prapanch
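The two approaches discussed in this thread side by side, as an added example that is not part of any post above. The NAT IDs and addresses are the ones the posters used; the interface names, security levels, the inside subnet mask, the exact VPN pool range and the group-policy name are assumptions. The syntax is the pre-8.3 nat/global form that matches the 7.2(3) code in the original post:

```cisco
! Added example, not from the thread. Interface names, security levels, the
! inside mask and the VPN pool/group-policy names are assumptions.
! Pre-8.3 nat/global syntax, as used on ASA 7.2(3).
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif DMZ1
 security-level 50
!
! Existing translations from the original post: inside hosts are PATed to
! 10.10.10.10 when they go to DMZ1 and to 2.2.2.2 when they go to the Internet.
nat (inside) 100 1.1.1.0 255.255.255.0     ! post writes 1.1.1.1; a /24 is assumed here
global (DMZ1) 100 10.10.10.10
global (outside) 1 2.2.2.2
!
! RA VPN client pool: the "11.11.11.1x" range from the post, assumed to be .10-.19
ip local pool RAVPN-POOL 11.11.11.10-11.11.11.19 mask 255.255.255.0
!
! Option A (Prapanch): PAT the VPN clients to 10.10.10.10 as well.
! Decrypted VPN traffic enters on "outside", so the nat statement is bound to
! the outside interface and needs the trailing "outside" keyword (outside NAT).
! NAT ID 100 pairs it with the existing global (DMZ1) 100 entry.
nat (outside) 100 11.11.11.0 255.255.255.0 outside
!
! Option B (Federico, NT): no translation; DMZ hosts see the real 11.11.11.x
! source addresses. Do not configure both A and B for the same flows; Prapanch
! reports that the combination conflicts and traffic stops passing.
! access-list nonat_DMZ permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0
! nat (DMZ1) 0 access-list nonat_DMZ
! With option B every DMZ host (or its default gateway) needs a route to
! 11.11.11.0/24 that points at the ASA's DMZ1 address.
!
! Split tunneling (Federico's note): the DMZ subnet must be in the list, or the
! client never sends that traffic into the tunnel. Group-policy name assumed.
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
group-policy RAVPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Checks with a client connected and a DMZ session open. Under option A the
! xlate table should show an 11.11.11.x source mapped to 10.10.10.10 on DMZ1.
! show nat
! show xlate | include 11.11.11
```

After applying option A, also test a plain inside-to-Internet session: the original poster reports that on 7.2(3) the outside NAT statement broke exactly that path, and Prapanch's reply treats it as code behaviour rather than a configuration error.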

Venkatesha Bhat Thu, 09/02/2010 - 09:03

Hi Prapanch,

I have tried this, and when we do, the NAT works and the traffic from inside to the Internet fails for some reason.


Regards,


Venky.

praprama Thu, 09/02/2010 - 09:48

Hi Venky,


I have seen the same behavior before, where enabling outside NAT breaks Internet access for inside users. I would suggest that you upgrade your ASA to a more recent code, as I see you are running 7.2(3) right now, maybe to the latest release in the 8.0 or 8.2 train. It might help us, as there are many bug fixes in these releases compared to the 7.2 train.


Let me know if this helps!


Thanks and Regards,

Prapanch
