Static NAT dmz to inside

Unanswered Question
Apr 25th, 2012

Hi,

I have an ASA with Inside (10.1.1.1/24) & DMZ (10.2.2.1/24) interfaces.

I need to access one of the servers in the DMZ (10.2.2.10) from Inside using NAT.

I have the following NAT command entered:

static (dmz,inside)10.1.1.10 10.2.2.10

Is this syntax correct? If yes, how is it different from the following command?

static (inside,dmz) 10.2.2.10 10.1.1.10

Dan-Ciprian Cicioiu Wed, 04/25/2012 - 05:20

Hi Shivaji,

There is nothing wrong with either of the two commands. It depends on what you are trying to do:

static (real_interface,nated_interface) translation_ip translated_ip

In the first case:

static (dmz,inside)10.1.1.10 10.2.2.10

The host that will be translated is in the DMZ and has the IP 10.2.2.10. It will be translated in the INSIDE as 10.1.1.10.

The second case:

static (inside,dmz) 10.2.2.10 10.1.1.10

The host that will be translated is in the INSIDE and has the IP 10.1.1.10. It will be translated in the DMZ as 10.2.2.10.

Dan

central_bank Wed, 04/25/2012 - 05:58

Hi Dan,

Thanks.

Is there any restriction, like the real_interface should be of a higher security level than the nated_interface?

Dan-Ciprian Cicioiu Wed, 04/25/2012 - 06:07

Hi,

My pleasure.

There is no restriction regarding the real_interface.

But depending on your software version there is a requirement. In some versions it is called NAT-CONTROL.

NAT-CONTROL requires that traffic from a higher security level to a lower security level be source NATed in order to be permitted; also, from a lower to a higher level the traffic should have the destination translated. Historically speaking, on PIX this requirement could not be disabled and you had to do identity NAT. Nat-control appeared in software version 7.x and has since disappeared, so if you are using an 8.4 software version, nat-control is not present.

Dan

imramoha Wed, 04/25/2012 - 06:07

Hello,

static (dmz,inside)10.1.1.10 10.2.2.10

When a packet with destination IP 10.1.1.10 reaches the inside interface of the ASA, it is redirected to 10.2.2.10 on the DMZ.

static (inside,dmz) 10.2.2.10 10.1.1.10

When a packet with destination IP 10.2.2.10 hits the DMZ, it is redirected to 10.1.1.10 on the inside.

Thanks & Regards

Mohammed Imran

Dan-Ciprian Cicioiu Wed, 04/25/2012 - 06:11

Hi Mohammed,

My understanding of static NAT is that it is bidirectional, so it does not matter where the packet was received.

Are you saying that this is not the case?

Dan

Dan-Ciprian Cicioiu Fri, 04/27/2012 - 09:44

Hi Ryan,

Thank you for the link.

My post was directed at the fact that the static NAT does not change only the DESTINATION.

As you can see in my last post, the static NAT is bidirectional. This means that, taking for example

static (dmz,inside)10.1.1.10 10.2.2.10

- if the traffic has been initiated from the DMZ, it changes the SOURCE.

- if the traffic has been initiated from the INSIDE, it changes the DESTINATION.

So the static NAT translates either the source or the destination, depending on where the packet was initiated.

Dan
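The following Python model is an added example, not Cisco code and not something any poster in this thread wrote. It parses the pre-8.3 `static (real_if,mapped_if) mapped_ip real_ip` form used in the thread and applies it to packets from either side, so that the bidirectional behaviour Dan describes (source rewritten when the real host initiates, destination rewritten when the mapped side initiates) can be checked against the two commands in the question. It also models the NAT-CONTROL requirement as Dan states it (higher-to-lower traffic needs a source translation, lower-to-higher traffic needs a destination translation). The security levels, the inside host 10.1.1.50 and the DMZ host 10.2.2.20 are constructed for the example; only the initiating packet is modelled, not the xlate that the ASA keeps for the reply.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Constructed security levels for the two interfaces in this thread
# (inside = 100 is the ASA default; the DMZ value is an assumption).
SECURITY_LEVELS = {"inside": 100, "dmz": 50}


@dataclass(frozen=True)
class StaticNat:
    """One 'static (real_if,mapped_if) mapped_ip real_ip' entry."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str
    dst: str


def parse_static(line: str) -> StaticNat:
    """Parse the pre-8.3 'static' command. The missing space after ')'
    in the thread's first command is tolerated, as the ASA CLI tolerates it."""
    body = line.strip()
    if not body.startswith("static"):
        raise ValueError("not a static command: %r" % line)
    body = body[len("static"):].strip()
    if not body.startswith("(") or ")" not in body:
        raise ValueError("expected (real_if,mapped_if): %r" % line)
    close = body.index(")")
    real_if, mapped_if = (s.strip() for s in body[1:close].split(","))
    mapped_ip, real_ip = body[close + 1:].split()
    return StaticNat(real_if, mapped_if, mapped_ip, real_ip)


def apply_static(pkt: Packet, rules: list[StaticNat]) -> Packet:
    """Apply the first matching static entry to an initiating packet.
    The same entry rewrites the SOURCE of traffic entering on the real side
    and the DESTINATION of traffic entering on the mapped side; that is what
    'bidirectional' means in the thread."""
    for r in rules:
        if pkt.ingress_if == r.real_if and pkt.src == r.real_ip:
            return replace(pkt, src=r.mapped_ip)  # real host initiates
        if pkt.ingress_if == r.mapped_if and pkt.dst == r.mapped_ip:
            return replace(pkt, dst=r.real_ip)    # mapped side initiates
    return pkt


def allowed_under_nat_control(pkt: Packet, egress_if: str,
                              rules: list[StaticNat]) -> bool:
    """Model of NAT-CONTROL as described in the thread: higher-to-lower
    traffic must have a source translation, lower-to-higher traffic must
    have a destination translation, otherwise it is dropped. An identity
    entry (mapped_ip == real_ip) satisfies the requirement."""
    ingress_level = SECURITY_LEVELS[pkt.ingress_if]
    egress_level = SECURITY_LEVELS[egress_if]
    if ingress_level == egress_level:
        raise ValueError("same-security traffic is not covered by this model")
    for r in rules:
        if ingress_level > egress_level:
            # packet enters on the real (higher) side: its source must map
            if (r.real_if, r.mapped_if) == (pkt.ingress_if, egress_if) \
                    and pkt.src == r.real_ip:
                return True
        else:
            # packet enters on the mapped (lower) side: its destination must map
            if (r.mapped_if, r.real_if) == (pkt.ingress_if, egress_if) \
                    and pkt.dst == r.mapped_ip:
                return True
    return False


def demo() -> dict[str, Packet]:
    """Run the thread's two commands against packets from each side."""
    rule1 = parse_static("static (dmz,inside)10.1.1.10 10.2.2.10")
    rule2 = parse_static("static (inside,dmz) 10.2.2.10 10.1.1.10")
    return {
        # inside host (constructed) connects to the mapped address: dst rewritten
        "rule1_from_inside": apply_static(Packet("inside", "10.1.1.50", "10.1.1.10"), [rule1]),
        # DMZ server initiates towards inside: src rewritten to 10.1.1.10
        "rule1_from_dmz": apply_static(Packet("dmz", "10.2.2.10", "10.1.1.50"), [rule1]),
        # second command: DMZ host (constructed) reaches inside host via 10.2.2.10
        "rule2_from_dmz": apply_static(Packet("dmz", "10.2.2.20", "10.2.2.10"), [rule2]),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

Running `demo()` shows that the first command changes the destination for inside-initiated traffic and the source for DMZ-initiated traffic, which is Dan's point. The NAT-CONTROL helper also shows why the asker's first command alone is not enough on a nat-control release: an inside host opening a connection to the DMZ has no source translation under that entry, so a separate identity or dynamic NAT entry for the inside network is needed.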
