05-01-2012 05:21 AM - edited 02-21-2020 04:37 AM
Hi Guys
I have the following in place
internal network IP: 172.1.1.1
Natted to DMZ IP of 192.1.1.1
I require that the internal machine is able to access the internet; however, this is not happening. When checking the traffic logs I can see that it is down to the NAT rule. However, I require this NAT rule in place as it allows authentication servers to communicate with a server in the internal network.
My question is how can I get the internal IP to browse the internet without removing the NAT rule?
Kind Regards
05-01-2012 05:27 AM
Hi Mohammad,
What is the IOS version that you are using? Also, please share the NAT statement that you currently have.
Thanks,
Varun
05-01-2012 05:29 AM
If you are using ASA pre 8.3 version, then add another global (outside) statement:
global (outside) 1 interface
If you are using post 8.3 version, then:
object network 172.1.1.0_internal
subnet 172.1.1.0 255.255.255.0
nat (inside,outside) dynamic interface
Hope that helps.
Thanks,
Varun
05-01-2012 05:34 AM
Hi there
Thank you very much for your reply. I am using 8.2(5).
match ip internal host 172.1.1.1 DMZData any
static translation to 192.1.1.1
I didn't quite understand your second reply. I am quite a newbie so I do apologise; if the above can be done through ASDM it would be easier.
much appreciated
05-01-2012 05:56 AM
Hello Mohamed,
Please follow the example below. My internal network is "10.10.10.0/24"; as per the setup below, my internal network will have access to the internet, and if you want to allow any other network, all you have to do is add the other network address as the next entry in the "allownatout" ACL.
global (outside) 1 interface
nat (inside) 1 access-list allownatout
access-list allownatout extended permit ip 10.10.10.0 255.255.255.0 any
"internal network IP: 172.1.1.1 Natted to DMZ IP of 192.1.1.1"
The above two IPs of yours are public IPs; they are not internal private IPs.
FYI...
http://en.wikipedia.org/wiki/Private_network
Thanks
Rizwan Rafeek
05-01-2012 06:09 AM
Hi Rizwan
They are indeed, but I didn't want to share the internal range. However, I will, as follows:
Internal: 10.0.0.0/23
DMZ: 192.168.9.1/24
The DMZ interface points to a Fortigate firewall, which is my external firewall.
Therefore all traffic from the Cisco PIX on the DMZ interface is indeed outside traffic. I have set my external firewall to accept all for now.
I have created ACL to allow any to any IP on the internal network
However, one of my servers has a NAT rule in place that allows visibility to the DMZ network. Because of this NAT rule it cannot browse the internet; however, it needs it for updates.
It is a static NAT rule, as follows:
match ip il2AHdata host 10.0.0.10 192.168.9.1 any
static translation to 192.168.9.9
When I remove this nat rule the server can access internet as normal.
These are the current traffic logs
|May 01 2012|14:06:13|302013|macserver01|52896|173.194.34.103|80|Built outbound TCP connection 256882 for dmzAHdata:173.194.34.103/80 (173.194.34.103/80) to il2AHdata:macserver01/52896 (192.168.9.9/52896)
6|May 01 2012|14:06:05|302013|macserver01|52865|173.194.34.102|80|Built outbound TCP connection 256879 for dmzAHdata:173.194.34.102/80 (173.194.34.102/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:05:33|302013|macserver01|52865|173.194.34.102|80|Built outbound TCP connection 256853 for dmzAHdata:173.194.34.102/80 (173.194.34.102/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:04:58|302013|macserver01|52865|173.194.34.102|80|Built outbound TCP connection 256821 for dmzAHdata:173.194.34.102/80 (173.194.34.102/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:04:50|302013|macserver01|52847|173.194.34.101|80|Built outbound TCP connection 256820 for dmzAHdata:173.194.34.101/80 (173.194.34.101/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)
6|May 01 2012|14:04:18|302013|macserver01|52847|173.194.34.101|80|Built outbound TCP connection 256689 for dmzAHdata:173.194.34.101/80 (173.194.34.101/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)
6|May 01 2012|14:03:43|302013|macserver01|52847|173.194.34.101|80|Built outbound TCP connection 256669 for dmzAHdata:173.194.34.101/80 (173.194.34.101/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)
You can see from the traffic logs that traffic is coming down to the NATted IP and not the real IP, and thus no internet.
Am I missing anything?
Kind Regards
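As an added illustration (not configuration or code from the thread, from Cisco, or from any poster), the following Python script does two things with the material above: it reads the mapped source address out of 302013 "Built outbound TCP connection" lines in the pipe-delimited shape shown in the logs, and it applies ASA 8.2's NAT order of operations (NAT exemption, static policy NAT, static NAT, dynamic policy NAT, dynamic NAT/PAT; first match wins) to the two rules the thread discusses. The sample log lines are constructed copies of the thread's format; the interface names dmzAHdata and il2AHdata and the addresses 10.0.0.10, 10.0.0.0/23 and 192.168.9.9 come from the thread; the DMZ-facing interface address 192.168.9.2 and the presence of an interface PAT for the inside range (Rizwan's global/nat pair) are assumptions. The "narrowed" rule set, which limits the static translation to DMZ destinations, is also an assumption about how the rule could be scoped, not something the thread confirms; the model only shows what falls through to the PAT once the static rule no longer matches internet destinations.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set

# --- Part 1: pull the mapped source out of %ASA-6-302013 lines -------------
# Message body: "Built outbound TCP connection <id> for <dst_if>:<dst>/<dport> (<dst_mapped>/<port>)
#                to <src_if>:<src>/<sport> (<src_mapped>/<port>)"
CONN_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) for "
    r"(?P<dst_if>[^:]+):(?P<dst>[^/]+)/(?P<dport>\d+) \((?P<dst_mapped>[^/]+)/\d+\) to "
    r"(?P<src_if>[^:]+):(?P<src>[^/]+)/(?P<sport>\d+) \((?P<src_mapped>[^/]+)/\d+\)"
)

# Constructed lines in the pipe-delimited export shape seen in the thread.
SAMPLE_LOGS = [
    "6|May 01 2012|14:06:05|302013|macserver01|52865|173.194.34.102|80|Built outbound TCP connection 256879 "
    "for dmzAHdata:173.194.34.102/80 (173.194.34.102/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)",
    "6|May 01 2012|14:04:50|302013|macserver01|52847|173.194.34.101|80|Built outbound TCP connection 256820 "
    "for dmzAHdata:173.194.34.101/80 (173.194.34.101/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)",
]


def parse_conn(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 302013 line, or None if the line is some other message."""
    m = CONN_RE.search(line.split("|")[-1])
    return m.groupdict() if m else None


def mapped_sources(lines: List[str]) -> Dict[str, Set[str]]:
    """Real source (host or name) -> set of mapped addresses the ASA used for it."""
    out: Dict[str, Set[str]] = {}
    for line in lines:
        rec = parse_conn(line)
        if rec and rec["direction"] == "outbound":
            out.setdefault(rec["src"], set()).add(rec["src_mapped"])
    return out


# --- Part 2: which NAT rule class produced that mapped address? ------------
# ASA 8.2 evaluates the classes in this order; the first matching rule wins.
ORDER = ["exempt", "static_policy", "static", "dynamic_policy", "dynamic"]
ANY = ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    kind: str          # one of ORDER
    src: IPv4Network   # real source addresses the rule covers
    dst: IPv4Network   # destinations the rule covers (ANY for non-policy rules)
    mapped: str        # mapped address, or "interface" for PAT to the egress interface


def translate(src: str, dst: str, rules: List[NatRule], egress_ip: str) -> str:
    """Mapped source address ASA 8.2 would use for a packet from src to dst."""
    s, d = ip_address(src), ip_address(dst)
    for kind in ORDER:
        for r in rules:
            if r.kind == kind and s in r.src and d in r.dst:
                if r.kind == "exempt":
                    return src  # nat 0 leaves the address untouched
                return egress_ip if r.mapped == "interface" else r.mapped
    # No match: passes untranslated with nat-control disabled, dropped with it enabled.
    return src


EGRESS_IP = "192.168.9.2"  # assumption: ASA address on the DMZ-facing interface (not in the thread)

# Rules as the thread describes them: a static translation for 10.0.0.10 whose
# destination is "any", plus an interface PAT for the inside range (assumed present).
CURRENT_RULES = [
    NatRule("static_policy", ip_network("10.0.0.10/32"), ANY, "192.168.9.9"),
    NatRule("dynamic", ip_network("10.0.0.0/23"), ANY, "interface"),
]

# Assumed variant: the same static rule restricted to DMZ destinations only.
NARROWED_RULES = [
    NatRule("static_policy", ip_network("10.0.0.10/32"), ip_network("192.168.9.0/24"), "192.168.9.9"),
    NatRule("dynamic", ip_network("10.0.0.0/23"), ANY, "interface"),
]


def explain(rules: List[NatRule], src: str, dst: str) -> str:
    """Convenience wrapper using the assumed egress address."""
    return translate(src, dst, rules, EGRESS_IP)


if __name__ == "__main__":
    print(mapped_sources(SAMPLE_LOGS))                             # {'macserver01': {'192.168.9.9'}}
    print(explain(CURRENT_RULES, "10.0.0.10", "173.194.34.103"))   # 192.168.9.9 (static rule wins)
    print(explain(NARROWED_RULES, "10.0.0.10", "173.194.34.103"))  # 192.168.9.2 (falls through to PAT)
    print(explain(NARROWED_RULES, "10.0.0.10", "192.168.9.1"))     # 192.168.9.9 (DMZ traffic still static)
```

The parser confirms what the posted logs show: every outbound connection from macserver01 is built with 192.168.9.9 as the mapped source. The model then shows why adding a global/nat pair alone does not change that outcome: a static translation sits ahead of dynamic PAT in the order of operations, so as long as its destination is "any" it claims internet-bound packets too, and only traffic the static rule does not match can reach the interface PAT.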
05-01-2012 08:07 AM
"DMZ interfact points to a fortigate firewall which is my external firewall"
"Therefore all traffic from the cisco pix on DMZ interfact is indeed outside traffic, I have set my external fireall to accept all for now"
A DMZ is a perimeter network segment and is still considered an internal segment; however, your external firewall is connected to the DMZ interface of the PIX, and the DMZ perimeter segment is being treated like an outside segment for access to the internet cloud.
It is very difficult to analyze and troubleshoot this network.
05-01-2012 08:25 AM
Hi Rizwan
It's as follows:
Cisco ASA || DMZ || External Firewall
Cisco has port connected to external firewall
The internal server whose gateway is the Cisco is the only server that cannot access the internet because of the NAT rule in place.
When I remove the NAT rule it accesses the internet fine.
On the internal IP port on the Cisco I have enabled an any-to-any IP ACL, and the same on the DMZ IP interface.
It seems like traffic is trying to go out to the internet through the NATted IP but there is no response, as it does not know what to do with the NATted IP, I believe.