NAT Rule does not allow internet access

Unanswered Question
May 1st, 2012

Hi Guys

I have the following in place:

internal network IP: 172.1.1.1

NATted to DMZ IP of 192.1.1.1

I require that the internal machine is able to access the internet; however, this is not happening, and when checking the traffic logs I can see that it is down to the NAT rule. However, I require this NAT rule in place as it allows authentication servers to communicate with a server in the internal network.

My question is how can I get the internal IP to browse the internet without removing the NAT rule?

Kind Regards

varrao Tue, 05/01/2012 - 05:27

Hi Mohammad,

What is the IOS version that you are using? Also, please share the NAT statement that you currently have.

Thanks,

Varun

varrao Tue, 05/01/2012 - 05:29

If you are using an ASA pre-8.3 version, then add another global (outside) statement:

global (outside) 1 interface

If you are using post 8.3 version, then:

object network 172.1.1.0_internal
  subnet 172.1.1.0 255.255.255.0
  nat (inside,outside) dynamic interface

Hope that helps.

Thanks,

Varun

mohamedridha Tue, 05/01/2012 - 05:34

Hi there

Thank you very much for your reply. I am using 8.2(5).

match ip internal host 172.1.1.1 DMZData any
    static translation to 192.1.1.1

I didn't quite understand your second reply. I am quite a newbie, so I do apologise; if the above can be done through ASDM it would be easier.

Much appreciated

rizwanr74 Tue, 05/01/2012 - 05:56

Hello Mohamed,

Please follow the example below. My internal network is "10.10.10.0/24"; as per the setup below, my internal network will have access to the internet, and if you want to allow any other network, all you have to do is add the other network address as the next entry in the "allownatout" ACL.

global (outside) 1 interface
nat (inside) 1 access-list allownatout
access-list allownatout extended permit ip 10.10.10.0 255.255.255.0 any

"internal network IP: 172.1.1.1 NATted to DMZ IP of 192.1.1.1"

The above two IPs of yours are public IPs; they are not internal private IPs.

FYI...

http://en.wikipedia.org/wiki/Private_network

Thanks

Rizwan Rafeek

mohamedridha Tue, 05/01/2012 - 06:09

Hi Rizwan

They are indeed, but I didn't want to share the internal range; however, I will, as follows:

Internal: 10.0.0.0/23

DMZ: 192.168.9.1/24

The DMZ interface points to a Fortigate firewall, which is my external firewall.

Therefore all traffic from the Cisco PIX on the DMZ interface is indeed outside traffic. I have set my external firewall to accept all for now.

I have created an ACL to allow any-to-any IP on the internal network.

However, one of my servers has a NAT rule in place that allows visibility to the DMZ network. Because of this NAT rule it cannot browse the internet; however, it needs it for updates.

It is a static NAT rule, as follows:

match ip il2AHdata host 10.0.0.10 192.168.9.1 any
    static translation to 192.168.9.9

When I remove this NAT rule the server can access the internet as normal.

These are the current traffic logs:

6|May 01 2012|14:06:13|302013|macserver01|52896|173.194.34.103|80|Built outbound TCP connection 256882 for dmzAHdata:173.194.34.103/80 (173.194.34.103/80) to il2AHdata:macserver01/52896 (192.168.9.9/52896)
6|May 01 2012|14:06:05|302013|macserver01|52865|173.194.34.102|80|Built outbound TCP connection 256879 for dmzAHdata:173.194.34.102/80 (173.194.34.102/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:05:33|302013|macserver01|52865|173.194.34.102|80|Built outbound TCP connection 256853 for dmzAHdata:173.194.34.102/80 (173.194.34.102/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:04:58|302013|macserver01|52865|173.194.34.102|80|Built outbound TCP connection 256821 for dmzAHdata:173.194.34.102/80 (173.194.34.102/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:04:50|302013|macserver01|52847|173.194.34.101|80|Built outbound TCP connection 256820 for dmzAHdata:173.194.34.101/80 (173.194.34.101/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)
6|May 01 2012|14:04:18|302013|macserver01|52847|173.194.34.101|80|Built outbound TCP connection 256689 for dmzAHdata:173.194.34.101/80 (173.194.34.101/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)
6|May 01 2012|14:03:43|302013|macserver01|52847|173.194.34.101|80|Built outbound TCP connection 256669 for dmzAHdata:173.194.34.101/80 (173.194.34.101/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)

You can see from the traffic logs that traffic is coming down to the NATted IP and not the real IP, and thus no internet.

Am I missing anything?

Kind Regards

rizwanr74 Tue, 05/01/2012 - 08:07

"The DMZ interface points to a Fortigate firewall, which is my external firewall."

"Therefore all traffic from the Cisco PIX on the DMZ interface is indeed outside traffic. I have set my external firewall to accept all for now."

The DMZ is a perimeter network segment and it is still considered to be an internal segment; however, your external firewall is connected to the DMZ interface of the PIX, and the DMZ perimeter segment has been treated like an outside to access the internet cloud.

It is very difficult to analyze and troubleshoot this network.

mohamedridha Tue, 05/01/2012 - 08:25

Hi Rizwan

It's as follows:

Cisco ASA || DMZ || External Firewall

The Cisco has a port connected to the external firewall.

The internal server whose gateway is the Cisco is the only server that cannot access the internet, because of the NAT rule in place.

When I remove the NAT rule it accesses the internet fine.

On the internal IP port on the Cisco I have enabled an any-to-any IP ACL, and the same with the DMZ IP interface.

It seems like traffic is trying to go out on the internet through the NATed IP but there is no response, as it does not know what to do with the NATted IP, I believe.
