Solved: Using PAT on two interfaces

dprakken1 · ‎10-06-2006

Is it possible to do this? I have an ASA5520 using 4 interfaces:

outside -> sec level 0

DMZ -> sec level 50

store -> sec level 90

inside -> sec level 100

I want PAT for outbound access for DMZ and outside, but I also need PAT for traffic originating in inside, going to store. I cannot get the latter working. I would appreciate any help.

Daved

mmorris11 · ‎10-06-2006

The number 2 instance of nat is invalid:

global (store) 2 interface

global (outside) 1 interface

nat (management) 0 0.0.0.0 0.0.0.0

nat (store) 2 10.2.195.0 255.255.255.0

nat (inside) 1 172.0.0.0 255.0.0.0

You are matching nat criteria and engaging the nat process on the same interface.

To meet your requirements, as I can best understand them, you might try:

nat (dmz) 1 192.168.2.0 255.255.255.0

global (outside) 1 interface

This meets the criteria as you stated:

>I want PAT for outbound access for DMZ and >outside

Then I would do this:

nat (inside) 1 172.0.0.0 255.0.0.0

global (store) 1 interface

This meets the criteria as you stated:

>but I also need PAT for traffic originating >in inside, going to store.

The matching criteria on the nat statements as well as the pat addresses on the global statement are presumptuous but tweaks are possible. This should achieve your goals though.

HTH pls rate!

View solution in original post

mmorris11 · ‎10-06-2006

Can you post the current config?

dprakken1 · ‎10-06-2006

Sure ..

ASA Version 7.2(1)

!

hostname lab-asa

domain-name lab.net

enable password xxx

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 65.*.*.* 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 172.31.1.8 255.255.255.0

!

interface GigabitEthernet0/2

nameif dmz

security-level 50

ip address 192.168.2.66 255.255.255.0

!

interface GigabitEthernet0/3

nameif store

security-level 90

ip address 10.2.195.28 255.255.255.0

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name lab.net

object-group network Inside-all

description Private Lab Networks

network-object 172.2.0.0 255.255.0.0

network-object 172.31.1.0 255.255.255.0

access-list outside_access_in extended permit tcp any host 65.*.*.* eq ftp log debugging

access-list inside_access_in extended permit ip any any

access-list store_access_in extended permit ip any any

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu management 1500

mtu store 1500

mtu inside 1500

mtu dmz 1500

mtu outside 1500

no failover

monitor-interface management

monitor-interface store

monitor-interface inside

monitor-interface dmz

monitor-interface outside

asdm image disk0:/asdm521.bin

no asdm history enable

arp timeout 14400

global (store) 2 interface

global (outside) 1 interface

nat (management) 0 0.0.0.0 0.0.0.0

nat (store) 2 10.2.195.0 255.255.255.0

nat (inside) 1 172.0.0.0 255.0.0.0

static (dmz,outside) 65.215.83.7 192.168.2.67 netmask 255.255.255.255

static (inside,store) 172.0.0.0 172.0.0.0 netmask 255.0.0.0

access-group store_access_in in interface store

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route store 10.0.0.0 255.0.0.0 10.2.195.1 1

route inside 172.0.0.0 255.0.0.0 172.31.1.254 1

route outside 0.0.0.0 0.0.0.0 65.215.83.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username dave password L.JSDLBWD4Ud8j.3 encrypted privilege 15

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 store

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 store

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

jwalker · ‎10-06-2006

Try this...

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

global (dmz) 1 interface

global (store) 1 172.16.1.1

** please rate if it helps **

mmorris11 · ‎10-06-2006

The number 2 instance of nat is invalid:

global (store) 2 interface

global (outside) 1 interface

nat (management) 0 0.0.0.0 0.0.0.0

nat (store) 2 10.2.195.0 255.255.255.0

nat (inside) 1 172.0.0.0 255.0.0.0

You are matching nat criteria and engaging the nat process on the same interface.

To meet your requirements, as I can best understand them, you might try:

nat (dmz) 1 192.168.2.0 255.255.255.0

global (outside) 1 interface

This meets the criteria as you stated:

>I want PAT for outbound access for DMZ and >outside

Then I would do this:

nat (inside) 1 172.0.0.0 255.0.0.0

global (store) 1 interface

This meets the criteria as you stated:

>but I also need PAT for traffic originating >in inside, going to store.

The matching criteria on the nat statements as well as the pat addresses on the global statement are presumptuous but tweaks are possible. This should achieve your goals though.

HTH pls rate!