10-06-2006 07:31 AM - edited 03-09-2019 04:26 PM
Is it possible to do this? I have an ASA5520 using 4 interfaces:
outside -> sec level 0
DMZ -> sec level 50
store -> sec level 90
inside -> sec level 100
I want PAT for outbound access for DMZ and outside, but I also need PAT for traffic originating in inside, going to store. I cannot get the latter working. I would appreciate any help.
Daved
10-06-2006 08:56 AM
The number 2 instance of nat is invalid:
global (store) 2 interface
global (outside) 1 interface
nat (management) 0 0.0.0.0 0.0.0.0
nat (store) 2 10.2.195.0 255.255.255.0
nat (inside) 1 172.0.0.0 255.0.0.0
You are matching nat criteria and engaging the nat process on the same interface.
To meet your requirements, as I can best understand them, you might try:
nat (dmz) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
This meets the criteria as you stated:
>I want PAT for outbound access for DMZ and outside
Then I would do this:
nat (inside) 1 172.0.0.0 255.0.0.0
global (store) 1 interface
This meets the criteria as you stated:
>but I also need PAT for traffic originating in inside, going to store.
The matching criteria on the nat statements as well as the pat addresses on the global statement are presumptuous but tweaks are possible. This should achieve your goals though.
HTH pls rate!
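Added illustration (editor's example, not code from the thread or from Cisco): a small Python model of the pre-8.3 ASA `nat`/`global` pairing the accepted answer relies on. A `nat (ingress) ID net mask` statement is only ever paired with a `global (egress) ID ...` statement carrying the same ID on the interface the packet leaves through, so a `global` on the same interface as its `nat`, as in the posted `nat (store) 2` / `global (store) 2`, can never supply a pool. The function names, the dataclasses and the simplifications (no `nat 0`, no policy NAT, no `nat-control` handling beyond a note) are assumptions of this model; the sample statements are copied from the posted config and from the accepted answer. The model also evaluates `static` before `nat`/`global`, which is the ASA order of operations, so for the posted config it reports the identity `static (inside,store) 172.0.0.0 172.0.0.0` as the rule that wins for inside-to-store traffic; the suggested nat/global pair only takes effect for that flow once that static is gone.

```python
# Editor's model of ASA 7.x (pre-8.3) nat/global pairing; not the thread's code.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Nat:
    ifc: str                      # ingress interface named in "nat (ifc) ..."
    nat_id: int
    net: ipaddress.IPv4Network    # local (real) addresses the statement matches


@dataclass
class Global:
    ifc: str                      # egress interface named in "global (ifc) ..."
    nat_id: int
    pool: str                     # "interface" (PAT to interface address) or an address


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_net: ipaddress.IPv4Network
    real_net: ipaddress.IPv4Network


def parse_nat_lines(config: str) -> Tuple[List[Nat], List[Global], List[Static]]:
    """Pick nat / global / static statements out of a pre-8.3 ASA config text."""
    nats, globs, statics = [], [], []
    for raw in config.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "nat" and p[2] != "0":           # nat 0 (exemption/identity) not modelled
            nats.append(Nat(p[1].strip("()"), int(p[2]),
                            ipaddress.IPv4Network(f"{p[3]}/{p[4]}", strict=False)))
        elif p[0] == "global":
            globs.append(Global(p[1].strip("()"), int(p[2]), p[3]))
        elif p[0] == "static":                      # static (real,mapped) mapped real netmask m
            real_ifc, mapped_ifc = p[1].strip("()").split(",")
            mask = p[5]
            statics.append(Static(real_ifc, mapped_ifc,
                                  ipaddress.IPv4Network(f"{p[2]}/{mask}", strict=False),
                                  ipaddress.IPv4Network(f"{p[3]}/{mask}", strict=False)))
    return nats, globs, statics


def check_pairs(nats: List[Nat], globs: List[Global]) -> List[str]:
    """Flag nat statements with no global of the same id, or whose only global
    sits on the same interface (the defect the accepted answer points out)."""
    problems = []
    for n in nats:
        peers = [g for g in globs if g.nat_id == n.nat_id]
        if not peers:
            problems.append(f"nat ({n.ifc}) {n.nat_id}: no global with id {n.nat_id}")
        elif all(g.ifc == n.ifc for g in peers):
            problems.append(f"nat ({n.ifc}) {n.nat_id}: global {n.nat_id} is on the same "
                            f"interface, so it can never be the egress pool")
    return problems


def translate(src: str, in_ifc: str, out_ifc: str, nats: List[Nat],
              globs: List[Global], statics: List[Static]) -> str:
    """Describe the translation a flow from src (entering in_ifc, leaving out_ifc) gets."""
    ip = ipaddress.IPv4Address(src)
    for s in statics:                               # static is evaluated before nat/global
        if s.real_ifc == in_ifc and s.mapped_ifc == out_ifc and ip in s.real_net:
            mapped = s.mapped_net.network_address + (int(ip) - int(s.real_net.network_address))
            return f"static {src} -> {mapped}"
    for n in nats:
        if n.ifc != in_ifc or ip not in n.net:
            continue
        for g in globs:                             # same id, on the egress interface
            if g.nat_id == n.nat_id and g.ifc == out_ifc:
                target = f"{out_ifc} interface address" if g.pool == "interface" else g.pool
                return f"PAT {src} -> {target} (nat/global id {n.nat_id})"
    return "no translation (dropped if nat-control is enabled)"


# Translation lines as posted in the thread.
POSTED = """\
global (store) 2 interface
global (outside) 1 interface
nat (management) 0 0.0.0.0 0.0.0.0
nat (store) 2 10.2.195.0 255.255.255.0
nat (inside) 1 172.0.0.0 255.0.0.0
static (dmz,outside) 65.215.83.7 192.168.2.67 netmask 255.255.255.255
static (inside,store) 172.0.0.0 172.0.0.0 netmask 255.0.0.0
"""

# The nat/global lines the accepted answer proposes (identity static left out).
PROPOSED = """\
nat (dmz) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 172.0.0.0 255.0.0.0
global (store) 1 interface
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("proposed", PROPOSED)):
        nats, globs, statics = parse_nat_lines(cfg)
        print(label, "problems:", check_pairs(nats, globs) or "none")
        print(" inside->store :", translate("172.31.1.50", "inside", "store", nats, globs, statics))
        print(" inside->outside:", translate("172.31.1.50", "inside", "outside", nats, globs, statics))
        print(" dmz->outside   :", translate("192.168.2.70", "dmz", "outside", nats, globs, statics))
```

Running it against the posted lines reports the `nat (store) 2` / `global (store) 2` pair as unusable and shows inside-to-store traffic matched by the identity static rather than by any PAT; against the proposed lines it reports no problems and inside-to-store traffic PATs to the store interface address, while inside-to-outside keeps its PAT through `global (outside) 1`.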
10-06-2006 08:10 AM
Can you post the current config?
10-06-2006 08:35 AM
Sure ..
ASA Version 7.2(1)
!
hostname lab-asa
domain-name lab.net
enable password xxx
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.*.*.* 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.31.1.8 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.2.66 255.255.255.0
!
interface GigabitEthernet0/3
nameif store
security-level 90
ip address 10.2.195.28 255.255.255.0
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name lab.net
object-group network Inside-all
description Private Lab Networks
network-object 172.2.0.0 255.255.0.0
network-object 172.31.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 65.*.*.* eq ftp log debugging
access-list inside_access_in extended permit ip any any
access-list store_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu management 1500
mtu store 1500
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
monitor-interface management
monitor-interface store
monitor-interface inside
monitor-interface dmz
monitor-interface outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (store) 2 interface
global (outside) 1 interface
nat (management) 0 0.0.0.0 0.0.0.0
nat (store) 2 10.2.195.0 255.255.255.0
nat (inside) 1 172.0.0.0 255.0.0.0
static (dmz,outside) 65.215.83.7 192.168.2.67 netmask 255.255.255.255
static (inside,store) 172.0.0.0 172.0.0.0 netmask 255.0.0.0
access-group store_access_in in interface store
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route store 10.0.0.0 255.0.0.0 10.2.195.1 1
route inside 172.0.0.0 255.0.0.0 172.31.1.254 1
route outside 0.0.0.0 0.0.0.0 65.215.83.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username dave password L.JSDLBWD4Ud8j.3 encrypted privilege 15
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 store
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 store
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
10-06-2006 08:37 AM
Try this...
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
global (dmz) 1 interface
global (store) 1 172.16.1.1
** please rate if it helps **