ASA DMZ - Un-NATed DMZ with PUBLIC IPs - Did I do it right?

Hey folks,

Consider the following - is this a "correct" way of making a DMZ where you can assign public IPs to the hosts?

It is expected that hosts placed in this segment have a firewall of their own. It's from ASA software v8.6.

interface GigabitEthernet0/1.100
 vlan 100
 nameif X-net-WAN
 security-level 50
 ip address 5.5.5.1 255.255.255.240
!
object network X-net-WAN
 subnet 5.5.5.0 255.255.255.240
!
nat (X-net-WAN,outside) source static X-net-WAN X-net-WAN
!
access-group outside-in in interface outside
!
access-list outside-in extended permit ip any 5.5.5.0 255.255.255.240
!

Everything seems to be working fine. A packet-tracer gives the following:

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (X-net-WAN,outside) source static X-net-WAN X-net-WAN
Additional Information:
NAT divert to egress interface X-net-WAN
Untranslate 5.5.5.2/80 to 5.5.5.2/80

... snip

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: X-net-WAN
output-status: up
output-line-status: up
Action: allow


Is the type UN-NAT the same as the old pre v8.3 nat-exempt?

Do you agree on this method or do you have a better way of doing it?


Thx in advance!

Accepted Solution

This is a perfectly correct configuration.

With Packet Tracer (PT) we can inject a real packet into the ASA forwarding plane and see what's going on. For NAT we can have three sections in the PT output (called Phases):

  • NAT – shows how the source of the packet will be translated
  • UN-NAT – shows how the destination of the packet will be translated
  • NAT RPF-CHECK – shows how the source of the returning packet might/should be translated (RPF – Reverse Path Forwarding)

Refer: https://supportforums.cisco.com/discussion/11877356/un-nat-question


HTH

"Please rate helpful posts"
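As an added illustration (not part of the thread, and not Cisco's or the poster's code), the following Python script reads the poster's configuration above and checks the two things the question turns on: that the DMZ object is identity-NATed towards `outside` (the same object on both sides of `source static`, which is how post-8.3 code expresses "do not translate", the role `nat-exempt` played before), and how much the inbound ACL actually leaves to the hosts' own firewalls. The parser only understands the `object network` / `nat ... source static` / `access-list ... extended` forms that appear in the thread; object references inside ACEs and the function names (`audit_dmz`, `parse_nat_rules`, ...) are this example's own assumptions, and the embedded config is a constructed copy of the one posted.

```python
import ipaddress
import re

# Constructed sample: the poster's ASA 8.6 DMZ configuration as shown in the thread
# (the 5.5.5.0/28 range and the X-net-WAN name are the poster's own example values).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.100
 vlan 100
 nameif X-net-WAN
 security-level 50
 ip address 5.5.5.1 255.255.255.240
!
object network X-net-WAN
 subnet 5.5.5.0 255.255.255.240
!
nat (X-net-WAN,outside) source static X-net-WAN X-net-WAN
!
access-group outside-in in interface outside
!
access-list outside-in extended permit ip any 5.5.5.0 255.255.255.240
"""


def parse_objects(config):
    """Map 'object network NAME' blocks to ip_network (subnet and host forms only)."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
        elif current and line.startswith(" "):
            m = re.match(r"\s+subnet (\S+) (\S+)$", line)
            if m:
                objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            m = re.match(r"\s+host (\S+)$", line)
            if m:
                objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
        else:
            current = None  # any non-indented line ends the object block
    return objects


def parse_nat_rules(config):
    """Collect twice-NAT 'nat (in,out) source static REAL MAPPED' rules."""
    pat = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+)")
    rules = []
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            ingress, egress, real, mapped = m.groups()
            rules.append({"ingress": ingress, "egress": egress,
                          "real": real, "mapped": mapped,
                          # same object on both sides = identity NAT: the 8.3+ way
                          # of saying "leave the addresses alone"
                          "identity": real == mapped})
    return rules


def _addr(tokens, i):
    """Parse an ACE address operand at tokens[i]; return (ip_network, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acl(config, name):
    """Parse extended ACEs of ACL NAME that use plain any/host/subnet-mask operands."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = t[3], t[4]
        src, i = _addr(t, 5)
        dst, _ = _addr(t, i)
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst})
    return entries


def audit_dmz(config, dmz_object):
    """Report whether the DMZ object is identity-NATed to outside and how open the inbound ACL is."""
    dmz_net = parse_objects(config)[dmz_object]
    nat = [r for r in parse_nat_rules(config) if r["real"] == dmz_object]
    identity = any(r["identity"] and r["egress"] == "outside" for r in nat)
    m = re.search(r"^access-group (\S+) in interface outside$", config, re.M)
    aces = parse_acl(config, m.group(1)) if m else []
    # 'permit ip any <dmz>' lets every source reach every port of every DMZ host;
    # the only filtering left is whatever runs on the hosts themselves
    wide_open = [e for e in aces
                 if e["action"] == "permit" and e["proto"] == "ip"
                 and e["src"].prefixlen == 0 and e["dst"].overlaps(dmz_net)]
    return {"dmz": str(dmz_net), "identity_nat_to_outside": identity,
            "inbound_aces": len(aces), "open_to_any_ip": bool(wide_open)}


if __name__ == "__main__":
    print(audit_dmz(SAMPLE_CONFIG, "X-net-WAN"))
```

Run against the posted config, the audit confirms the identity NAT (so the packet-tracer `UN-NAT` phase "untranslates" 5.5.5.2 to itself) and flags the inbound ACE as open to any source for any IP protocol, which is exactly the trade-off the poster states: the ASA passes traffic untouched and the DMZ hosts' own firewalls do the filtering. Tightening the ACE to the ports each host actually serves would move that filtering back onto the ASA.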
