Can you 'no nat' a static NAT

i.harvey
Level 1

Hi - I have this question because I need to log the IP addresses of requests to a web-proxy server.

The current web-proxy server is in a DMZ, traffic is in the identity NAT rules and the source IP is passed through the firewall to the server and logged.

I have set up a test web-proxy server which is in another DMZ, but I need to access this with an 'inside' IP address, rather than the true 'DMZ' IP address. I have tested this using a policy Static NAT (so that VPNs can access it too - please refer to https://supportforums.cisco.com/thread/2013181) and I have everything working except the logging; all requests now log with the firewalls DMZ interface rather than the true source IP.

Is there any way round this?

5 Replies

i.harvey
Level 1

This is on a Cisco ASA 5520 ver 7.2(4)

Ian,

Good to see you again ;-)

So, you have:

LAN 172.16.0.1
DMZ 192.168.0.1

static (dmz,inside) 172.16.0.1 192.168.0.1 netmask 255.255.255.255
This command is to get to the server on the DMZ with the LAN address from the inside interface

static (dmz,out) 172.16.0.1 192.168.0.1
This command is to get to the server on the DMZ with the LAN address from the outside interface

Now, you want to log the requests to this server with the LAN IP?
Out which interface is the logging server?

Federico.

Good to see you again too, Federico

The logging server is also on the DMZ 192.168.0.1 server (Web Proxy).

I set my web browser PROXY to be 172.16.0.1, my web request gets translated to 192.168.0.1. The server (192.168.0.1) actions my web request and then returns the web page to me - it also logs that I have visited this web site, but instead of registering my own IP address (e.g. 172.16.0.100), it is registering the IP address of the DMZ interface of the Firewall (192.168.0.254).

If I use another PC (with a different IP address - 172.16.0.101) with the same web browser PROXY setting, then it is also registered on the DMZ server 192.168.0.1 with the IP address of the DMZ interface of the Firewall (192.168.0.254).

The DMZ server is not able to log the different source IPs.

The reason for this is that the logging server is on the DMZ 192.168.0.1 (Web Proxy)


You setup your web browser proxy to 172.16.0.1 on the inside LAN.

When the packets get to the web proxy, they get to the real IP of the proxy (192.168.0.1)

I think that the LAN machines (192.168.0.x) are getting translated to the DMZ IP when going to the DMZ.
This is why the proxy 'sees' the requests coming from the ASA's DMZ IP rather than coming from the LAN real IPs.

If you for example, set up a NAT rule like this:

static (inside,dmz) 172.16.0.5 172.16.0.5

In this way, when host 172.16.0.5 contacts the proxy, the proxy will see the request from the real IP 172.16.0.5 and not from the DMZ interface of the ASA.

You can also use a nat0 rule or subnets in the static command.

Federico.

Hi, I have stripped out a lot of my config and ended up with the following:

! Policy NAT ACL: real proxy address as source, inside and DMZ ranges as destinations
access-list TESTPROXY extended permit ip host 192.168.0.1 172.16.0.0 255.255.0.0
access-list TESTPROXY extended permit ip host 192.168.0.1 192.168.0.0 255.255.0.0
! Policy statics: the proxy is reached as 172.16.0.1 from the outside (VPN) and inside interfaces
static (dmz,outside) 172.16.0.1 access-list TESTPROXY
static (dmz,inside) 172.16.0.1 access-list TESTPROXY

and it all seems to be working as I hoped.
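To put Federico's explanation and Ian's final lines side by side, here is an added ASA 7.2-style configuration that is not from the original thread: the dynamic translation that hides the client addresses next to the identity translations that preserve them, plus the commands used to verify the result. It assumes interface names inside, dmz and outside, a 172.16.0.0/16 LAN, the proxy's real address 192.168.0.1, an assumed proxy port of 8080, and hypothetical ACL names.

```text
! --- Translation that produces the symptom (assumed; not shown in the thread) ---
! Dynamic PAT of every inside host to the DMZ interface address (192.168.0.254):
! the proxy logs 192.168.0.254 for every client instead of the real source.
nat (inside) 1 172.16.0.0 255.255.0.0
global (dmz) 1 interface

! --- Fix option A: identity static for the LAN toward the DMZ ---
! Static translations are matched before the dynamic nat/global pair above,
! so inside hosts keep their real 172.16.x.x address when they reach the proxy.
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

! --- Fix option B: NAT exemption (nat 0) limited to proxy-bound traffic ---
! nat 0 access-list is evaluated first of all translation rules; only traffic
! from the LAN to the proxy's real address is left untranslated.
access-list INSIDE_TO_PROXY_NONAT extended permit ip 172.16.0.0 255.255.0.0 host 192.168.0.1
nat (inside) 0 access-list INSIDE_TO_PROXY_NONAT

! --- Policy statics so the proxy is reached as 172.16.0.1 from inside and from the VPN ---
access-list PROXY_POLICY extended permit ip host 192.168.0.1 172.16.0.0 255.255.0.0
static (dmz,inside) 172.16.0.1 access-list PROXY_POLICY
static (dmz,outside) 172.16.0.1 access-list PROXY_POLICY

! --- Verification: trace one client request and inspect the translation it built ---
! The NAT phase of the trace should show the identity static or the nat 0 rule,
! and the xlate for the client should keep 172.16.0.100 as the mapped address.
packet-tracer input inside tcp 172.16.0.100 40000 172.16.0.1 8080
show xlate | include 172.16.0.100
```

Pick one of the two fix options; if the ASA reports an overlap with an existing static when you add the identity static, narrow it to the client range (or use the nat 0 form, which carries no such check).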
