Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
306
Views
0
Helpful
2
Replies

Cisco ASA problem with NAT

Jiri Chvatal
Level 1
Level 1

‎10-13-2014 08:50 AM - edited ‎03-11-2019 09:55 PM

Hello,

 

I would like to accomplish following task : 

 

I have some DMZ zone on ASA. It has access only to internet, not to inside network. This is network used for visitors.

I would like to perform nat from inside subnet to DMZ and then from DMZ to outside. Why?

 

We have two facilities, only one ASA as GW. I cannot directly connect second facility to ASA.

 

So let's say I need for example network 172.16.20.0 /24 to be nated to DMZ interface. And DMZ interface has nat (DMZ,outside) source dynamic DMZ-LAN interface

 

Problem I have is, ASA cannot do NAT from inside network to DMZ. Inside to outside works just fine. See the config part below : 

 

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.21.201 255.255.255.0

 

interface GigabitEthernet0/3
 nameif DMZ
 security-level 50
 ip address 192.168.30.1 255.255.255.0

 

nat (inside,DMZ) after-auto source dynamic WIFI_NAT (172.16.10.0/24) interface - this is command ASA ignores

nat (DMZ,outside) after-auto source dynamic DMZ interface - this command works fine (dmz network can access internet)

nat (inside,outside) after-auto source dynamic (172.16.1.0/24) interface - this command works fine, subnet 172.16.1.0/24 can access internet.

 

Access lists are set for test purpose all to permit ip any any. 

 

Any ideas, why xlate from inside to DMZ is not working?

 

Thank you.

 

 

Labels:
0 Helpful
2 Replies 2

david-swope
Level 1
Level 1

‎10-13-2014 12:51 PM

What code are you running? Why not use object NAT?

 

object network Inside

subnet 192.168.21.0 255.255.255.0

nat (inside,dmz) dynamic interface

 

So anyone coming into the DMZ from the Inside will NAT to 192.168.30.1

 

 

 

0 Helpful

Jiri Chvatal
Level 1
Level 1
In response to david-swope

‎10-14-2014 03:24 AM

I am running 9.1.2.

 

I guess object nat is almost the same as command "nat (inside,DMZ) source dynamic 192.168.21.0/24 interface, isn't it? 

 

And, I tried that, does not work :-)

 

Looks like DMZ interface didn't know where to forward the traffic, so no NAT is performed. I tried to remove default route on outside (to internet) and then "nat (inside,outside)" was not working as well.

 

But I can't add another route for inteface DMZ...And DMZ should know the "default route" by command "nat (DMZ,outside) source dynamic DMZ interface.

Thx anyway for you suggestion.

 

edit : I managed to inside network be translated finally.

 

nat (inside,dmz) source dynamic pat-pool PAT-POOL interface destination static ANY any; PAT-POOL is ip address from DMZ subnet

UDP PAT from inside:10.0.0.2/61028 to dmz:192.168.200.222/61028 flags ri idle 0:00:10 timeout 0:00:30
UDP PAT from inside:10.0.0.2/61060 to dmz:192.168.200.222/61060 flags ri idle 0:00:24 timeout 0:00:30
UDP PAT from inside:10.0.0.2/55226 to dmz:192.168.200.222/55226 flags ri idle 0:00:24 timeout 0:00:30
ICMP PAT from inside:10.0.0.2/1 to dmz:192.168.200.222/1 flags ri idle 0:00:01 timeout 0:00:30
ciscoasa(config)# 

 

But but even if I have "nat (dmz,outside) source dynamic dmz interface" command, 192.168.200.222 cannot reach internet :-/

 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card