Dynamic NAT can be verified by Ping?

Tang-Suan Tan
Level 1

Hi Jcarvaja and all:

I have a problem verifying Dynamic NAT by ping. First of all, can Dynamic NAT be verified by ping?

Following is my configuration of Dynamic NAT from Inside to DMZ. (My Inside network is 192.168.100.0/24 and the dmz network is 192.168.50.0/24.)

nat (inside) 20 192.168.100.0 255.255.255.0

global (dmz) 20 192.168.50.151-192.168.50.160

When I use a host on the inside with IP 192.168.100.x to ping a host on the dmz with 192.168.50.x, it always fails, and it also fails in the reverse direction, from dmz to inside.

Before these two command lines, hosts on both sides could ping each other.

Is there any way (by adding a command or other commands) to make ping verify the Dynamic NAT? Or is there no way to verify Dynamic NAT by ping?

Thanks for your answer in advance!

Best regards,

tangsuan


15 Replies

Julio Carvajal
VIP Alumni

Hello Tang,

The thing is that you are doing PAT here, and as you know it uses translation based on source IP and port, and ICMP does not use ports, so you would not be able to.

That is why I see in this particular scenario,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja:

Thanks for your reply!

If that is the case, how can I use any tool to verify that the dynamic NAT is working fine?

I have tried to use Packet Tracer with ICMP or TCP to trace a packet from Inside to DMZ or DMZ to Inside; it seems like the packet drops at the NAT step and cannot reach the end IP address.

What is the problem, and can anything help? Thanks!

Regards,

tangsuan

Hello,

What about the configuration of the nat on the DMZ?

Can you provide us with the full nat configuration?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja:

Sorry, I have to amend the above description: when doing packet tracing from inside to dmz, it is fine and shows no packet drop.

The packet drop happens when doing packet tracing from dmz to inside; it shows a packet drop at the NAT lookup step.

How can I ensure that when doing packet tracing from dmz to inside there is also no packet drop at the NAT lookup step?

Is there any way out for it?

Many thanks!

tangsuan

Hi Jcarvaja:

Below is the portion of the config file for nat and global:

ciscoasa# conf t

ciscoasa(config)# sh run nat

nat (inside) 20 192.168.100.0 255.255.255.0

ciscoasa(config)# sh run global

global (dmz) 20 192.168.50.151-192.168.50.160

It seems like packet tracing in one direction, from inside to dmz, is OK. Should it be that way, and what is the implication of the reverse packet tracing not being OK? Will it affect any traffic flow from DMZ to Inside?

If I want to make packet tracing from DMZ to Inside OK, is there any command line that can help with that?

Thanks!

Regards,

tangsuan

Hi Jcarvaja:

Below is more info from show nat:

ciscoasa(config)# sh nat

NAT policies on Interface inside:
  match ip inside 192.168.100.0 255.255.255.0 inside any
    dynamic translation to pool 20 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.100.0 255.255.255.0 dmz any
    dynamic translation to pool 20 (192.168.50.151 - 192.168.50.160)
    translate_hits = 12, untranslate_hits = 4
  match ip inside 192.168.100.0 255.255.255.0 outside any
    dynamic translation to pool 20 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.100.0 255.255.255.0 _internal_loopback any
    dynamic translation to pool 20 (No matching global)
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface dmz:
  match tcp dmz host 192.168.50.220 eq 56789 outside any
    static translation to 192.168.20.1/56789
    translate_hits = 0, untranslate_hits = 0
  match ip dmz host DRMServer outside any
    static translation to MapAddDMZtoOutside
    translate_hits = 0, untranslate_hits = 0

If you need more info, please let me know.

Thanks!

tangsuan
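As an added example (not code from the thread or from Cisco), here is a small Python parser for the 8.2-style `show nat` output quoted above. It extracts each policy's translation type and hit counters and flags the policies that, as the replies below explain, cannot serve connections initiated from the lower-security side: dynamic pools (one-way, fail the NAT rpf-check) and pools with no matching global. The sample input is a constructed, abridged copy of the output in this post; the `audit` function and its wording are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: abridged ASA 8.2 "show nat" output as posted in this thread.
SHOW_NAT = """\
NAT policies on Interface inside:
  match ip inside 192.168.100.0 255.255.255.0 dmz any
    dynamic translation to pool 20 (192.168.50.151 - 192.168.50.160)
    translate_hits = 12, untranslate_hits = 4
  match ip inside 192.168.100.0 255.255.255.0 outside any
    dynamic translation to pool 20 (No matching global)
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface dmz:
  match tcp dmz host 192.168.50.220 eq 56789 outside any
    static translation to 192.168.20.1/56789
    translate_hits = 0, untranslate_hits = 0
"""

@dataclass
class NatPolicy:
    ingress: str          # interface the policy is listed under
    match: str            # text after the "match" keyword
    egress: str           # destination interface named in the match line
    kind: str = ""        # "dynamic" or "static"
    target: str = ""      # pool range, mapped address, or "No matching global"
    translate_hits: int = 0
    untranslate_hits: int = 0

def parse_show_nat(text: str) -> list[NatPolicy]:
    policies, iface, cur = [], None, None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"NAT policies on Interface (\S+):", s):
            iface = m.group(1)
        elif s.startswith("match "):
            # match <proto> <in-if> <src...> <out-if> <dst>: egress is the second-to-last word
            cur = NatPolicy(iface, s[6:], s.split()[-2])
            policies.append(cur)
        elif m := re.match(r"(dynamic|static) translation to (?:pool \d+ )?\(?(.+?)\)?$", s):
            cur.kind, cur.target = m.group(1), m.group(2)
        elif m := re.match(r"translate_hits = (\d+), untranslate_hits = (\d+)", s):
            cur.translate_hits, cur.untranslate_hits = int(m.group(1)), int(m.group(2))
    return policies

def audit(policies: list[NatPolicy]) -> list[str]:
    """One finding per policy that cannot serve connections initiated from its egress interface."""
    findings = []
    for p in policies:
        if "No matching global" in p.target:
            findings.append(f"{p.ingress}->{p.egress}: dynamic NAT has no global pool; traffic is dropped")
        elif p.kind == "dynamic":   # static (incl. identity) NAT is the only bidirectional kind
            findings.append(f"{p.ingress}->{p.egress}: dynamic NAT is one-way; connections initiated from "
                            f"{p.egress} toward {p.match.split()[2]} fail the NAT rpf-check (use static/identity NAT)")
    return findings
```

The non-zero `untranslate_hits` on the inside-to-dmz policy are the replies to inside-initiated flows, which is the only direction a dynamic pool serves.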

Hello,

I wanted to see the entire NAT configuration. Is that all you have (those 2 nat statements)?

nat (inside) 20 192.168.100.0 255.255.255.0

global (dmz) 20 192.168.50.151-192.168.50.160

Is that all you have configured?

I think there is a nat (dmz) global (outside). Am I right?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja:

I just have nat (inside) and global (dmz).

I do not use nat (dmz) and global (outside). Let me know if you need more info or entire config file. Thanks!

regards,

tangsuan

Hello Tang,

Traffic from the inside to the DMZ (higher to lower security level traffic) should be allowed, and the returning traffic should not need any NAT translation, as you are not doing any NAT on the DMZ.

Just in case, let's do the following:

static (dmz,inside) DMZ_network_ip DMZ_network_ip netmask 255.255.255.0

If you can, please provide a packet-tracer.

Regards,

Rate posts that help.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja:

I tried adding the command line as you suggested:

static (dmz,inside) DMZ_network_ip DMZ_network_ip netmask 255.255.255.0

and the result is the same: the packet is dropped at the NAT step by Packet Tracer when doing the TCP trace from dmz to inside. Please see the picture below for reference. I think this should be the way, as Dynamic NAT will fail from a lower security site to a higher security site.

Thanks!

Hello Tang,

I understood the problem differently. In this case you are initiating the connection from the DMZ (lower security level) to the inside (higher security level), so you will need 2 things:

1- ACL on the DMZ interface allowing the connection

2- Identity NAT or NAT 0 as my co-worker Luis Cambronero suggested; he is right, you need a bi-directional NAT statement, so please do the following:

1-access-list dmz_in permit ip any any

    access-group dmz_in in interface dmz

2- static (inside,dmz) 192.168.100.2 192.168.100.2

packet-tracer input dmz tcp permit 192.168.50.15 1025 192.168.100.2 80

And you will see it working.

Regards,

Rate helpful posts!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja:

OK. I tried to add the command:

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

and this works for both directions. This shows that only static NAT can be bi-directional, and it overrides the Dynamic NAT which is still in the config file.

I will close this discussion because it has already been answered by you.

thanks!

tangsuan

Hello Tang,

Glad I could help!!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

lcambron
Level 3

Hi Tangsuan,

The issue here is that you are translating the source IP address from inside to dmz, and when you try a connection from dmz to inside this will be dropped due to the NAT rpf-check. In other words, the packet from DMZ to inside is not translated but the reply will be translated, and the ASA will not allow this. The packet has to use the same NAT statement both ways.

You can use static NAT or NAT 0, which are bidirectional, but you cannot use PAT if you want the connection to work from inside to DMZ and vice versa.

I hope this helps,

Felipe.
