Solved: Internal server NAT to DMZ

Jason Jackal · ‎05-21-2012

Folks:

I need a little help with this question since I never encounted a deployment like this.

I currently have a server on the internal network that is has been NAT to the subnet of the DMZ. I cannot ping any internal servers from the DMZ that has not been NAT; however, I can ping DMZ servers from the Internal network.

I am want to create ACL rules and block traffic to and from the computers/servers that have been NAT to the DMZ; however, my rules do not work. I am suspecting this is because - dispite the servers being in the Internal network, the firewall sees the NAT table as bing in same DMZ interface.

Why would a network engineer NAT internal servers to the DMZ? Wouldn't enabiling routing be better, which would allow ACL to be used to block traffic from the DMZ?

Julio Carvajal · ‎05-22-2012

Hello Jason,

If the traffic is always going to be innitated from the Inside side you do not need an ACL, now if the traffic needs to be innitiated from the 168.1.x network you will need to have a static one to one NAT and then and ACL allowing that traffic in this case to the 192.168.1.x host

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎05-21-2012

Hello Jason,

I guess you are running a version lower than 8.3 where NAT control is enabled by default, that being said NAT will need to exist in order for a packet to traverse an interface.

If you just want to use routing add the following command:

no nat-control

Now I would say your DMZ has a lower security level than the INSIDE interface so by default all traffic innitiated on the DMZ to the INSIDE will be denied based on that.

If you want to allow just ICMP from DMZ to In you will need to create an ACL an put it in the DMZ interface in direction.

Regards.

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jason Jackal · ‎05-22-2012

jcarvaja:

Thank you for your insight.

You are correct – I just reviewed and verified that I am using 8.2(1). After I reviewed the network I discovered a few new items, which I reflected on my new topology map. I hope this also helps in determining my issue.

I appreciate your help and suggestions; however, I am a little baffled by your suggestion about an ACL on the DMZ interface. If system 192.168.5.11 is NAT to 192.168.1.11 and I want to block all traffic expect port TCP 1434, then what will my policy look like?

access-list 101 permit tcp 192.168.1.23 0.0.0.0 192.168.5.11 0.0.0.0 1434

access-list 101 deny any any

or would it be

access-list 101 permit tcp 192.168.1.23 0.0.0.0 192.168.1.11 0.0.0.0 1434

access-list 101 deny any any

Julio Carvajal · ‎05-22-2012

Hello Jason,

If the traffic is always going to be innitated from the Inside side you do not need an ACL, now if the traffic needs to be innitiated from the 168.1.x network you will need to have a static one to one NAT and then and ACL allowing that traffic in this case to the 192.168.1.x host

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jason Jackal · ‎05-22-2012

I see what you are saying...thank you again for helping me through this issue and making me a better network engineer.

Julio Carvajal · ‎05-22-2012

Hello Jason,

Thanks for the comment and its my pleasure..

Any other question just let know.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC