nat 0 problem, please help

shaila_rox (Level 1)

Hi, I'm starting my SNPA course and while practising in the lab I encountered this problem. Please help me.

On the ASA I'm using just two interfaces, outside and DMZ. I have one public IP, which I have assigned to my web server on the DMZ. Other than this web server I have two more servers (just assume they are FTP and mail). The FTP server has the IP 10.0.0.1 and mail has the IP 10.0.0.2, whereas the web server has the IP 30.0.0.1 (a public IP). Now I'm using nat (inside) 0 30.0.0.1 255.255.255.255, but you can see there is a problem: what will be the gateway of the web server? I'm using nat 0 so that NAT is not performed on the web server but is still performed on the other servers, so how can I do it? If, for example, I assign 10.0.0.10 to the DMZ interface, that will be the gateway on my FTP and mail servers, right? So what IP settings do I have to make on the web server with the public IP? Please don't ask me to move the web server to another interface; tell me the solution in this case only, please.


9 Replies

Jon Marshall (Hall of Fame)

Hi Jon

If you want to keep the web server on the same interface you need to readdress the web server. It too needs a 10.0.0.x address, and its gateway will be 10.0.0.10 (the DMZ interface).

You then present this web server to the outside as 30.0.0.1, i.e.

static (DMZ,outside) 30.0.0.1 10.0.0.x netmask 255.255.255.255

The 30.0.0.1 must be routable to the outside interface of your ASA.

HTH
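An added configuration example (not Jon's reply or Cisco's own documentation) putting the readdressing and the static together in the pre-8.3 ASA syntax this thread uses, with the contrasting nat 0 case beside it. The web server's private address 10.0.0.3, the interface name dmz and the ACL names are assumptions; the thread only says 10.0.0.x.

```text
! Added example. Assumes the web server is readdressed to 10.0.0.3 on the DMZ
! (the thread only says 10.0.0.x); interface and ACL names are also assumed.
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 10.0.0.10 255.255.255.0
!
! FTP (10.0.0.1), mail (10.0.0.2) and anything else on the DMZ are translated
! dynamically (PAT) behind the outside interface address when they go out.
nat (dmz) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
!
! The web server keeps a private address and gateway 10.0.0.10 like the others;
! the ASA presents it to the outside as 30.0.0.1 with a one-to-one static.
! A static creates a permanent xlate and, unlike dynamic NAT, lets outside
! hosts initiate connections, which is what a public web server needs.
static (dmz,outside) 30.0.0.1 10.0.0.3 netmask 255.255.255.255
!
! The static only translates; inbound traffic still has to be permitted.
! On pre-8.3 software the ACL names the translated (global) address.
access-list OUTSIDE_IN extended permit tcp any host 30.0.0.1 eq www
access-group OUTSIDE_IN in interface outside
!
! 30.0.0.1 has to reach the outside interface: if it lies in the outside
! subnet the ASA proxy-ARPs for it because of the static; otherwise the
! upstream router needs a route for it pointing at the ASA.
!
! Contrast: nat 0 fits only when the DMZ itself carries public addressing,
! e.g. every DMZ host on 30.0.0.0/24 with the interface at 30.0.0.254.
! The access-list form (NAT exemption) lets either side initiate connections;
! plain "nat (dmz) 0 30.0.0.0 255.255.255.0" is identity NAT, where only
! the DMZ host can open the connection, so it would not serve a web server.
!   access-list NO_NAT extended permit ip 30.0.0.0 255.255.255.0 any
!   nat (dmz) 0 access-list NO_NAT
```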

Bingo

Then what's the use of the nat 0 command? In which case will I be able to use the public IP? I don't get it. Please explain what the use of this command is.

Hi

Nat 0 is, as you know, for when you do not want to NAT traffic. There are a few reasons why you might want to use this.

1) You have a DMZ segment that contains public IP addressing. If, as in your example, all your servers had 30.0.0.x addressing and your DMZ interface was on 30.0.0.x, then you would want to allow this traffic out unnatted.

2) IPsec VPNs. With many site-to-site VPNs between corporate offices you may not want to NAT addresses going between sites.

3) Firewalls used internally within the enterprise. Many companies deploy firewalls internally and they often have no need to NAT the servers behind the firewalls.

HTH

OK, thanks, I think I got it :) There is one more question I want to ask. Whenever I apply a new ACL or edit an existing one there is no change to the existing connections. Why is that? Some say that we can use the clear xlate command, but it is going to disrupt all the connections. For example, I may want to deny a few connections, but since I'm doing clear xlate all the connections will be made new! So if someone is transferring a file from my server he will be disrupted as well. How can I solve this problem? Please tell me.

Yes, you will need a clear xlate. When you type in clear xlate it removes all the translations on the PIX and, as you say, this interrupts existing connections.

However you don't need to clear all the xlates. You can just clear the xlate you have made a change for in your access-list.

So you would do a "show xlate" to see the translation you need to clear, and then:

clear xlate "global ip" "local ip" netmask "netmask"

HTH

Don't you think that's a limitation? Why doesn't the appliance check by itself which connections are to be filtered as a result of the new ACL? If this is the case, as you are telling me, then how can I make time-based ACLs work? They were not working at all when I tried them in the lab, and I guess that's the reason: it was not disrupting existing connections, right? So what's the use of time-based ACLs? Please tell me. And sir, is it possible that you can give me your ID, so that I can have an online conversation with you?

All makes of firewalls have idiosyncrasies about them; you just have to get used to them. It's not really a limitation. You might well not want the change to take place until the existing xlate has timed out, in the case of dynamic NAT.

As for time-based ACLs, it depends on what you are trying to do. You only need to clear xlates when you need to update the NAT translation for that connection. I'm not sure how this ties in with time-based ACLs?

HTH

No, see: suppose the time on my firewall (ASA 5510, IOS 7.0) was 8:12:23 and I defined a time-range with absolute end 8:14, OK? Now I applied it to the ACL that was permitting outside traffic to contact my inside PC, right? But even when the time expired the outside PC was still able to communicate (I issued the ping 10.0.0.1 -t command). Now, when I closed the ping and issued it again, it didn't work because the time ACL was not allowing it. So that's why I'm asking: why didn't the time ACL stop it by itself? Please tell me. And sir, you didn't give me your ID?
