08-20-2013 12:59 PM - edited 03-11-2019 07:28 PM
I added a NAT exemption for a server in my DMZ for subnets Elm and Roc
nat (Inside,Any) source static Elm Roc Elm Roc destination static DMZ-Sever DMZ-Server
About 20 minutes after adding this rule to my firewall, clients in the Elm subnet were disconnected from the Windows server, AS/400s, and DNS.
The Roc subnet was connected through an IPSec VPN tunnel through this same firewall. My Cisco core router 10.0.0.1 is the default gateway for devices in the Elm subnet, Cisco ASA 10.0.0.254 (this is the last resort route).
The issues did not all happen at once; some things would work, then drop and not connect.
After I removed this NAT command (it took 4 hours to identify this was the issue), within 15 minutes the servers, AS/400 and DNS all started working.
I am being asked to identify why this command would cause this issue and I don't know why it did!
Could anyone shed some light on this for me?
Leo
08-20-2013 01:25 PM
Hi,
I guess the above NAT is not the exact format of the command you had. Mainly because you have "Elm Roc Elm Roc" as the "source" parameters. (the source static should be followed by a single object defining the real source and a single object defining the mapped source)
I would presume that the objects are actually named something like "Elm_Roc" or "Elm-Roc"?
What the above configuration essentially tells us
So we would really need to know the specific configurations and routing of the ASA to determine if this configuration is the one you should have configured (though naturally it seems it wasn't the correct one).
If I presume that you wanted to prevent any NAT for a DMZ server when the destination was some INSIDE network, then I would have configured the NAT something like this:
object network LAN
 subnet 10.10.10.0 255.255.255.0
object network DMZ-SERVER
 host 192.168.10.10
nat (DMZ,LAN) source static DMZ-SERVER DMZ-SERVER destination static LAN LAN
This would essentially mean that the hosts on the network 10.10.10.0/24 would be able to connect to the DMZ server with both source and destination IP address staying the same. This naturally applies for the other direction.
So to get to the bottom of this we need more specific information about the current setup (routing table, the actual network/host addresses behind the above NAT configuration) and what stopped working (for example source and destination IP addresses).
- Jouni
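To make the identity-NAT semantics described in the reply above concrete, here is an added Python model; it is not Cisco code and not part of this thread. It parses the two `object network` definitions and the `nat` line quoted in the reply, applies a simplified version of ASA twice-NAT matching to sample packets in both directions, and rejects a `source static` clause that does not consist of exactly one real object and one mapped object (the same observation the reply makes about the rule in the first post). The matching order it assumes (real source and mapped destination on the real-side interface, roles swapped on the mapped-side interface) and the one-to-one offset mapping for non-identity rules are simplifications, not a full ASA implementation.

```python
import ipaddress
import re

# Constructed config fragment, copied from the identity-NAT example in the reply.
SAMPLE_CONFIG = """
object network LAN
 subnet 10.10.10.0 255.255.255.0
object network DMZ-SERVER
 host 192.168.10.10
nat (DMZ,LAN) source static DMZ-SERVER DMZ-SERVER destination static LAN LAN
"""


def parse_objects(config):
    """Return {name: ip_network} from 'object network' blocks (host/subnet only)."""
    objects, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith("host "):
            objects[current] = ipaddress.ip_network(line.split()[1])
        elif current and line.startswith("subnet "):
            _, net, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{net}/{mask}")
    return objects


# Exactly one real and one mapped object after 'source static'; the optional
# destination clause lists the mapped object first, then the real one.
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static "
    r"(?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<mapped_dst>\S+) (?P<real_dst>\S+))?$"
)


def parse_nat(line):
    """Parse one twice-NAT line; raise ValueError when the token layout is wrong."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a well-formed 'source static' NAT line: {line!r}")
    return m.groupdict()


def _map(addr, from_net, to_net):
    """Static one-to-one mapping: keep the host offset inside the network."""
    offset = int(addr) - int(from_net.network_address)
    return to_net.network_address + offset


def translate(rule, objects, ingress_if, src, dst):
    """Apply a parsed rule to a packet arriving on ingress_if.

    Returns (new_src, new_dst) as strings, or None when the rule does not apply.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    has_dst = rule["real_dst"] is not None
    if ingress_if == rule["real_if"]:
        # Forward: match real source and mapped destination, emit mapped source
        # and real destination.
        s_pair = (objects[rule["real_src"]], objects[rule["mapped_src"]])
        d_pair = (objects[rule["mapped_dst"]], objects[rule["real_dst"]]) if has_dst else None
    elif ingress_if == rule["mapped_if"]:
        # Reverse: the destination clause now describes the source and vice versa.
        s_pair = (objects[rule["real_dst"]], objects[rule["mapped_dst"]]) if has_dst else None
        d_pair = (objects[rule["mapped_src"]], objects[rule["real_src"]])
    else:
        return None
    if s_pair and src not in s_pair[0]:
        return None
    if d_pair and dst not in d_pair[0]:
        return None
    new_src = _map(src, *s_pair) if s_pair else src
    new_dst = _map(dst, *d_pair) if d_pair else dst
    return str(new_src), str(new_dst)


def sample_rule():
    """Objects and rule from SAMPLE_CONFIG, ready for translate()."""
    objects = parse_objects(SAMPLE_CONFIG)
    nat_line = next(l for l in SAMPLE_CONFIG.splitlines() if l.startswith("nat "))
    return parse_nat(nat_line), objects


if __name__ == "__main__":
    rule, objects = sample_rule()
    print(translate(rule, objects, "DMZ", "192.168.10.10", "10.10.10.5"))
    print(translate(rule, objects, "LAN", "10.10.10.5", "192.168.10.10"))
```

With the identity rule both calls return the packet addresses unchanged, which is the "source and destination IP address staying the same" behaviour in both directions; a packet to a destination outside `LAN` returns `None`, so the rule is not the one that handles it.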
08-21-2013 06:18 AM
Workstations (10.0.1.1 /16) telnetting to the AS/400
Workstations (10.0.1.1 /16) connecting to Windows file sharing, DNS, DC, web server
Elm - 10.0.0.0 /16 (LAN)
Roc - 10.20.0.0 /16 (over a VPN tunnel)
MPLS network 10.30.0.0 - 10.100.0.0 /16
DMZ - 10.1.0.0 /16 (DMZ network)
AS/400 10.0.101.1 /16
Server 10.0.100.1 /16
Core Router 10.0.250.1 /16 (this is all machines in Elm default Gateway)
Firewall Inside 10.0.250.200 /16
Firewall DMZ 10.1.250.1 /16
Firewall Outside 3.3.3.3
DMZ-Server 10.1.100.1 /16
Routes
The Core Router -- 0.0.0.0 0.0.0.0 10.0.250.200
multiple routes for MPLS for -- 10.30 - 100
-- 10.20.0.0 255.255.0.0 10.0.250.200
The Firewall -- 0.0.0.0 0.0.0.0 1.1.1.1
-- 10.0.0.0 255.0.0.0 10.0.250.1
-- 10.20.0.0 255.255.0.0 2.2.2.2