01-28-2009 02:52 AM - edited 03-11-2019 07:43 AM
Hi all,
Another DMZ question I'm afraid. I'm trying to achieve the following and any assistance would be great.
I want my Inside to be PAT'd to the Outside and DMZ. I also need my Inside to be able to access the DMZ via the external (212*.*.0) as well as the internal (10.0.0.0) addresses. I can get the Inside connected to the DMZ / Outside via PAT, and the static map works for Outside connections. When I add the line (below), it not only fails to work but it stops the Inside accessing the DMZ on 10.0.0.2 (via PAT).
"static (DMZ,Inside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255"
The ACLs on all interfaces are set to permit IP any to any.
ASA 5510 (8.0)
Inside 192.168.1.0/24
DMZ 10.0.0.0/16
Outside 212.*.*.*/26
global (Outside) 101 interface
global (DMZ) 1 interface
nat (Inside) 1 access-list Inside_nat_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255
static (DMZ,Inside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255
Many thanks.
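To make the question concrete, here is a small lint script for pre-8.3 ASA NAT statements. It is an added example, not something from the original post or from Cisco: it parses the `global`, `nat` and `static` lines above and reports (1) a mapped address that is presented on more than one mapped interface, (2) a `static` whose real address does not live on the real (first) interface named in the command, and (3) a `nat` ID with no matching `global`. The interface subnets come from the post; the masked public range 212.*.*.*/26 is replaced by the documentation placeholder 203.0.113.0/26, which is a constructed value.

```python
"""Lint ASA 8.0-style NAT statements for the ambiguities discussed in the thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed interface layout taken from the post; 212.*.*.*/26 is replaced
# by the documentation placeholder 203.0.113.0/26.
INTERFACES = {
    "Inside": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("10.0.0.0/16"),
    "Outside": ipaddress.ip_network("203.0.113.0/26"),
}

# Constructed sample: the config posted above, with the placeholder public range.
SAMPLE_CONFIG = """\
global (Outside) 101 interface
global (DMZ) 1 interface
nat (Inside) 1 access-list Inside_nat_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) 203.0.113.2 10.0.0.2 netmask 255.255.255.255
static (DMZ,Inside) 203.0.113.2 10.0.0.2 netmask 255.255.255.255
"""

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s*\((\w+)\s*,\s*(\w+)\)\s*(\S+)\s+(\S+)\s+netmask\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s*\((\w+)\)\s+(\d+)\s+(\S+)")
NAT_RE = re.compile(r"^nat\s*\((\w+)\)\s+(\d+)\s+(.*)$")


def parse_config(text):
    """Split a pre-8.3 ASA config into static, global and nat records."""
    statics, globals_, nats = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped_ip, real_ip, mask = m.groups()
            statics.append({"real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
                            "mapped_ip": ipaddress.ip_address(mapped_ip),
                            "real_ip": ipaddress.ip_address(real_ip),
                            "mask": mask, "line": line})
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, pool = m.groups()
            globals_.append({"ifc": ifc, "id": int(nat_id), "pool": pool})
        elif m := NAT_RE.match(line):
            ifc, nat_id, rest = m.groups()
            nats.append({"ifc": ifc, "id": int(nat_id), "rest": rest, "line": line})
    return statics, globals_, nats


def lint(text, interfaces=INTERFACES):
    """Return a list of findings (strings); an empty list means nothing suspicious."""
    statics, globals_, nats = parse_config(text)
    nets = {name.lower(): net for name, net in interfaces.items()}
    findings = []

    # 1. The same mapped address presented on more than one mapped interface.
    by_mapped = defaultdict(set)
    for s in statics:
        by_mapped[s["mapped_ip"]].add(s["mapped_ifc"])
    for ip, ifcs in by_mapped.items():
        if len(ifcs) > 1:
            findings.append(f"mapped address {ip} is presented on several "
                            f"interfaces: {', '.join(sorted(ifcs))}")

    # 2. The real address should belong to the real (first) interface of the static.
    for s in statics:
        net = nets.get(s["real_ifc"].lower())
        if net is not None and s["real_ip"] not in net:
            findings.append(f"real address {s['real_ip']} is not in "
                            f"{s['real_ifc']} ({net}): {s['line']}")

    # 3. Every nat ID needs a global with the same ID on another interface.
    global_ifcs = defaultdict(set)
    for g in globals_:
        global_ifcs[g["id"]].add(g["ifc"])
    for n in nats:
        if not (global_ifcs.get(n["id"], set()) - {n["ifc"]}):
            findings.append(f"nat id {n['id']} on {n['ifc']} has no matching "
                            f"global: {n['line']}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run against the sample it reports one finding: the 203.0.113.2 (i.e. 212.*.*.2) mapped address is presented on both Outside and Inside, which is exactly the overlap the thread goes on to discuss. The second check is useful for reading any suggested `static` line: the first interface in the parentheses is where the real host lives, so a `static` naming `inside` as the real interface for a 10.0.0.x host would be flagged.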
01-28-2009 08:48 AM
In the first command you say the outside interface is associated with the 212.***** IP address; in the next command you say that it is associated with the inside interface. A single subnet cannot be associated with two different interfaces. That's my logic.
Anyone else could explain better ??
01-28-2009 09:06 AM
Hi Victor,
Thanks for your response. My understanding from the documentation was that traffic can't traverse between interfaces without a NAT. So every interface (Outside and Inside) which needs to have visibility of the address (212.*.*.2) needs a static NAT connecting it to the source IP. I think you're correct that you couldn't associate a subnet with more than one interface, but these static NATs have a host mask. I believe this is a form of hairpinning.
Regards.
01-28-2009 06:03 PM
You must have misinterpreted the documentation you read; NAT is not mandatory for traffic to traverse interfaces.
Traffic can traverse interfaces using mere routing on a PIX or ASA. You only require appropriate access-lists allowing traffic into the higher security interfaces.
01-28-2009 08:49 PM
Sorry, I was driving to work and suddenly I realised that I screwed up the last reply completely. You indeed read the documentation right, and NAT is mandatory to traverse interfaces,
but instead of using a different IP to NAT
you can use something like
static (inside, DMZ)10.0.0.2 10.0.0.2 netmask 255.255.255.255
This will do the job without changing anything.
Sorry again for the wrong replies.
01-29-2009 02:19 AM
Hi Victor,
No problem, any feed back is very much appreciated.
From what I can see, the line below...
static (inside, DMZ)10.0.0.2 10.0.0.2 netmask 255.255.255.255
...would present the Inside address of 10.0.0.2 to the DMZ as 10.0.0.2. I would have transposed the interfaces, but I guess static NATs are bi-directional so it doesn't make any difference. I would have thought that the NAT to DMZ PAT would have taken care of this though.
global (DMZ) 1 interface
nat (Inside) 1 access-list Inside_nat_outbound
Should I remove my PAT and replace it with your suggested static NAT?
Cheers.
01-29-2009 10:00 PM
Your config is good enough; it must work without any issues.