
New Member

NAT - Inside to DMZ via Public IP

Hi all,

Another DMZ question I'm afraid. I'm trying to achieve the following and any assistance would be great.

I want my Inside to be PAT'd to the Outside and DMZ, and I also need my Inside to be able to access the DMZ via the external (212*.*.0) as well as the internal (10.0.0.0) addresses. I can get the Inside connected to the DMZ / Outside via PAT, and the static map works for Outside connections. When I add the line (below), it not only fails to work but it stops the Inside accessing the DMZ on 10.0.0.2 (via PAT).

"static (DMZ,Inside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255"

The ACLs on all interfaces are set to permit IP any to any.

ASA 5510 (8.0)

Inside 192.168.1.0/24

DMZ 10.0.0.0/16

Outside 212.*.*.*/26

global (Outside) 101 interface

global (DMZ) 1 interface

nat (Inside) 1 access-list Inside_nat_outbound

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (DMZ) 101 0.0.0.0 0.0.0.0

static (DMZ,Outside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255

static (DMZ,Inside) 212.*.*.2 10.0.0.2 netmask 255.255.255.255

Many thanks.

6 REPLIES
New Member

Re: NAT - Inside to DMZ via Public IP

In the first command you say the outside interface is associated with the 212.***** IP address; in the next command you say that it is associated to the inside interface. A single subnet cannot be associated to two different interfaces. That's my logic.

Anyone else could explain better ??

New Member

Re: NAT - Inside to DMZ via Public IP

Hi Victor,

Thanks for your response. My understanding from the documentation was that traffic can't traverse between interfaces without a NAT. So every interface (Outside and Inside) which needs to have visibility of the address (212.*.*.2) needs a static NAT connecting them to the source IP. I think you're correct in that you couldn't associate a subnet with more than one interface, but these static NATs have a host mask. I believe this is a form of hairpinning.

Regards.

New Member

Re: NAT - Inside to DMZ via Public IP

You must have misinterpreted the documentation you read; NAT is not mandatory for traffic to traverse interfaces.

Traffic can traverse interfaces using mere routing on a PIX or ASA. You only require appropriate access-lists allowing traffic into the higher security interfaces.

New Member

Re: NAT - Inside to DMZ via Public IP

Sorry, I was driving to work and suddenly I realised that I screwed up the last reply completely. You indeed read the documentation right, and NAT is mandatory to traverse interfaces,

but instead of using a different IP to NAT

you can use something like

static (inside, DMZ)10.0.0.2 10.0.0.2 netmask 255.255.255.255

this will do the job without changing anything.

Sorry again for the wrong replies.

New Member

Re: NAT - Inside to DMZ via Public IP

Hi Victor,

No problem, any feedback is very much appreciated.

From what I can see, the line below…

static (inside, DMZ)10.0.0.2 10.0.0.2 netmask 255.255.255.255

…would present the Inside address of 10.0.0.2 to the DMZ as 10.0.0.2. I would have transposed the interfaces, but I guess static NATs are bi-directional so it doesn't make any difference. I would have thought that the NAT to DMZ PAT would have taken care of this, though.

global (DMZ) 1 interface

nat (Inside) 1 access-list Inside_nat_outbound

Should I remove my PAT and replace it with your suggested static NAT?

Cheers.

New Member

Re: NAT - Inside to DMZ via Public IP

Your config is good enough; it must work without any issues.
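The disagreement in this thread comes down to which address a host behind a given interface must use to reach the DMZ server once host-mask statics are in place. The following small checker, added here as an example and not code from the thread or from Cisco, parses pre-8.3 `static (real_if,mapped_if) mapped real netmask mask` lines and reports, per interface, the address the DMZ host is presented under, plus any mapped address claimed on more than one interface. The 212.0.0.x addresses are placeholders for the poster's masked public block, and the lookup assumes that a host-mask static fixes the host's identity on the mapped interface while dynamic nat/global pairs only rewrite the source.

```python
import re

# Constructed sample reproducing the thread's ASA 8.0 statics; 212.0.0.x is a
# placeholder for the poster's masked public addresses, not a real block.
THREAD_CONFIG = """
static (DMZ,Outside) 212.0.0.2 10.0.0.2 netmask 255.255.255.255
static (DMZ,Inside) 212.0.0.2 10.0.0.2 netmask 255.255.255.255
"""

# Victor's identity-static suggestion, with the interface pair the poster would use.
IDENTITY_STATIC = "static (DMZ,Inside) 10.0.0.2 10.0.0.2 netmask 255.255.255.255"

# static (real_if,mapped_if) mapped_ip real_ip netmask mask; tolerant of stray spaces
STATIC_RE = re.compile(
    r"^static\s*\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s*(\S+)\s+(\S+)\s+netmask\s+(\S+)",
    re.IGNORECASE)

def parse_statics(config):
    """Return one (real_if, mapped_if, mapped_ip, real_ip, mask) tuple per static line."""
    rows = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
            rows.append((real_if.lower(), mapped_if.lower(), mapped_ip, real_ip, mask))
    return rows

def address_seen_from(statics, real_ip, iface):
    """Address that hosts behind `iface` use to reach `real_ip` (assumption: a host-mask
    static for that mapped interface is bidirectional and fixes the identity; with no
    static the real address is used, since dynamic nat/global only rewrites the source)."""
    for _, mapped_if, mapped_ip, rip, mask in statics:
        if mapped_if == iface.lower() and rip == real_ip and mask == "255.255.255.255":
            return mapped_ip
    return real_ip

def shared_mapped_addresses(statics):
    """Mapped addresses claimed on more than one interface (the overlap Victor objected to).
    Returns {mapped_ip: sorted list of interfaces}."""
    seen = {}
    for _, mapped_if, mapped_ip, _, _ in statics:
        seen.setdefault(mapped_ip, set()).add(mapped_if)
    return {ip: sorted(ifs) for ip, ifs in seen.items() if len(ifs) > 1}

if __name__ == "__main__":
    s = parse_statics(THREAD_CONFIG)
    print("Inside reaches 10.0.0.2 at:", address_seen_from(s, "10.0.0.2", "Inside"))
    print("Mapped addresses on several interfaces:", shared_mapped_addresses(s))
    s2 = parse_statics(IDENTITY_STATIC)
    print("With identity static:", address_seen_from(s2, "10.0.0.2", "Inside"))
```

With the thread's two statics the script reports that Inside must use 212.0.0.2 for the DMZ host, matching the poster's observation that 10.0.0.2 stopped working; with the identity static it reports 10.0.0.2.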
