NAT pool for accessing DMZ

jstabl
Level 1

I am trying to figure out why I would need a NAT pool for local users accessing the DMZ. Currently I am in the midst of migrating from PIX 515e to ASA 5510 and I'm reviewing my configs. I have the following line in my PIX:

global (dmz) 10 10.1.4.50-10.1.4.99

And when I look at logs on servers on the DMZ, users that are coming from the 10.1.1.x/24 network are being assigned a random IP from that 10.1.4.50-99 block. I would rather not do this if I don't need to.

Any ideas or suggestions?

7 Replies

andrew.prince
Level 10

You may be filtering on the servers in the DMZ which IP addresses can access certain services on the DMZ servers?

You will see another config line - something like:

nat (inside) 10 - blah blah ?

If you remove this - the inside IP addresses will no longer be NATed.

BEFORE you remove anything - check with your server admins to see if there is a specific reason why you would NAT from the Inside to the DMZ.

HTH

Hmm. Ok I have the following.

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

Here is the ACL that corresponds to the NAT line:

access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.1.3.0 255.255.255.0 10.1.5.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.1.5.0 255.255.255.0 10.1.5.0 255.255.255.0

OK - you have supplied the no NAT? What is the IP range of the DMZ?

Marwan ALshawi
VIP Alumni

You can make one-to-one NATing between the two interfaces, because NAT control requires NATing between interfaces,

or you can make a NAT exemption between both interfaces.

For example:

static (inside,DMZ) 10.10.4.0 192.168.1.0 netmask 255.255.255.0

assuming the inside network is 192.168.1.0/24

access-list 100 permit ip 10.10.4.0 255.255.255.0 192.168.1.0 255.255.255.0

access-group 100 in interface DMZ

or

make it like:

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.4.0 255.255.255.0

access-list 101 permit ip 10.10.4.0 255.255.255.0 192.168.1.0 255.255.255.0

then make a NAT exemption:

nat (inside) 0 access-list 100

nat (dmz) 0 access-list 101

access-group 101 in interface DMZ

Good luck.

If helpful, rate.

My DMZ IP is 10.1.4.0/24.

access-list dmz_access_in permit tcp 10.1.4.0 255.255.255.0 host 10.1.4.21

access-list dmz_access_in permit udp 10.1.4.0 255.255.255.0 host 10.1.4.21 eq domain

access-list dmz_access_in permit tcp 10.1.4.0 255.255.255.0 host 10.1.4.25

access-list dmz_access_in permit udp 10.1.4.0 255.255.255.0 host 10.1.4.25 eq domain

access-list dmz_access_in permit ip 10.1.4.0 255.255.255.0 any

access-list dmz_access_in permit tcp any host 10.1.4.24

access-list dmz_access_in permit udp any host 10.1.4.24

access-list dmz_access_in permit icmp any host 10.1.4.24

access-list dmz_access_in permit ip 10.1.4.0 255.255.255.0 host 10.1.4.32

access-list dmz_access_in permit tcp any host 10.1.4.26 object-group Notes

access-list dmz_access_in permit tcp host win_webserver host 10.1.4.26 eq smtp

Ok, I was doing some thinking and think that I should and could use PAT to access the DMZ. So all traffic from 10.1.x.x going to the DMZ on 10.1.4.x would appear to come from, for example, 10.1.4.254. That would let me know, when I see the address, that it's coming from my inside network.

It's up to you.
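The three options discussed in this thread (leave the dynamic pool, add a nat 0 exemption for inside-to-DMZ traffic, or switch the global to a single PAT address) differ only in which source address the DMZ servers log and filter on. The following is an added example, written for this thread and not Cisco code, that models the PIX 6.x / ASA 8.2 order of operations for flows from inside to dmz using the poster's own lines. The `translate`, `poster_config`, `with_dmz_exemption` and `with_pat` names are this example's assumptions; the pool-address selection (lowest free address) is a simplification, since the real firewall assigns arbitrarily, which is exactly why the poster sees "random" 10.1.4.50-99 addresses in the server logs.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the PIX 6.x / ASA 8.2 NAT order of operations for flows
# leaving "inside" toward "dmz" (added for this thread; not Cisco code). It
# covers only what the thread uses: nat 0 access-list exemption, a nat/global
# dynamic pool, and a single-address PAT global.

IPv4Network = ipaddress.IPv4Network


@dataclass
class AclEntry:
    src: IPv4Network
    dst: IPv4Network


@dataclass
class NatConfig:
    nat0_acl: list            # nat (inside) 0 access-list <acl>
    nat_rules: list           # [(id, IPv4Network)] from nat (inside) <id> <net> <mask>
    globals_dmz: dict         # id -> [IPv4Address]; a single address means PAT
    allocated: dict = field(default_factory=dict)  # real source -> pool address
    next_pat_port: int = 1024


def net(s):
    return ipaddress.ip_network(s)


def acl_matches(acl, src, dst):
    return any(src in e.src and dst in e.dst for e in acl)


def translate(cfg, src, dst):
    """Return (source_ip, source_port) as a DMZ server would log it.
    source_port is None unless PAT rewrote it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. nat 0 access-list (exemption) is evaluated first: address kept as-is
    if acl_matches(cfg.nat0_acl, src, dst):
        return str(src), None
    # 2. first nat (inside) <id> rule whose network contains the source
    for nat_id, rule_net in cfg.nat_rules:
        if src not in rule_net:
            continue
        pool = cfg.globals_dmz.get(nat_id)
        if pool is None:
            raise ValueError(f"nat id {nat_id} has no global (dmz) pool")
        if len(pool) == 1:                      # PAT: one address, unique port
            port, cfg.next_pat_port = cfg.next_pat_port, cfg.next_pat_port + 1
            return str(pool[0]), port
        # Dynamic pool: one pool address per real source, held while in use.
        # The real firewall picks arbitrarily; this model takes the lowest free.
        if src not in cfg.allocated:
            free = [a for a in pool if a not in cfg.allocated.values()]
            if not free:
                raise RuntimeError("global (dmz) pool exhausted")
            cfg.allocated[src] = free[0]
        return str(cfg.allocated[src]), None
    # 3. no rule at all: with nat-control enabled the packet is dropped
    raise ValueError(f"no nat (inside) rule covers {src}")


def poster_config():
    """The original poster's lines: nat 0 exempts only traffic to 10.1.5.0/24,
    nat (inside) 10 0.0.0.0 0.0.0.0 sends everything else to global (dmz) 10."""
    nat0 = [AclEntry(net(f"10.1.{i}.0/24"), net("10.1.5.0/24")) for i in (1, 2, 3, 5)]
    pool = [ipaddress.ip_address("10.1.4.50") + i for i in range(50)]  # .50-.99
    return NatConfig(nat0_acl=nat0, nat_rules=[(10, net("0.0.0.0/0"))],
                     globals_dmz={10: pool})


def with_dmz_exemption():
    """Same config plus a nat 0 entry for 10.1.1.0/24 -> 10.1.4.0/24 (exemption)."""
    cfg = poster_config()
    cfg.nat0_acl.append(AclEntry(net("10.1.1.0/24"), net("10.1.4.0/24")))
    return cfg


def with_pat():
    """Same config with global (dmz) 10 replaced by the single PAT address 10.1.4.254."""
    cfg = poster_config()
    cfg.globals_dmz[10] = [ipaddress.ip_address("10.1.4.254")]
    return cfg


if __name__ == "__main__":
    for name, cfg in (("pool", poster_config()),
                      ("exempt", with_dmz_exemption()),
                      ("pat", with_pat())):
        print(name, translate(cfg, "10.1.1.10", "10.1.4.21"),
              translate(cfg, "10.1.1.11", "10.1.4.21"))
```

Run it and the three rows show the trade-off: with the pool, two inside hosts arrive at 10.1.4.21 as two different 10.1.4.5x addresses; with the exemption they arrive as themselves, so host-based filters and logs on the DMZ servers can key on real inside addresses; with PAT every inside host collapses to 10.1.4.254 and only the port differs, so a DMZ log entry identifies "came from inside" but not which host. Note that the exemption above only covers 10.1.1.0/24, so 10.1.2.x and 10.1.3.x hosts still hit the pool until matching entries are added.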
