Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1639
Views
0
Helpful
2
Replies

Questions Regarding NAT on PIX/ASA

Go to solution
priedman1
Level 1
Level 1

‎04-12-2010 08:23 AM - edited ‎03-11-2019 10:31 AM

Hello Everyone,

I've done a bit of reading on the topic of NAT on the PIX/ASA but still have a few questions that I'm looking for clarification on.

Based on the diagram attached, I'm thinking there are 3 ways to get this working with NAT. There is no need on the PIX/ASA in the diagram to allow the users to access the Internet. The Internet here is used only as a method to establish a LAN-to-LAN IPSec tunnel.


Method 1: no nat-control command. This should exempt ALL traffic from NAT, right?

----------------------------

Method 2: Static command

static (Inside,DMZ) 10.132.1.0 10.132.1.0 netmask 255.255.255.0 0 0
static (Inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.240.0 0 0
static (Inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.240.0 0 0
static (Inside,DMZ) 10.3.3.0 10.3.3.0 netmask 255.255.240.0 0 0

static (DMZ,Inside) 10.132.65.0 10.132.65.0 netmask 255.255.255.0 0 0
static (DMZ,Inside) 10.132.65.0 10.132.65.0 netmask 255.255.255.0 0 0

static (Outside,DMZ) 10.16.1.0 10.16.1.0 255.255.255.0

-------------------------

Method 3: NAT/Global command

nat (Inside) 0 10.132.1.0 255.255.255.0
nat (Inside) 0 10.1.1.0 255.255.255.0
nat (Inside) 0 10.2.2.0 255.255.255.0
nat (Inside) 0 10.3.3.0 255.255.255.0

nat (DMZ) 0 10.132.65.0 255.255.255.0

nat (Outside) 0 10.16.1.0 255.255.255.0

or possibly this could work as well?

nat (Inside) 0 0.0.0.0 0.0.0.0

nat (DMZ) 0 0.0.0.0 0.0.0.0

nat (Outside) 0 0.0.0.0 0.0.0.0

- Do I also need "global" statements like these in order for the "nat" commands to work properly or is that just needed if I was sending traffic to the Internet so the clients could browse websites?

global (Outside) 0 interface
global (DMZ) 0 interface
global (Inside) 0 interface

- For traffic going from an interface with higher security level to a lower one, traffic should be allowed I believe.

- If going from a lower security level to a higher one, I know I need an ACL to permit the traffic.

- Do I also need a static NAT translation?

- Would the "nat (DMZ) 0 10.132.65.0 255.255.255.0" command work to exempt NAT on traffic from the lower security level interface to a higher one or would only the static NAT translation be looked at for this?

- If both "static" and "nat" commands, are the "static" commands looked at first before the "nat" commands?

Thanks for the help!

-Pete

Labels:
Preview file
53 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎04-12-2010 08:27 AM

Hi,

For traffic to flow from lower-security to higher-security interface you need:

STATIC NAT and ACL

If you have NAT-CONTROL disabled, you only need ACL

For traffic to flow from higher-security to lower-security interface you need:

NAT

If you have NAT-CONTROL disabled, you don't need any other commands.

If there's an existing ACL, it should allow the traffic.

NAT order of operation:

1. NAT 0 access-list

2. STATIC NAT/PAT

3. Policy NAT

4. Dynamic NAT/PAT

Federico.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎04-12-2010 08:27 AM

Hi,

For traffic to flow from lower-security to higher-security interface you need:

STATIC NAT and ACL

If you have NAT-CONTROL disabled, you only need ACL

For traffic to flow from higher-security to lower-security interface you need:

NAT

If you have NAT-CONTROL disabled, you don't need any other commands.

If there's an existing ACL, it should allow the traffic.

NAT order of operation:

1. NAT 0 access-list

2. STATIC NAT/PAT

3. Policy NAT

4. Dynamic NAT/PAT

Federico.

0 Helpful

Go to solution
priedman1
Level 1
Level 1
In response to Federico Coto Fajardo

‎04-12-2010 11:00 AM

Thanks for the help Frederico,

This is very helpful.

-Pete

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card