11-14-2013 12:25 PM - edited 03-11-2019 08:05 PM
Running 8.2(2) on an ASA5510
I've created a DMZ using the 172.30.0.0/24 subnet and set up NAT so that I can access the server from the outside. Everything works great.
What do I need to do to allow people behind the INSIDE interface to get to the server in the DMZ using its non-public IP (172.30.0.x)?
The ASA is the default route on the internal router so inside traffic for that subnet gets routed to the ASA.
Here is a packet tracer. Looking at Phase 7 it looks like my basic outbound NAT statement is catching the traffic rather than sending it to the directly connected 172.30.0.0/24 network. Do I need to make an ACL matching all traffic to 172.30.0.0/24 and make a nonat for that traffic?
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.30.0.0 255.255.255.0 DMZ
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 10.200.0.0 255.255.0.0
nat-control
match ip inside 10.200.0.0 255.255.0.0 DMZ any
dynamic translation to pool 1 (No matching global)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
11-14-2013 01:05 PM
Hello,
If you are trying to go from the inside to the DMZ, you will need to set the global (DMZ), as there is no matching global for the nat (inside) 1 0 0.
The global (DMZ) has nothing to do with the NAT rule related to inside/DMZ to outside.
Note: There are no stupid questions, all of us are here to keep learning.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-14-2013 12:54 PM
global (DMZ) 1 interface
11-14-2013 12:59 PM
I apologize if I sound stupid asking this, but wouldn't that simply allow hosts behind the DMZ interface access to the internet through the outside interface?
11-14-2013 01:08 PM
Look at this with me:
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 10.200.0.0 255.255.0.0
nat-control
match ip inside 10.200.0.0 255.255.0.0 DMZ any
dynamic translation to pool 1 (No matching global)
translate_hits = 1, untranslate_hits = 0
Additional Information:
When you configure the command above, it obligates you to configure a PAT address with the global command and the matching ID number so that translation occurs. If you don't configure the global statement on the DMZ, it will post a syslog message indicating "no translation group found".
Traffic flow is from inside to DMZ, not to outside; otherwise I would have put "global (outside) 1 interface".
The other option is to configure NAT exemption or static NAT, so you don't need to configure the global command.
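The three fixes discussed in this thread side by side, as an added ASA 8.2 configuration example that is not from the original posts. It assumes the existing `global (outside) 1 interface` the poster already has for outbound NAT; the ACL name and the host/port values in the packet-tracer line are constructed placeholders.

```cisco
! Existing rule from the question (inside -> any, pool 1). With nat-control
! enabled, an inside host MUST match a translation toward the egress
! interface or the packet is dropped, which is the Phase 7 drop shown above.
nat (inside) 1 10.200.0.0 255.255.0.0
global (outside) 1 interface
nat-control

! Option A (the accepted answer): give pool 1 a global on the DMZ side.
! Inside hosts are PAT'd to the DMZ interface address, so the DMZ server
! sees every inside client as one source IP. Per-host logging and any
! DMZ-side ACLs keyed on inside addresses stop being meaningful.
global (DMZ) 1 interface

! Option B: NAT exemption (nat 0 with an ACL). Exemption is evaluated before
! dynamic NAT, so inside hosts reach the DMZ with their real 10.200.x.x
! source and the DMZ server's logs still identify individual hosts.
! "inside_nat0_outbound" is an assumed example name.
access-list inside_nat0_outbound extended permit ip 10.200.0.0 255.255.0.0 172.30.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Option C: static identity NAT, same effect as B without an ACL.
! Use B or C for the subnet, not both.
static (inside,DMZ) 10.200.0.0 10.200.0.0 netmask 255.255.0.0

! Verify with the same packet-tracer as the question (constructed host and
! port values): the NAT phase should now show a translation instead of
! "No matching global".
packet-tracer input inside tcp 10.200.1.10 12345 172.30.0.10 21
```

Options B and C keep the real inside source address visible to the DMZ server, which is what you want when the server's access logs or host firewall are part of your monitoring.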