386 Views, 0 Helpful, 4 Replies

Setting up INSIDE > DMZ connections

kylebrogers (Level 4)

Running 8.2(2) on an ASA5510

I've created a DMZ using the 172.30.0.0/24 subnet and set up NAT so that I can access the server from the outside.  Everything works great. 

What do I need to do to allow people behind the INSIDE interface to get to the server in the DMZ using its non-public IP (172.30.0.x)?

The ASA is the default route on the internal router so inside traffic for that subnet gets routed to the ASA.

Here is a packet tracer.  Looking at Phase 7 it looks like my basic outbound NAT statement is catching the traffic rather than sending it to the directly connected 172.30.0.0/24 network.   Do I need to make an ACL matching all traffic to 172.30.0.0/24 and make a nonat for that traffic?

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.30.0.0      255.255.255.0   DMZ

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 10.200.0.0 255.255.0.0
nat-control
  match ip inside 10.200.0.0 255.255.0.0 DMZ any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


4 Replies

jumora (Level 7)

global (DMZ) 1 interface

Value our effort and rate the assistance!

I apologize if I sound stupid asking this, but wouldn't that simply allow hosts behind the DMZ interface access to the internet through the outside interface?

Hello,

If you are trying to go from the Inside to DMZ you will need to set the global DMZ, as there is no matching global for the nat (inside) 1 0 0.

The global DMZ has nothing to do with the NAT rule related to Inside, DMZ to outside.

Note: There are no stupid questions, all of us are here to keep learning.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Look at this with me:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 10.200.0.0 255.255.0.0
nat-control
  match ip inside 10.200.0.0 255.255.0.0 DMZ any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:

When you configure the next command, it obligates you to configure a PAT address with the global command and the matching ID number so that translation occurs; if you don't configure the global statement on the DMZ, it will post a syslog message indicating "no translation group found".

Traffic flow is from inside to DMZ, not to outside; otherwise I would have put "global (outside) 1 interface".

The other option is to configure NAT exemption or static NAT so you don't need to configure the global command.

Value our effort and rate the assistance!
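The three choices jumora lists, written out as an added ASA 8.2 configuration example (not from the thread) using the inside and DMZ subnets shown in the packet-tracer output; the `global (outside) 1 interface` line, the ACL name `inside_nat0_outbound`, and the host addresses in the packet-tracer check are assumptions.

```cisco
! Added example, not part of the original thread. Pick ONE of options A-C.
! Inside is 10.200.0.0/16, DMZ is 172.30.0.0/24 (from the packet-tracer output).

! Existing outbound rule from the thread; the global (outside) line is assumed.
nat (inside) 1 10.200.0.0 255.255.0.0
global (outside) 1 interface

! Option A (the accepted answer): PAT inside hosts behind the DMZ interface
! address. The DMZ server then logs the ASA's DMZ IP, not the real inside host,
! which makes source attribution in server logs harder.
global (DMZ) 1 interface

! Option B: NAT exemption. Inside addresses reach the DMZ untranslated, so
! server logs and any DMZ-side ACLs still see the real 10.200.x.x source.
! nat 0 access-list is evaluated before the dynamic nat 1 rule, so the
! inside -> DMZ flow no longer needs a global on DMZ.
access-list inside_nat0_outbound extended permit ip 10.200.0.0 255.255.0.0 172.30.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Option C: identity static NAT. Same untranslated result as B, but it also
! creates a translation usable from the DMZ side, so DMZ -> inside traffic is
! then governed only by the access-list applied to the DMZ interface.
static (inside,DMZ) 10.200.0.0 10.200.0.0 netmask 255.255.0.0

! Verification (host addresses are placeholders): the NAT phase should now
! show a translation instead of "No matching global", and Action: allow.
packet-tracer input inside tcp 10.200.0.10 12345 172.30.0.5 80
```

With options B or C, keep the DMZ interface access-list restrictive, since the untranslated inside addresses become routable targets from the DMZ if that ACL permits them.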