Cisco Support Community
New Member

Setting up INSIDE > DMZ connections

Running 8.2(2) on an ASA5510

I've created a DMZ using the 172.30.0.0/24 subnet and set up NAT so that I can access the server from the outside.  Everything works great. 

What do I need to do to allow people behind the INSIDE interface to get to the server in the DMZ using its non-public IP (172.30.0.x)?

The ASA is the default route on the internal router so inside traffic for that subnet gets routed to the ASA.

Here is a packet tracer. Looking at Phase 7 it looks like my basic outbound NAT statement is catching the traffic rather than sending it to the directly connected 172.30.0.0/24 network. Do I need to make an ACL matching all traffic to 172.30.0.0/24 and make a nonat for that traffic?

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.30.0.0      255.255.255.0   DMZ

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 10.200.0.0 255.255.0.0
nat-control
  match ip inside 10.200.0.0 255.255.0.0 DMZ any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

2 ACCEPTED SOLUTIONS

Accepted Solutions
Silver

Setting up INSIDE > DMZ connections

global (DMZ) 1 interface

Value our effort and rate the assistance!

Setting up INSIDE > DMZ connections

Hello,

If you are trying to go from the Inside to DMZ you will need to set the global DMZ as there is no matching global for the nat (inside) 1 0 0 .

The global DMZ has nothing to do with the NAT rule related to INside, DMZ to outside.

Note: There are no stupid questions, all of us are here to keep learning.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
4 REPLIES
Silver

Setting up INSIDE > DMZ connections

global (DMZ) 1 interface

Value our effort and rate the assistance!
New Member

Setting up INSIDE > DMZ connections

I apologize if I sound stupid asking this, but wouldn't that simply allow hosts behind the DMZ interface access to the internet through the outside interface?

Setting up INSIDE > DMZ connections

Hello,

If you are trying to go from the Inside to DMZ you will need to set the global DMZ, as there is no matching global for the nat (inside) 1 0 0.

The global DMZ has nothing to do with the NAT rule related to Inside, DMZ to outside.

Note: There are no stupid questions, all of us are here to keep learning.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Silver

Setting up INSIDE > DMZ connections

Look at this with me:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 10.200.0.0 255.255.0.0
nat-control
  match ip inside 10.200.0.0 255.255.0.0 DMZ any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:

When you configure the next command, it obligates you to configure a PAT address with the global command and the matching ID number so that translation occurs; if you don't configure the global statement on the DMZ, it will post a syslog message indicating "no translation group found".

Traffic flow is from inside to DMZ, not to outside; otherwise I would have put "global (outside) 1 interface".

The other option is to configure NAT exemption or static NAT, so you don't need to configure the global command.

Value our effort and rate the assistance!
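As an added illustration (not part of this thread and not Cisco code), the following Python model of the ASA 8.2 outbound NAT lookup order reproduces the Phase 7 drop from the packet-tracer above and shows what each of the three fixes discussed (global on DMZ, NAT exemption, static NAT) does to the inside-to-DMZ flow, and why a global on DMZ does not give DMZ hosts a path to the outside. The interface addresses 172.30.0.1 and 203.0.113.2, the ACL name inside_nat0_outbound and the sample hosts are assumed placeholders.

```python
from ipaddress import ip_address, ip_network

def in_net(ip, net, mask):
    return ip_address(ip) in ip_network(f"{net}/{mask}", strict=False)

def nat_lookup(cfg, src_if, src, dst_if, dst):
    """Simplified ASA 8.2 NAT lookup for one flow: NAT exemption, then static,
    then dynamic nat/global.  With nat-control on, a nat rule with no global on
    the egress interface, or no rule at all, drops the flow (Phase 7 DROP)."""
    # 1. nat (src_if) 0 access-list <acl>  -> exempt, source passes untranslated
    for real, rmask, peer, pmask in cfg["nat0"].get(src_if, []):
        if in_net(src, real, rmask) and in_net(dst, peer, pmask):
            return ("exempt", src)
    # 2. static (src_if,dst_if) <mapped> <real> netmask <mask>
    for mapped, real, mask in cfg["static"].get((src_if, dst_if), []):
        if in_net(src, real, mask):
            offset = int(ip_address(src)) - int(ip_address(real))
            return ("static", str(ip_address(mapped) + offset))
    # 3. nat (src_if) <id> <real> <mask>  needs  global (dst_if) <id> ...
    for nat_id, real, mask in cfg["nat"].get(src_if, []):
        if in_net(src, real, mask):
            pool = cfg["global"].get((dst_if, nat_id))
            if pool is None:
                return ("drop", "No matching global")   # nat-control drop
            return ("dynamic", pool)
    if cfg["nat_control"]:
        return ("drop", "No translation group found")   # syslog 305005 wording
    return ("untranslated", src)

# Constructed from the thread's config; interface addresses are assumed placeholders.
DMZ_IF_IP, OUTSIDE_IF_IP = "172.30.0.1", "203.0.113.2"
BASE = {
    "nat_control": True,                                    # nat-control
    "nat": {"inside": [(1, "10.200.0.0", "255.255.0.0")]},  # nat (inside) 1 10.200.0.0 255.255.0.0
    "global": {("outside", 1): OUTSIDE_IF_IP},              # global (outside) 1 interface
    "static": {}, "nat0": {},
}
# Fix A: global (DMZ) 1 interface  -> PAT inside hosts to the DMZ interface IP
FIX_GLOBAL_DMZ = {**BASE, "global": {**BASE["global"], ("DMZ", 1): DMZ_IF_IP}}
# Fix B: access-list inside_nat0_outbound extended permit ip 10.200.0.0 255.255.0.0 172.30.0.0 255.255.255.0
#        nat (inside) 0 access-list inside_nat0_outbound  -> NAT exemption
FIX_NAT0 = {**BASE, "nat0": {"inside": [("10.200.0.0", "255.255.0.0", "172.30.0.0", "255.255.255.0")]}}
# Fix C: static (inside,DMZ) 10.200.0.0 10.200.0.0 netmask 255.255.0.0  -> identity static NAT
FIX_STATIC = {**BASE, "static": {("inside", "DMZ"): [("10.200.0.0", "10.200.0.0", "255.255.0.0")]}}

if __name__ == "__main__":
    for name, cfg in [("as posted", BASE), ("global DMZ", FIX_GLOBAL_DMZ), ("nat 0", FIX_NAT0), ("static", FIX_STATIC)]:
        print(f"{name:>10}: inside->DMZ {nat_lookup(cfg, 'inside', '10.200.1.10', 'DMZ', '172.30.0.5')}")
    print("DMZ->outside with fix A:", nat_lookup(FIX_GLOBAL_DMZ, "DMZ", "172.30.0.5", "outside", "198.51.100.7"))
```

The last line of output answers the question raised mid-thread: with only global (DMZ) 1 added, a DMZ host still has no nat (DMZ) rule, so nat-control drops it on the way to the outside.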