Static NAT dmz to inside

Hi,

I have a ASA with Inside (10.1.1.1/24) & DMZ (10.2.2.1/24) Interfaces.

I need to access one of server in DMZ (10.2.2.10) from Inside using NAT.

I have following NAT command entered

static (dmz,inside)10.1.1.10 10.2.2.10

Is this syntax correct? If yes, how is it different from the following command?

static (inside,dmz) 10.2.2.10 10.1.1.10

Static NAT dmz to inside

Hi Shivaji,

There is nothing wrong with either of the two commands. It depends on what you are trying to do:

static (real_interface,nated_interface) translation_ip translated_ip

In the first case :

static (dmz,inside)10.1.1.10 10.2.2.10

The host that will be translated is in the DMZ and has the IP 10.2.2.10. It will be translated on the INSIDE as 10.1.1.10.

The second case :

static (inside,dmz) 10.2.2.10 10.1.1.10

The host that will be translated is in the INSIDE and has the IP 10.1.1.10. It will be translated on the DMZ as 10.2.2.10.

Dan

Static NAT dmz to inside

Hi Dan ,

Thanks,

Is there any restriction, e.g. that real_interface should be of a higher security level than nated_interface?

Static NAT dmz to inside

Hi ,

My pleasure.

There is no restriction regarding the real_interface.

But depending on your software version there is a requirement. In some versions it is called NAT-CONTROL.

NAT-CONTROL requires that traffic from a higher security level to a lower security level be source NATed in order to be permitted; likewise, traffic from a lower to a higher security level should have its destination translated. Historically speaking, on the PIX this requirement could not be disabled and you had to do identity NAT. nat-control appeared in software version 7.x and has since disappeared, so if you are using an 8.4 software version, nat-control is not present.

Dan

Re: Static NAT dmz to inside

Hello,

static (dmz,inside)10.1.1.10 10.2.2.10

When a packet with destination IP 10.1.1.10 reaches the inside interface of the ASA, it is redirected to 10.2.2.10 on the DMZ.

static (inside,dmz) 10.2.2.10 10.1.1.10

When a packet with destination IP 10.2.2.10 hits the DMZ, it is redirected to 10.1.1.10 on the inside.

Thanks & Regards

Mohammed Imran

Static NAT dmz to inside

Hi Mohammed,

My understanding of static NAT is that it is bidirectional, so it does not matter where the packet was received.

Are you saying that this is not the case?

Dan

Static NAT dmz to inside

Dan,

It's kind of the case. Basically one method translates (presents) the source IP and the other the destination IP.

jon.marshall explains it here:

https://supportforums.cisco.com/thread/239441

ryan

Re: Static NAT dmz to inside

Hi Ryan ,

Thank you for the link.

My post was directed at the fact that static NAT does not change only the DESTINATION.

As you can see in my last post, static NAT is bidirectional. This means that, taking for example

static (dmz,inside)10.1.1.10 10.2.2.10

- if the traffic was initiated from the DMZ, it changes the SOURCE.

- if the traffic was initiated from the INSIDE, it changes the DESTINATION.

So static NAT translates either the source OR the destination, depending on where the packet was initiated.

Dan
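To make the bidirectional behaviour discussed in this thread concrete, here is an added Python model (not from the thread, not Cisco code) of how a pre-8.3 `static (real_if,mapped_if) mapped_ip real_ip` line rewrites a packet depending on the interface it arrives on. The interface names and packet addresses are constructed for illustration; routing, ACLs and the other NAT rules on a real ASA are deliberately left out.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    """One pre-8.3 static NAT rule: static (real_if,mapped_if) mapped_ip real_ip."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str


def parse_static(cmd: str) -> StaticNat:
    """Parse a pre-8.3 'static' line (constructed parser, not the ASA grammar)."""
    m = re.fullmatch(r"static\s*\((\w+),(\w+)\)\s*(\S+)\s+(\S+)", cmd.strip())
    if not m:
        raise ValueError(f"unrecognised static command: {cmd!r}")
    return StaticNat(*m.groups())


def translate(rule: StaticNat, ingress_if: str, src: str, dst: str):
    """Apply one rule to a packet arriving on ingress_if with the given addresses.

    Returns a dict with the post-NAT addresses and which field was rewritten,
    or None when the rule does not apply to this packet.
    """
    if ingress_if == rule.real_if and src == rule.real_ip:
        # Initiated from the real side: the SOURCE is presented as mapped_ip.
        return {"src": rule.mapped_ip, "dst": dst, "changed": "source"}
    if ingress_if == rule.mapped_if and dst == rule.mapped_ip:
        # Initiated from the mapped side: the DESTINATION is untranslated to real_ip.
        return {"src": src, "dst": rule.real_ip, "changed": "destination"}
    return None


if __name__ == "__main__":
    # The two commands from the original question, applied to constructed packets.
    dmz_rule = parse_static("static (dmz,inside)10.1.1.10 10.2.2.10")
    print(translate(dmz_rule, "inside", "10.1.1.50", "10.1.1.10"))  # inside -> DMZ server
    print(translate(dmz_rule, "dmz", "10.2.2.10", "10.1.1.50"))     # DMZ server -> inside
    inside_rule = parse_static("static (inside,dmz) 10.2.2.10 10.1.1.10")
    print(translate(inside_rule, "inside", "10.1.1.10", "10.2.2.20"))  # inside host -> DMZ
```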
