07-15-2010 12:16 PM - edited 03-11-2019 11:12 AM
Using an ASA5500, I have the following allowing the outside to access servers on the dmz:
static (dmz,outside) 9.9.9.2 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) 9.9.9.3 192.168.1.3 netmask 255.255.255.255
static (dmz,outside) 9.9.9.4 192.168.1.4 netmask 255.255.255.255
!
access-list incoming_outside extended permit tcp any host 9.9.9.2 eq www
access-list incoming_outside extended permit tcp any host 9.9.9.3 eq https
access-list incoming_outside extended permit tcp any host 9.9.9.4 eq www
!
access-group incoming_outside in interface outside
So the outside can access the public address on the respective ports, and that works ok.
However, we also want to allow DMZ servers to access the Internet, so we have the following:
nat (dmz) 2 192.168.1.0 255.255.255.0
global (outside) 2 9.9.9.100
But the question is, when dmz servers access the internet should they be pat'ed to their static translation IP address or to global 2?
For example, if 192.168.1.2 is to access the internet, should it be pat'ed to 9.9.9.2 or 9.9.9.100?
I think the issue we are facing is that it goes out as one public IP and comes back as another public IP which could be the reason dmz cannot get to the internet.
07-15-2010 01:32 PM
Ron,
The order-of-operations of NAT is as below:
1.) nat 0 access-list (nat-exempt)
2.) existing translations
3.) match static commands (first match)
- static NAT with and without access-list
- static PAT with and without access-list
4.) Match NAT commands
- nat
- nat
With that being said, if a DMZ host 192.168.1.2 does NOT belong to the nat-exempt access-list rule or have an existing translation, it will go out as 9.9.9.2.
Any syslogs that you can provide (at the debug level) with the error that you are getting are greatly appreciated.
Best Regards,
Kevin
07-15-2010 01:48 PM
Hello,
Are you able to access your servers from the internet? If that is working, then there should not be any issues from the NAT side. I am thinking the issue is with your DNS settings. Are you using a DNS server on the inside interface for address resolution? If yes, do you have rules to allow that communication? Can you try to configure 4.2.2.2 as your DNS server and see if you can browse the internet? Also, if you have any access-list on the DMZ interface, make sure that internet traffic is allowed.
Note: When you go to the internet from DMZ servers, they will take their static translation addresses. If you do not have a static translation, then they will go with the dynamic pool.
Hope this helps.
Regards,
NT
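The two replies above make the same point: on a pre-8.3 ASA a static translation is matched before the dynamic nat/global pool, so a DMZ host with a static leaves as its static address and only hosts without one use global 2. The script below is an added example, not from the thread or from Cisco; it parses the static/nat/global lines in the poster's syntax into a small model and walks Kevin's four-step order of operations to answer "which public address does this DMZ host egress as?". The exempt list, the xlate dictionary and the extra host 192.168.1.50 are constructed inputs; nat 0 exemption is simplified to a source-network check rather than a full access-list match.

```python
import ipaddress
import re

# Constructed sample, copied from the thread's syntax (pre-8.3 ASA NAT).
SAMPLE_CONFIG = """
static (dmz,outside) 9.9.9.2 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) 9.9.9.3 192.168.1.3 netmask 255.255.255.255
static (dmz,outside) 9.9.9.4 192.168.1.4 netmask 255.255.255.255
nat (dmz) 2 192.168.1.0 255.255.255.0
global (outside) 2 9.9.9.100
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\d[\d.]*) (\d[\d.]*)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")


def parse_config(text):
    """Return (statics, nats, globals) parsed from static/nat/global lines."""
    statics, nats, globals_ = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append({
                "real_if": real_if, "mapped_if": mapped_if,
                # strict=False so a /32 host entry parses as a one-address network
                "real": ipaddress.ip_network(f"{real}/{mask}", strict=False),
                "mapped": ipaddress.ip_address(mapped),
            })
            continue
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, net, mask = m.groups()
            nats.append({"iface": iface, "id": int(nat_id),
                         "real": ipaddress.ip_network(f"{net}/{mask}", strict=False)})
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, pool = m.groups()
            globals_[(iface, int(nat_id))] = ipaddress.ip_address(pool)
    return statics, nats, globals_


def egress_address(real_ip, real_if, mapped_if, statics, nats, globals_,
                   xlate=None, exempt=()):
    """Apply the order of operations from the thread and return (rule, mapped_ip).

    xlate: constructed dict of existing translations {real_ip: mapped_ip}.
    exempt: constructed list of source networks standing in for nat 0 access-list.
    """
    ip = ipaddress.ip_address(real_ip)
    # 1. nat 0 access-list: exempt traffic leaves with its real address
    for net in exempt:
        if ip in ipaddress.ip_network(net):
            return ("nat-exempt", str(ip))
    # 2. an existing translation is reused before any rule is evaluated
    if xlate and real_ip in xlate:
        return ("existing xlate", xlate[real_ip])
    # 3. static commands, first match wins; net-to-net statics keep the host offset
    for s in statics:
        if s["real_if"] == real_if and s["mapped_if"] == mapped_if and ip in s["real"]:
            offset = int(ip) - int(s["real"].network_address)
            return ("static", str(s["mapped"] + offset))
    # 4. nat/global pair, matched by nat id on the egress interface
    for n in nats:
        if n["iface"] == real_if and ip in n["real"]:
            pool = globals_.get((mapped_if, n["id"]))
            if pool is not None:
                return ("dynamic PAT", str(pool))
    return ("no translation", None)


def decide(config_text, real_ip, xlate=None, exempt=()):
    """Convenience wrapper: parse once, then resolve a DMZ host going to outside."""
    statics, nats, globals_ = parse_config(config_text)
    return egress_address(real_ip, "dmz", "outside", statics, nats, globals_,
                          xlate=xlate, exempt=exempt)


if __name__ == "__main__":
    # The poster's question: 192.168.1.2 goes out as its static, not global 2.
    for host in ("192.168.1.2", "192.168.1.50"):
        print(host, "->", decide(SAMPLE_CONFIG, host))
```

Running it prints the static address 9.9.9.2 for the first host and the pool address 9.9.9.100 for 192.168.1.50, which has no static; passing an exempt network or a pre-existing xlate shows steps 1 and 2 taking precedence over both. A useful check against a live box is to compare this output with `show xlate` for the host in question, since a stale existing translation (step 2) can explain a return path that does not match the configured rules.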