Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
418
Views
0
Helpful
2
Replies

static nats and dmz access to the internet

ronshuster
Level 1
Level 1

‎07-15-2010 12:16 PM - edited ‎03-11-2019 11:12 AM

Using an ASA5500, I have the following allowing the outside to access servers on the dmz:

static (dmz,outside) 9.9.9.2 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) 9.9.9.3 192.168.1.3 netmask 255.255.255.255
static (dmz,outside) 9.9.9.4 192.168.1.4 netmask 255.255.255.255

!

access-list incoming_outside extended permit tcp any host 9.9.9.2 eq www

access-list incoming_outside extended permit tcp any host 9.9.9.3 eq https

access-list incoming_outside extended permit tcp any host 9.9.9.4 eq www

!

access-group incoming_outside in interface outside

So the outside can access the public address on the respective ports, and that works ok.

However, we also want to allow DMZ servers to access the Internet, so we have the following:

nat (dmz) 2 192.168.1.0 255.255.255.0

global (outside) 2 9.9.9.100

But the question is, when dmz servers access the internet should they be pat'ed to their static translation IP address or to global 2?

For example, if 192.168.1.2 is to access the internet, should it be pat'ed to 9.9.9.2 or 9.9.9.100

I think the issue we are facing is that it goes out as one public IP and comes back as another public IP which could be the reason dmz cannot get to the internet.

Labels:
0 Helpful
2 Replies 2

Kevin Redmon
Cisco Employee
Cisco Employee

‎07-15-2010 01:32 PM

Ron,

The order-of-operations of NAT is as below:

1.) nat 0 access-list (nat-exempt)

2.) existing translations

3.) match static commands (first match)

- static NAT with and without access-list

- static PAT with and without access-list

4.) Match NAT commands

- nat access-list (first match)

- nat

(best match)

With that being said, if a DMZ host 192.168.1.2 does NOT belong to the nat-exempt access-list rule or have an existing translation, it will go out as the 9.9.9.2.

Any syslogs that you can provide (at the debug level) with the error that you are getting are greatly appreciated.

Best Regards,

Kevin

0 Helpful

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎07-15-2010 01:48 PM

Hello,

Are you able to access your servers from internet? If that is working, then there should not be any issues from the NAT side. I am thinking the issue is with your DNS settings. Are you using DNS server on the inside interface for address resolution? If yes, do you have rules to allow that communication? Can you try to configure 4.2.2.2 as your DNS server and see if you can browse internet? Also, if you have any access-list on the DMZ interface, make sure that internet traffic is allowed.

Note: When you go to internet from DMZ servers, they will take their static translationa addresses. If you do not have a static translation, then they will go with dynamic pool.

Hope this helps.

Regards,

NT

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card