Cisco Support Community
New Member

Transparent DMZ NAT?

Hello, 

I am trying to convert a pre-8.3 config to 9.2, and the configuration on our old firewall makes no sense to me. Would someone explain what is going on here?

Basically the configuration is pretty basic: 1 outside interface and 2 DMZ interfaces, olddmz and newdmz.

interface GigabitEthernet0/0
 description outside
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address x.x.6.243 255.255.255.248 standby x.x.6.244
!
interface GigabitEthernet0/2
 description legacy prod
 speed 1000
 duplex full
 nameif olddmz
 security-level 50
 ip address x.x.9.65 255.255.255.240 standby x.x.9.66
!
interface GigabitEthernet1/1
 description new prod
 speed 1000
 duplex full
 nameif newdmz
 security-level 50
 ip address x.x.33.163 255.255.255.224 standby x.x.33.164

global (outside) 1 x.x.6.245 netmask 255.255.255.248
static (olddmz,outside) x.x.9.64 x.x.9.64 netmask 255.255.255.240
access-group OUTSIDE in interface outside
access-group OLDDMZ in interface olddmz
route outside 0.0.0.0 0.0.0.0 x.x.6.241 1

There are no other NAT-related entries anywhere, and devices on the DMZ interfaces are routed transparently with their DMZ subnet IP addresses to the outside. I also do not see a single mention of newdmz being routed or NATed in any way. How does that work?

How do I achieve this with a post-8.3 configuration? Either I am missing something fundamental, or I do not see a way to NAT an entire subnet to the outside.

nat (olddmz,outside) static X.X.X.X
does not allow me to add the entire subnet. Do I need to manually specify each NAT object?

Thank you

  • Firewalling
2 REPLIES

Hi,

global (outside) 1 x.x.6.245 netmask 255.255.255.248

There should be another statement with the nat command matching the global statement above.

static (olddmz,outside) x.x.9.64 x.x.9.64 netmask 255.255.255.240

This is a static NAT, which is actually a no-NAT kind of configuration.

Please provide the complete configuration and describe what you wanted to do with it, so that I can suggest something for your requirement.

HTH

Regards

Karthik

VIP Green

First off, do you only have public IPs on your olddmz and newdmz networks?  If so, you do not need NAT on your firewall.  Previously, in versions earlier than 8.2, you were required to use NAT to allow traffic through the ASA/PIX; that was removed completely in version 8.4.  So unless you have a private IP address space that should be NATed for internet access, NAT is not needed.

But to answer your question

How do I achieve this with a post-8.3 configuration? Either I am missing something fundamental, or I do not see a way to NAT an entire subnet to the outside.

nat (olddmz,outside) static X.X.X.X

This configuration would translate to the following:

object network IP1
  subnet x.x.9.64 255.255.255.240

object network IP2
  subnet x.x.9.64 255.255.255.240
  nat (olddmz,outside) static IP1

--

Please remember to select a correct answer and rate helpful posts
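Added example, not from the thread and not Cisco's own migration code: a small Python translator that applies the mapping in the answer above to the two legacy line shapes seen in the question (static identity NAT, and a global statement with its matching nat line). The object names (mapped-…, obj-…, pat-…), the RFC 5737 sample addresses, and the extra nat (newdmz) line are all constructed here so that both the identity static case and the global/nat dynamic case are exercised; a global with no matching nat statement, which is the situation in the question, is reported as a warning rather than translated, because on its own it carries no NAT policy.

```python
"""Translate the two pre-8.3 ASA NAT line shapes seen in the thread into
8.3+ object NAT.  Added example, not Cisco's migration code; object names
and all sample addresses (RFC 5737 ranges) are constructed for this demo."""
import ipaddress
import re

STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)$")
GLOBAL_RE = re.compile(
    r"^global \((?P<mapped_if>[\w-]+)\) (?P<id>\d+) (?P<addr>[\d.]+)"
    r"(?: netmask (?P<mask>[\d.]+))?$")
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[\w-]+)\) (?P<id>\d+) (?P<net>[\d.]+) (?P<mask>[\d.]+)$")

# Constructed legacy config: the identity static from the question plus a
# hypothetical 'nat (newdmz) 1 ...' line so the global statement has a partner.
SAMPLE = [
    "global (outside) 1 203.0.113.245 netmask 255.255.255.248",
    "static (olddmz,outside) 198.51.100.64 198.51.100.64 netmask 255.255.255.240",
    "nat (newdmz) 1 192.0.2.0 255.255.255.0",
]


def object_body(addr, mask):
    """Object definition line: 'host A' for a /32 mask, else 'subnet NET MASK'."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if net.prefixlen == 32:
        return f"host {addr}"
    return f"subnet {net.network_address} {net.netmask}"


def translate(old_lines):
    """Return (new_config_lines, warnings) for the given legacy lines."""
    objects = {}          # object name -> body lines (insertion order kept)
    warnings = []
    globals_by_id = {}    # nat id -> (mapped interface, mapped address)
    nat_rules = []        # (nat id, real interface, network, mask)

    for line in old_lines:
        line = line.strip()
        if m := STATIC_RE.match(line):
            # 'static (real,mapped) M R': identity (no-NAT) when M == R,
            # one-to-one to M otherwise.  8.3+ needs a mapped object and a
            # real object either way, exactly like IP1/IP2 in the answer.
            mapped_name, real_name = f"mapped-{m['mapped']}", f"obj-{m['real']}"
            objects.setdefault(mapped_name, [object_body(m['mapped'], m['mask'])])
            objects.setdefault(real_name, [object_body(m['real'], m['mask'])])
            objects[real_name].append(
                f"nat ({m['real_if']},{m['mapped_if']}) static {mapped_name}")
        elif m := GLOBAL_RE.match(line):
            globals_by_id[m['id']] = (m['mapped_if'], m['addr'])
        elif m := NAT_RE.match(line):
            nat_rules.append((m['id'], m['real_if'], m['net'], m['mask']))

    # global + nat sharing an id become a dynamic rule to a host object
    # (a single mapped address, so this is PAT).
    for nat_id, real_if, net, mask in nat_rules:
        if nat_id not in globals_by_id:
            warnings.append(f"nat id {nat_id} has no matching global statement")
            continue
        mapped_if, addr = globals_by_id[nat_id]
        pat_name = f"pat-{addr}"
        objects.setdefault(pat_name, [f"host {addr}"])
        real_name = f"obj-{net}"
        objects.setdefault(real_name, [object_body(net, mask)])
        objects[real_name].append(f"nat ({real_if},{mapped_if}) dynamic {pat_name}")

    # A global with no nat line (the situation in the question) does nothing.
    referenced = {nat_id for nat_id, *_ in nat_rules}
    for gid in globals_by_id:
        if gid not in referenced:
            warnings.append(f"global id {gid} has no matching nat statement")

    out = []
    for name, body in objects.items():
        out.append(f"object network {name}")
        out.extend(f" {b}" for b in body)
    return out, warnings


if __name__ == "__main__":
    lines, warns = translate(SAMPLE)
    print("\n".join(lines))
    for w in warns:
        print("! WARNING:", w)
```

For the identity static line the output has the same shape as the IP1/IP2 pair in the answer: a mapped object and a real object with the identical subnet, with the real object carrying the nat line. It covers only the two line shapes shown in the question, not the full pre-8.3 NAT grammar (nat 0, policy NAT, port statics), so the result should be compared with the running config before it is applied.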
