254 Views | 0 Helpful | 2 Replies

Use same PAT pool on different Interfaces

maher
Level 1

Hi,

I have an ASA 5500 running IOS 7.0. I am using three interfaces INSIDE, OUTSIDE and DMZ. INSIDE users (10.10.10.x) get PAT'd to the 12.12.12.12 address when going from the INSIDE to the OUTSIDE.

Can I use the same address (12.12.12.12) to PAT the INSIDE users when going to the DMZ?

Thank you,

Maher

2 Replies

jackko
Level 7

It's a little bit unusual, but I don't see why it wouldn't work.

I said a little bit unusual because 12.12.12.12 is usually a public IP; however, traffic between inside and DMZ is sort of private, thus no public IP is needed.

Just wondering what exactly you are trying to achieve here.

Thanks for your answer.

Here is the setup:

The INSIDE network uses 10.10.10.x and gets PAT'd to a public address when going to the Internet through the OUTSIDE interface.

The DMZ network uses another private network, 10.10.20.x, and gets PAT'd to the same public IP address (12.12.12.12) when accessing the Internet through the OUTSIDE interface.

There is no NAT/PAT set up at the moment when the INSIDE accesses the DMZ or vice versa.

Here is the Dilemma:

With the current setup, we are having a problem getting from the INSIDE network to applications on our web server in the DMZ that use an Outside PIN authentication service (Outside means on the Internet).

The way that PIN works is that a client from the INSIDE network goes to the web app, and then gets redirected to the OUTSIDE PIN server for authentication. Once authenticated, they are redirected back to the web app with a ticket that includes the authenticated IP address. Our web server compares the authenticated IP address with the original IP address of the client, and denies access if they don't match. The problem is that the ticket contains the outside PAT'd address of the client (12.12.12.12), but the web server is seeing the inside address of the client (10.10.10.x).

I thought if I PAT the inside network when accessing the DMZ to the same 12.12.12.12 address I would be able to overcome the problem, since the web server and the PIN authentication server will see the Inside client as 12.12.12.12. Is there a better way of doing it?

Thanks again,

Maher
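Below is an added configuration example, not taken from the thread or from any reply in it, showing what the proposed change looks like in the ASA 7.0 (pre-8.3) nat/global syntax. It assumes the interface names inside, outside and dmz, the subnets 10.10.10.0/24 and 10.10.20.0/24, and the address 12.12.12.12 from the post; everything else (the nat id, the verification step) is an assumption for illustration.

```cisco
! Added example, not from the original thread. ASA 7.0 / pre-8.3 syntax.
! Interface names, subnets and 12.12.12.12 are taken from the post;
! the nat id 1 is an assumed value.
!
! Existing behaviour described in the post: inside and dmz hosts are
! PAT'd to 12.12.12.12 when they leave through the outside interface.
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 10.10.20.0 255.255.255.0
global (outside) 1 12.12.12.12
!
! Proposed addition: a global entry on the dmz interface using the same
! address. The inside nat id 1 now also matches this pool, so inside -> dmz
! connections are PAT'd to 12.12.12.12 and the DMZ web server sees the same
! source address that the Internet-side PIN server wrote into the ticket.
global (dmz) 1 12.12.12.12
!
! Verification (assumed check): after an inside client opens a connection
! to the DMZ web server, list the translations and confirm an entry that
! maps a 10.10.10.x local address to the 12.12.12.12 global address on dmz.
! show xlate
```

Two practitioner caveats on the page's own topic: the DMZ server must reach 12.12.12.12 through its default gateway on the ASA dmz interface for the return traffic to be translated back, and once this is in place the web server's own logs will attribute every inside client to 12.12.12.12. The ASA translation table (and its syslog, if enabled) then becomes the only record that maps a given DMZ connection back to the real 10.10.10.x host, so keep that logging if per-client attribution on the web app matters to you.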