cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1330
Views
0
Helpful
8
Replies

NAT and Global Statement on outside inetrface on CISCO ASA

Venkatesha Bhat
Level 1
Level 1

Hello,

I have situation wher all the traffic to the DMZ is PATd and now works as long as users are on Inside lan. Now we want have users connectiong to RA VPN  which Terminates on the Same firewall outside interface access the DMZ.

At present we have

NAT(Inside) 100 1.1.1.1

Global (DMZ1) 100  10.10.10.10  and this works fine.

now we want users on RA VPN IP range 11.11.11.1x  connect to DMZ Hosts.

At present we have Global (Outside) 1 2.2.2.2

what is the best way to allow access 11.11.11.1x range to DMZ1 with all these traffic PATd to 10,10.10.10.

will NAT (Outside) 100 11.11.11.1x work? 

We are running IOS 7.2.3 on CIsoc ASA

Thanks and regards,

Venky

8 Replies 8

Hi,

The DMZ is 10.10.10.x

To allow RA VPN clients to connect to the DMZ network you can do the following:

access-list nonat_DMZ permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0

nat (DMZ) 0 access-list nonat_DMZ

In this way, traffic from the VPN clients (11.11.11.x) can access the DMZ (10.10.10.x) without NAT.

And you forget about the nat (outside)...

Note:

You should include the DMZ network in the split-tunneling for the VPN clients (in case using split-tunneling)

Federico.

Hi Federico,

Thanks!  for the response.


But, if I do NAT 0, VPN Clients IP 11.11.11.x doesnot get PATd to 10.10.10.10.  I want to achive NAT for all the Traffic from RA VPN CLient to Global (DMZ1) 100 10.10.10.10

Regards,


Venky

Hello Venky,

What Federico suggested is correct in that it will allow DMZ traffic to VPN

clients. If you wish to NAT VPN clients also to 10.10.10.10, then do the

following in addition to what Federico suggested:

Nat (inside) 100 11.11.11.0 255.255.255.0

Since VPN traffic is treated as internal traffic, you apply the rule to

inside interface.

Hope this helps.

Regards,

NT

Hi,

I tried NAT on Inside Interface and did not help. We dont have nat-control enabled and dont think NAT 0 makes much differece on the DMZ interface. Also, the traffic is intiated from the VPN Client range and not from the DMZ.

Regards,

Venky

Hello,

Did you configure both of the below lines:

Nat (inside) 100 11.11.11.0 255.255.255.0

Nat (DMZ) 0 access-list "acl name"

The first line is needed if you want to use the DMZ interface IP when

communicating with the DMZ servers. Alternatively, you can use the VPN

client IP itself and not worry about the NAT. Please make sure that the DMZ

servers know how to reach 11.11.11.0 subnet (the default gateway should

point to the ASA or the current default gateway should have a route to

11.11.11.0 pointing to the ASA).

The second line is responsible for the return traffic from DMZ to the VPN

clients. Since (I am assuming) you are accessing the DMZ devices with their

own IP address, when the return traffic hits the ASA, we want the ASA to

bypass the outside interface NAT rules. The second line will ensure of that

part.

Hope this helps.

Regards,

NT

Hi Venky,

As mentioned in your original post, all that you will need is a "nat (outside) 100 11.11.11.x 255.255.255.0 outside". The outside keyword at the end is necessary for the NAT to work. You do not need to do NAT exemption. In fact if you have the "nat (dmz) 0 ACL" and the above command, it will cause a conflict and ttraffic will not pass.

Let me know how it goes.

Thanks and Regards,

Prapanch

Hi Prapanch,

I have tried this and when we do the NAT works and the traffic from Inside to Intenret fails for some reason.

Regards,

Venky.

Hi Venky,

I have seen the same bejavior before where enabling outside NAT breaks internet access for inside users. I will suggest you to upgrade your ASA to a more recent code as i see you are running 7.2(3) right now.. maybe to the latest release in 8.0 or 8.2 trail.. It might help us as there are many bug fixes in these releases as compared to the 7.2 trail..

Let me know if this helps!!

Thanks and Regards,

Prapanch

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: