I have the following in place:
internal network IP: 184.108.40.206
Natted to DMZ IP of 220.127.116.11
I require that the internal machine is able to access the internet; however, this is not happening, and when checking the traffic logs I can see that it is down to the NAT rule. However, I require this NAT rule in place, as it allows the authentication servers to communicate with a server in the internal network.
My question is: how can I get the internal IP to browse the internet without removing the NAT rule?
If you are using an ASA pre-8.3 version, then add another global (outside) statement:
global (outside) 1 interface
If you are using a post-8.3 version, then:
object network 18.104.22.168_internal
subnet 22.214.171.124 255.255.255.0
nat (inside,outside) dynamic interface
Hope that helps.
Thank you very much for your reply. I am using 8.2(5).
match ip internal host 126.96.36.199 DMZData any
static translation to 188.8.131.52
I didn't quite understand your second reply? I am quite a newbie, so I do apologise. If the above can be done through ASDM, that would be easier.
Please follow the example below. My internal network is "10.10.10.0/24"; as per the setup below, my internal network will have access to the internet, and if you want to allow any other network, all you have to do is add the other network address as the next entry in the "allownatout" ACL.
global (outside) 1 interface
nat (inside) 1 access-list allownatout
access-list allownatout extended permit ip 10.10.10.0 255.255.255.0 any
"internal network IP: 184.108.40.206 Natted to DMZ IP of 220.127.116.11"
The above two IPs of yours are public IPs; they are not internal private IPs.
They are indeed, but I didn't want to share the internal range. However, I will, as follows:
The DMZ interface points to a Fortigate firewall, which is my external firewall.
Therefore all traffic from the Cisco PIX on the DMZ interface is indeed outside traffic. I have set my external firewall to accept all for now.
I have created an ACL to allow any-to-any IP on the internal network.
However, one of my servers has a NAT rule in place that allows visibility to the DMZ network. Because of this NAT rule it cannot browse the internet; however, it needs it for updates.
It is a static NAT rule:
match ip il2AHdata host 10.0.0.10 192.168.9.1 any
static translation to 192.168.9.9
When I remove this NAT rule the server can access the internet as normal.
These are the current traffic logs:
6|May 01 2012|14:06:13|302013|macserver01|52896|18.104.22.168|80|Built outbound TCP connection 256882 for dmzAHdata:22.214.171.124/80 (126.96.36.199/80) to il2AHdata:macserver01/52896 (192.168.9.9/52896)
6|May 01 2012|14:06:05|302013|macserver01|52865|188.8.131.52|80|Built outbound TCP connection 256879 for dmzAHdata:184.108.40.206/80 (220.127.116.11/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:05:33|302013|macserver01|52865|18.104.22.168|80|Built outbound TCP connection 256853 for dmzAHdata:22.214.171.124/80 (126.96.36.199/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:04:58|302013|macserver01|52865|188.8.131.52|80|Built outbound TCP connection 256821 for dmzAHdata:184.108.40.206/80 (220.127.116.11/80) to il2AHdata:macserver01/52865 (192.168.9.9/52865)
6|May 01 2012|14:04:50|302013|macserver01|52847|18.104.22.168|80|Built outbound TCP connection 256820 for dmzAHdata:22.214.171.124/80 (126.96.36.199/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)
6|May 01 2012|14:04:18|302013|macserver01|52847|188.8.131.52|80|Built outbound TCP connection 256689 for dmzAHdata:184.108.40.206/80 (220.127.116.11/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)
6|May 01 2012|14:03:43|302013|macserver01|52847|18.104.22.168|80|Built outbound TCP connection 256669 for dmzAHdata:22.214.171.124/80 (126.96.36.199/80) to il2AHdata:macserver01/52847 (192.168.9.9/52847)
You can see from the traffic logs that traffic is coming down to the NATted IP and not the real IP, and thus no internet.
Am I missing anything?
"DMZ interfact points to a fortigate firewall which is my external firewall"
"Therefore all traffic from the cisco pix on DMZ interfact is indeed outside traffic, I have set my external fireall to accept all for now"
A DMZ is a perimeter network segment and is still considered an internal segment; however, your external firewall is connected to the DMZ interface of the PIX, and the DMZ perimeter segment has been treated like an outside in order to access the internet cloud.
It is very difficult to analyze and troubleshoot this network.
It's as follows:
Cisco ASA || DMZ || External Firewall
The Cisco has a port connected to the external firewall.
The internal server whose gateway is the Cisco is the only server that cannot access the internet, because of the NAT rule in place.
When I remove the NAT rule it accesses the internet fine.
On the internal IP port on the Cisco I have enabled an any-to-any IP ACL, and the same on the DMZ IP interface.
It seems like traffic is trying to go out to the internet through the NATted IP, but there is no response, as it does not know what to do with the NATted IP, I believe.
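The pre-8.3 NAT rule types that appear in this thread (a static, and a nat/global pair keyed by an access-list) are evaluated in a fixed order of precedence, and that order is what decides which mapped address shows up in parentheses in the 302013 log lines posted above. The Python below is an added example, not Cisco's code and not from any post in the thread; it models that precedence for the thread's own rules. It treats "outside" in the reply as the DMZ interface, since that is where this thread's internet path leaves the firewall, and it assumes a DMZ-facing interface address of 192.0.2.1, a DMZ subnet of 192.168.9.0/24, and the internet and auth-server hosts used in the flows, all of which are constructed placeholders. It tracks addresses only (no ports, no reverse/untranslate lookup).

```python
"""Simulate ASA/PIX pre-8.3 NAT precedence to see which rule a flow hits.

Added example, not the firewall's code and not from the thread. The rules
mirror the thread's static (10.0.0.10 -> 192.168.9.9 toward the DMZ) and the
reply's nat/global pair; interface address, DMZ subnet and remote hosts are
constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Pre-8.3 order of operations, highest precedence first.
PRECEDENCE = {
    "exempt": 0,          # nat (if) 0 access-list ACL
    "static_policy": 1,   # static (real,mapped) M access-list ACL
    "static": 2,          # static (real,mapped) M R netmask ...
    "dynamic_policy": 3,  # nat (real) N access-list ACL + global (mapped) N ...
    "dynamic": 4,         # nat (real) N net mask        + global (mapped) N ...
}


@dataclass(frozen=True)
class Flow:
    in_if: str
    src: str
    out_if: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    name: str
    kind: str
    real_if: str
    mapped_if: str
    src: str                       # real source host/network in CIDR
    dst: str = "0.0.0.0/0"         # destination filter (policy rules only)
    mapped: Optional[str] = None   # mapped host, "interface" for PAT, None for exemption

    def matches(self, flow: Flow) -> bool:
        return (
            flow.in_if == self.real_if
            and flow.out_if == self.mapped_if
            and ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst)
        )


def translate(flow: Flow, rules, if_addrs):
    """Return (rule name, translated source) for the first matching rule in
    precedence order. (None, None) means nothing matched: dropped when
    nat-control is on, forwarded untranslated otherwise."""
    for rule in sorted(rules, key=lambda r: PRECEDENCE[r.kind]):
        if not rule.matches(flow):
            continue
        if rule.kind == "exempt":
            return rule.name, flow.src
        if rule.mapped == "interface":
            return rule.name, if_addrs[rule.mapped_if]
        return rule.name, rule.mapped
    return None, None


IF_ADDRS = {"dmz": "192.0.2.1"}   # constructed: ASA address on the DMZ-facing interface

# The thread's static, as it reads from "show nat": host 10.0.0.10 -> 192.168.9.9 toward the DMZ.
STATIC_AUTH = NatRule("static (inside,dmz) 192.168.9.9 10.0.0.10", "static",
                      "inside", "dmz", "10.0.0.10/32", mapped="192.168.9.9")

# The reply's policy dynamic PAT, with the thread's own range added as the next ACL entry.
PAT_OUT = [
    NatRule("nat (inside) 1 access-list allownatout [10.10.10.0/24]", "dynamic_policy",
            "inside", "dmz", "10.10.10.0/24", mapped="interface"),
    NatRule("nat (inside) 1 access-list allownatout [10.0.0.0/24]", "dynamic_policy",
            "inside", "dmz", "10.0.0.0/24", mapped="interface"),
]

# Generalisation, not from the thread: the same mapping as a policy static whose
# ACL only matches DMZ destinations (assumed DMZ subnet 192.168.9.0/24).
STATIC_AUTH_POLICY = NatRule("static (inside,dmz) 192.168.9.9 access-list auth_to_dmz",
                             "static_policy", "inside", "dmz", "10.0.0.10/32",
                             dst="192.168.9.0/24", mapped="192.168.9.9")

INTERNET = Flow("inside", "10.0.0.10", "dmz", "203.0.113.10")   # constructed update server
DMZ_AUTH = Flow("inside", "10.0.0.10", "dmz", "192.168.9.50")   # constructed auth server
OTHER_HOST = Flow("inside", "10.0.0.20", "dmz", "203.0.113.10")


def run_scenarios():
    return {
        # What the posted logs show: the static beats the nat/global pair for every destination.
        "with_static": translate(INTERNET, [STATIC_AUTH, *PAT_OUT], IF_ADDRS),
        "with_static_dmz": translate(DMZ_AUTH, [STATIC_AUTH, *PAT_OUT], IF_ADDRS),
        "other_host": translate(OTHER_HOST, [STATIC_AUTH, *PAT_OUT], IF_ADDRS),
        # Removing the static lets the host fall through to interface PAT.
        "static_removed": translate(INTERNET, PAT_OUT, IF_ADDRS),
        # Destination-scoped policy static keeps the DMZ mapping and frees internet traffic.
        "policy_static": translate(INTERNET, [STATIC_AUTH_POLICY, *PAT_OUT], IF_ADDRS),
        "policy_static_dmz": translate(DMZ_AUTH, [STATIC_AUTH_POLICY, *PAT_OUT], IF_ADDRS),
    }


if __name__ == "__main__":
    for name, (rule, src) in run_scenarios().items():
        print(f"{name:18} {str(rule):62} src -> {src}")
```

The first scenario returns 192.168.9.9 for any destination, which is the address in parentheses after il2AHdata:macserver01 in the 302013 lines, and "static_removed" is the behaviour the poster sees once the rule is gone. The policy-static scenario is included only to show how the precedence generalises; note that scoping a static by destination also narrows which DMZ sources can reach 192.168.9.9 in the return direction, which matters for the authentication servers the rule exists for.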