Cisco ASA Dynamic NAT with DMZ

Hi Rene,

Do we need to nat from inside to dmz ?

Thanks

Hi Sims,

Below is part of the config and yes, it does require that the LAN is NAT’d to the DMZ_POOL.
You could also use no nat-control, which exempts you from having to do NAT across the ASA’s interfaces.

object network INSIDE_TO_DMZ
subnet 192.168.1.0 255.255.255.0
nat (INSIDE,DMZ) dynamic DMZ_POOL

Hi Sims & Paul,

NAT control was used on ASA versions before 8.3. Basically it meant that when you wanted to go from a high security level to a lower one (for example LAN to DMZ) that it had to be NAT translated.

With ASA 8.3 and higher, NAT control is disabled and unavailable. You don’t have to configure NAT if you want to access the DMZ from your LAN.

Rene

Good to Know thanks Rene

There is no need to configure an access-list ?

No access-list is required since we go from a high security level to a lower security level:

  • INSIDE > OUTSIDE
  • INSIDE > DMZ
  • DMZ > OUTSIDE

Only when you go from a low security level to a higher one, you’ll need an access-list:

  • OUTSIDE > INSIDE
  • OUTSIDE > DMZ
  • DMZ > INSIDE

Rene

Hi. I have a question. In the case of newer ASA versions, ifname does not work per interface. In order to name an interface, I have to create a VLAN and assign it to the interface. Also, NAT was deprecated in newer versions of ASA 9.1. Can you please give some lesson on it?

Thank you.

Hi Andriy,

Which model are you using?

ASA# show version 

Cisco Adaptive Security Appliance Software Version 9.5(1)201
ASA# show run interface GigabitEthernet 0/0
!
interface GigabitEthernet0/0
 description to R1
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 10.0.0.5 255.255.255.252 

It’s still the same here. Same for the NAT commands.

Rene

Hi Rene

As far as I know, by default, the ASA will block all traffic from a lower into a higher area.
In this example, I can’t ping from R1 to 192.168.2.2 and 192.168.3.3 but I can telnet to them.
Why is it?

If we don’t create the access-lists, something like below:

access-list inside-in extended permit ip any any
access-list outside-in extended permit ip any any
access-list dmz-in extended permit ip any any

access-group inside-in in interface INSIDE
access-group outside-in in interface OUTSIDE
access-group dmz-in in interface DMZ

I can’t ping to them!

Thank you!

Hi Rene,

How long does a NAT router keep track of the translation database if the session is turned off from the host end? Suppose inside IP 192.168.1.1 has been translated to IP 192.168.2.166.

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166 flags i idle 0:00:33 timeout 3:00:00

br/zaman

Hi Mohammad,

The timeout in your output is 3 hours. This timer will begin when the last connection has been removed. You can see the current connections with the show conn command. It can take a long time before idle TCP connections get cleaned up, so it’s possible to configure the ASA to kill these after a while.

Rene
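To make the idle/timeout relationship in that output concrete, here is an added parser (not from the lesson or from Cisco) for the show xlate lines quoted in this thread. It joins the wrapped continuation lines, expands the flag letters using the legend the ASA prints, and computes how many seconds a dynamic translation has left before it is removed; a timeout of 0:00:00 is treated as "never expires", which is what the static entries show. The sample output is constructed from the lines quoted in the thread, not captured from a device.

```python
"""Parser for the 'show xlate' output format quoted in this thread (added example).
The sample output is constructed from the thread's quoted lines, not a live capture."""
import re
from typing import Dict, List, Optional, Tuple

# Flag legend exactly as the ASA prints it in the quoted output.
FLAG_LEGEND = {
    "D": "DNS", "e": "extended", "I": "identity", "i": "dynamic",
    "r": "portmap", "s": "static", "T": "twice", "N": "net-to-net",
}

# One entry, after wrapped lines have been re-joined.
ENTRY_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) )?(?P<kind>NAT|PAT) from "
    r"(?P<real_if>[^:\s]+):(?P<real_ip>[\d.]+)(?: (?P<real_ports>\d+-\d+))? to "
    r"(?P<mapped_if>[^:\s]+):(?P<mapped_ip>[\d.]+)(?: (?P<mapped_ports>\d+-\d+))? "
    r"flags (?P<flags>\S+) idle (?P<idle>\d+:\d\d:\d\d) timeout (?P<timeout>\d+:\d\d:\d\d)$"
)

# Constructed sample: the dynamic NAT line and the port-forwarding lines from the thread.
SAMPLE_OUTPUT = """\
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166 flags i idle 0:00:33 timeout 3:00:00
TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80
    flags sr idle 0:02:20 timeout 0:00:00
"""


def hms_to_seconds(value: str) -> int:
    """'3:00:00' -> 10800."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s


def _ports(text: Optional[str]) -> Optional[Tuple[int, int]]:
    if text is None:
        return None
    lo, hi = text.split("-")
    return int(lo), int(hi)


def parse_show_xlate(output: str) -> List[Dict]:
    # The ASA wraps long entries; the wrapped tail starts with 'flags', so glue it back on.
    records: List[str] = []
    for line in output.splitlines():
        if records and line[:1].isspace() and line.strip().startswith("flags"):
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    entries = []
    for rec in records:
        m = ENTRY_RE.match(rec)
        if not m:
            continue  # counters, legend lines, blanks
        idle = hms_to_seconds(m["idle"])
        timeout = hms_to_seconds(m["timeout"])
        entries.append({
            "proto": m["proto"], "kind": m["kind"],
            "real": (m["real_if"], m["real_ip"], _ports(m["real_ports"])),
            "mapped": (m["mapped_if"], m["mapped_ip"], _ports(m["mapped_ports"])),
            "flag_names": [FLAG_LEGEND.get(c, c) for c in m["flags"]],
            "idle": idle, "timeout": timeout,
            # A timeout of 0:00:00 means the entry never ages out (static xlates).
            "remaining": None if timeout == 0 else max(timeout - idle, 0),
        })
    return entries


if __name__ == "__main__":
    for e in parse_show_xlate(SAMPLE_OUTPUT):
        print(e["kind"], e["real"], "->", e["mapped"], e["flag_names"], "remaining:", e["remaining"])
```

Running it on the sample shows the dynamic entry with 10767 seconds left (3 hours minus 33 seconds idle) and the static PAT entry with no expiry, which is the distinction Rene's reply makes.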

Hi net2@net.com,

That’s right, the ASA will block traffic from a lower to a higher security level.

It also blocks ICMP traffic by default. If you want to permit it, you’ll need to add an inspect rule:

ASA(config)# policy-map global_policy
ASA(config-pmap)#  class inspection_default
ASA(config-pmap-c)# inspect icmp

Rene
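The two rules Rene gives in this thread (high to low passes without an access-list, low to high needs one; ICMP replies are only matched to a connection once inspect icmp is on) can be modelled as a small simulation. This is an added example, not ASA code or anything from the lesson: the security levels are those of the lesson's interfaces (the DMZ value of 50 is assumed), and it reproduces net2's observation that telnet from INSIDE to the DMZ works while ping fails, and that either an inbound permit-any access-list or inspect icmp makes the ping succeed.

```python
"""Model of the ASA's implicit interface policy (added example, not ASA code):
high -> low security level passes, low -> high is dropped unless an access-list
permits it, and only inspected protocols get connection state for their replies."""
from dataclasses import dataclass, field
from typing import Set, Tuple

# Security levels of the lesson's interfaces; the DMZ value is assumed.
SECURITY_LEVEL = {"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0}

ConnKey = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_if: str
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    sport: int = 0       # 0 for ICMP
    dport: int = 0
    reply: bool = False  # True for a TCP SYN/ACK or an ICMP echo-reply


@dataclass
class Asa:
    permit_any_in: Set[str] = field(default_factory=set)  # interfaces with an inbound 'permit ip any any'
    inspect_icmp: bool = False                             # 'inspect icmp' in the global policy
    conns: Set[ConnKey] = field(default_factory=set)       # connection table, as in 'show conn'

    @staticmethod
    def needs_access_list(src_if: str, dst_if: str) -> bool:
        """Traffic from a lower security level to a higher one needs an access-list."""
        return SECURITY_LEVEL[src_if] < SECURITY_LEVEL[dst_if]

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A reply belonging to a tracked connection is allowed regardless of security levels.
        if pkt.reply and rev in self.conns:
            return True
        # Otherwise the implicit policy applies: low -> high is dropped unless an ACL permits it.
        if self.needs_access_list(pkt.src_if, pkt.dst_if) and pkt.src_if not in self.permit_any_in:
            return False
        # Permitted new traffic creates state: TCP always, ICMP only when it is inspected.
        if pkt.proto == "tcp" or self.inspect_icmp:
            self.conns.add(fwd)
        return True


def telnet_inside_to_dmz(asa: Asa) -> bool:
    """Telnet from R1 (INSIDE) to R3 (DMZ): SYN out, SYN/ACK back."""
    syn = Packet("INSIDE", "DMZ", "192.168.1.1", "192.168.3.3", "tcp", 40000, 23)
    synack = Packet("DMZ", "INSIDE", "192.168.3.3", "192.168.1.1", "tcp", 23, 40000, reply=True)
    return asa.allow(syn) and asa.allow(synack)


def ping_inside_to_dmz(asa: Asa) -> bool:
    """Ping from R1 (INSIDE) to R3 (DMZ): echo out, echo-reply back."""
    echo = Packet("INSIDE", "DMZ", "192.168.1.1", "192.168.3.3", "icmp")
    echo_reply = Packet("DMZ", "INSIDE", "192.168.3.3", "192.168.1.1", "icmp", reply=True)
    return asa.allow(echo) and asa.allow(echo_reply)


if __name__ == "__main__":
    print("defaults:      telnet", telnet_inside_to_dmz(Asa()), "ping", ping_inside_to_dmz(Asa()))
    print("inspect icmp:  ping", ping_inside_to_dmz(Asa(inspect_icmp=True)))
    print("permit any in: ping", ping_inside_to_dmz(Asa(permit_any_in={"INSIDE", "DMZ", "OUTSIDE"})))
```

The echo request itself is never the problem in this model; it is the echo-reply coming back from the lower security level that has no connection entry to match, so it is evaluated as new low-to-high traffic and dropped.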

Hi Rene

I have the situation quite like your example.
In your example, DMZ zone was assigned public IP, We can access from R1 to R3 (via NAT INSIDE_TO_DMZ) and R2 (via INSIDE_TO_OUTSIDE).
If the DMZ zone is assigned a private IP address and the DMZ needs to be public (it needs a public IP from the outside interface’s range), we use static NAT or port forwarding to point to the real server by its private IP, plus some access-lists on ASA1; then OUTSIDE can access the DMZ.
But how can INSIDE access the DMZ via the public IP?

Thanks

Hi Dinh,

If you want to access your DMZ server from the inside with its public IP address, then you’ll have to configure NAT. This is something I wouldn’t recommend, though…you can use the private IP address to reach the DMZ server from the inside.

To give you an idea, here’s an example where I configure hairpinning for a server on the inside:

Rene

ASA1(config)# object network DMZ_POOL
ASA1(config-network-object)# range 192.168.3.100 192.168.3.100

==== Is this supposed to be 200? Please correct me if I am wrong,

as the translated address is 192.168.3.146

Hi Asi,

That’s right, I just fixed this. Thanks for letting me know!

Rene

Hi Rene,

Bit confused by the show xlate command output.

Dynamic NAT
NAT(inside,outside)
ASA1# show xlate
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166 flags i idle 0:00:33 timeout 3:00:0

With the above configuration, I can understand that the traffic is initiated on the INSIDE interface, which is why it’s showing in the show xlate output:

NAT FROM INSIDE : 192.168.1.1 to OUTSIDE 192.168.2.166

And now looking at port-forwarding:

NAT(DMZ,OUTSIDE)

show  xlate 
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80
    flags sr idle 0:02:20 timeout 0:00:00

TCP PAT from DMZ:192.168.3.3 22-22 to OUTSIDE:192.168.2.254 10022-10022

The connection is initiated from outside trying to access the internal service on a server but still in Xlate shows:

TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80

Is this hard coded? Whether or not the connection is initiated from outside, will it always show the same in port forwarding?
Please explain the inverse variation in the values between these two.

Hi Asi,

I understand that this might be confusing. It’s best to let the idea of “traffic is initiated” go. The way you should read this is that all traffic from source IP 192.168.3.1 using source TCP 80 has to be translated to source IP 192.168.2.254 with source TCP 80.

It doesn’t matter if the traffic was originated from outside > inside or inside > outside. If it matches this IP/port then we translate, that’s it.

Rene
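Rene's point that direction does not matter can be shown with a small model of how a translation entry is applied. This is an added example, not ASA code or anything from the lesson: the xlate table mirrors the entries quoted in this thread (the dynamic INSIDE entry and the two DMZ port forwards), and the peer address 192.168.2.2 and the client ports used below are constructed. Each entry is stored once, exactly as show xlate prints it, and the same entry rewrites the source when a packet crosses from the real side to the mapped side and untranslates the destination when a packet crosses the other way.

```python
"""How a single xlate entry is applied in both directions (added example, not ASA code).
The table mirrors the 'show xlate' lines quoted in the thread; peer addresses and
client ports used in the demonstration are constructed."""
from dataclasses import dataclass
from typing import List, NamedTuple, Optional


@dataclass(frozen=True)
class Xlate:
    real_if: str
    real_ip: str
    mapped_if: str
    mapped_ip: str
    proto: Optional[str] = None       # None: address-only translation (dynamic NAT)
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


# One row per entry from the thread's outputs, stored the way 'show xlate' prints them.
XLATE_TABLE: List[Xlate] = [
    Xlate("INSIDE", "192.168.1.1", "OUTSIDE", "192.168.2.166"),
    Xlate("DMZ", "192.168.3.1", "OUTSIDE", "192.168.2.254", "tcp", 80, 80),
    Xlate("DMZ", "192.168.3.3", "OUTSIDE", "192.168.2.254", "tcp", 22, 10022),
]


def translate(table: List[Xlate], ingress_if: str, egress_if: str, flow: Flow, proto: str) -> Flow:
    """Apply the first matching entry; the direction decides which field is rewritten."""
    for x in table:
        # Real side -> mapped side: rewrite the source ('from real to mapped' in show xlate).
        if (ingress_if, egress_if) == (x.real_if, x.mapped_if) and flow.src == x.real_ip:
            if x.real_port is None:
                return Flow(x.mapped_ip, flow.sport, flow.dst, flow.dport)
            if proto == x.proto and flow.sport == x.real_port:
                return Flow(x.mapped_ip, x.mapped_port, flow.dst, flow.dport)
        # Mapped side -> real side: the same entry, now untranslating the destination.
        if (ingress_if, egress_if) == (x.mapped_if, x.real_if) and flow.dst == x.mapped_ip:
            if x.mapped_port is None:
                return Flow(flow.src, flow.sport, x.real_ip, flow.dport)
            if proto == x.proto and flow.dport == x.mapped_port:
                return Flow(flow.src, flow.sport, x.real_ip, x.real_port)
    return flow  # no matching entry: forwarded untranslated


if __name__ == "__main__":
    # Outside host (constructed) connecting to the forwarded SSH port
    inbound = Flow("192.168.2.2", 50000, "192.168.2.254", 10022)
    print("OUTSIDE->DMZ:", translate(XLATE_TABLE, "OUTSIDE", "DMZ", inbound, "tcp"))
    # The DMZ server's own SSH traffic towards the outside uses the same entry
    outbound = Flow("192.168.3.3", 22, "192.168.2.2", 50000)
    print("DMZ->OUTSIDE:", translate(XLATE_TABLE, "DMZ", "OUTSIDE", outbound, "tcp"))
```

Whether the first packet arrives on OUTSIDE or leaves from the DMZ, the entry "DMZ:192.168.3.3 22 to OUTSIDE:192.168.2.254 10022" is the only state involved, which is why show xlate prints it the same way in both cases.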

Accidentally, I have to implement a DMZ configuration on an outdated and unmaintained ASA 5510 firewall (ASA version 8.0(3)6, ASDM version 6.0). After diving into the manual and some forum posts, I’ve learned that there was a major CLI syntax change with the 8.3 firmware.

Unfortunately, I have to implement the following config on this old CLI version, where I have three interfaces:

inside 192.168.10.1 255.255.255.0
outside 1.2.3.4 255.255.255.0 (example…)
DMZ 172.28.0.1 255.255.255.0

The DMZ has one host, a web server at 172.28.0.15

I have three objectives to implement:
- to allow all outside IP addresses to access the web server at 172.28.0.15
- to translate all traffic from the outside interface 1.2.3.4 to the web server at 172.28.0.15 (at least port 80 and 443)
- to allow all inside IP addresses from the 192.168.10.0 network to access the web server at 172.28.0.15

Could you support with the appropriate 8.0 CLI syntax?

Any help would be very much appreciated…