This topic is to discuss the following lesson:
Do we need to NAT from inside to DMZ?
Below is part of the config, and yes, it does require that the LAN is NATed to the DMZ_POOL.
You could also use no nat-control, which exempts you from having to do NAT across the ASA’s interfaces.
object network INSIDE_TO_DMZ
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,DMZ) dynamic DMZ_POOL
Hi Sims & Paul,
NAT control was used on ASA versions before 8.3. Basically it meant that when you wanted to go from a high security level to a lower one (for example LAN to DMZ), it had to be NAT translated.
With ASA 8.3 and higher, NAT control is disabled and unavailable. You don’t have to configure NAT if you want to access the DMZ from your LAN.
Good to know, thanks Rene.
There is no need to configure an access-list ?
No access-list is required since we go from a high security level to a lower security level:
- INSIDE > OUTSIDE
- INSIDE > DMZ
- DMZ > OUTSIDE
Only when you go from a low security level to a higher one, you’ll need an access-list:
- OUTSIDE > INSIDE
- OUTSIDE > DMZ
- DMZ > INSIDE
Hi. I have a question. In the case of newer ASA versions, ifname does not work per interface. In order to name an interface, I have to create a VLAN and assign it to the interface. Also, NAT was deprecated in newer versions of ASA 9.1. Can you please give some lesson on it.
Which model are you using?
ASA# show version
Cisco Adaptive Security Appliance Software Version 9.5(1)201

ASA# show run interface GigabitEthernet 0/0
!
interface GigabitEthernet0/0
 description to R1
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 10.0.0.5 255.255.255.252
It’s still the same here. Same for the NAT commands.
As far as I know, by default, the ASA will block all traffic from a lower into a higher area.
In this example, I can’t ping from R1 to 192.168.2.2 and 192.168.3.3 but I can telnet to them.
Why is it?
If we don’t create an access-list, something like below:
access-list inside-in extended permit ip any any
access-list outside-in extended permit ip any any
access-list dmz-in extended permit ip any any
access-group inside-in in interface INSIDE
access-group outside-in in interface OUTSIDE
access-group dmz-in in interface DMZ
I can’t ping them!
How long does a NAT router keep track of the translation database if the session is turned off from the host end? Suppose inside IP 192.168.1.1 has been translated to IP 192.168.2.166.
ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166
    flags i idle 0:00:33 timeout 3:00:00
The timeout in your output is 3 hours. This timer will begin when the last connection has been removed. You can see the current connections with the show conn command. It can take a long time before idle TCP connections get cleaned up so it’s possible to configure the ASA to kill these after awhile.
That’s right, the ASA will block traffic from a lower to a higher security level.
It also blocks ICMP traffic by default. If you want to permit it, you’ll need to add an inspect rule:
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
I have the situation quite like your example.
In your example, the DMZ zone was assigned a public IP. We can access from R1 to R3 (via NAT INSIDE_TO_DMZ) and R2 (via INSIDE_TO_OUTSIDE).
If the DMZ zone was assigned a private IP address and the DMZ wants to go public (it needs a public IP range from the outside interface), we use static NAT or port forwarding to point to the real server by its private IP, plus some access-lists on ASA1, and then OUTSIDE can access the DMZ.
But how can INSIDE access the DMZ via the public IP?
If you want to access your DMZ server from the inside with its public IP address, then you’ll have to configure NAT. This is something I wouldn’t recommend, though…you can use the private IP address to reach the DMZ server from the inside.
To give you an idea, here’s an example where I configure hairpinning for a server on the inside:
ASA1(config)# object network DMZ_POOL
ASA1(config-network-object)# range 192.168.3.100 192.168.3.100
==== Is this supposed to be 200? Please correct me if I am wrong,
as the translated address is 192.168.3.146.
That’s right, I just fixed this. Thanks for letting me know!
Bit confused by the show xlate command output.
Dynamic NAT: nat (inside,outside)
ASA1# show xlate
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166
    flags i idle 0:00:33 timeout 3:00:00
With the above configuration, I can understand that the traffic is initiated on the INSIDE interface; that’s why it’s showing in the show xlate output:
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166
And now looking at port-forwarding:
show xlate
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80
    flags sr idle 0:02:20 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 22-22 to OUTSIDE:192.168.2.254 10022-10022
The connection is initiated from outside, trying to access the internal service on a server, but still the xlate shows:
TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80
Is this hard-coded? Whether or not the connection is initiated from outside, will it always show the same for port forwarding?
Please explain the inverse variation in the values between these two.
I understand that this might be confusing. It’s best to let the idea of “traffic is initiated” go. The way you should read this is that all traffic from source IP 192.168.3.1 using source TCP port 80 has to be translated to source IP 192.168.2.254 with source TCP port 80.
It doesn’t matter if the traffic was originated from outside > inside or inside > outside. If it matches this IP/port then we translate, that’s it.
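The two answers above (the xlate timer that only runs once the last connection is gone, and the point that a static PAT entry is applied regardless of which side opened the connection) can be made concrete by modelling the xlate table. The following is an added example, not code from the lesson or from Cisco: it parses the `show xlate` line format seen in this thread into records, computes how long a dynamic entry has left, and applies an entry to a packet arriving on either interface, rewriting the source on the real side and the destination on the mapped side. The sample output, the hosts on the outside (203.0.113.x), the idle values on the static entries, and the function names are constructed for the example; ACL evaluation and the connection table are deliberately not modelled.

```python
"""Parse Cisco ASA 'show xlate' output and apply an entry to packets in both directions."""
import re
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample: the dynamic NAT entry from the thread plus two static PAT
# (port-forward) entries. Idle/timeout values on the PAT lines are made up.
SHOW_XLATE = """\
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166 flags i idle 0:00:33 timeout 3:00:00
TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80 flags sr idle 0:02:20 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 22-22 to OUTSIDE:192.168.2.254 10022-10022 flags sr idle 0:00:05 timeout 0:00:00
"""

# One xlate line: optional protocol, NAT|PAT, real side, mapped side, flags, idle, timeout.
# Port ranges are absent on address-only NAT entries and present on PAT entries.
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?P<kind>NAT|PAT) from "
    r"(?P<real_if>\w+):(?P<real_ip>[\d.]+)(?: (?P<rlo>\d+)-(?P<rhi>\d+))? to "
    r"(?P<map_if>\w+):(?P<map_ip>[\d.]+)(?: (?P<mlo>\d+)-(?P<mhi>\d+))? "
    r"flags (?P<flags>\S+) idle (?P<idle>\d+:\d{2}:\d{2}) timeout (?P<timeout>\d+:\d{2}:\d{2})$"
)


def hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


@dataclass(frozen=True)
class Xlate:
    proto: Optional[str]          # None for address-only NAT entries
    real_if: str
    real_ip: str
    real_ports: Optional[tuple]   # (low, high) or None
    map_if: str
    map_ip: str
    map_ports: Optional[tuple]
    flags: frozenset
    idle: int                     # seconds
    timeout: int                  # seconds; 0 on static entries

    @property
    def static(self) -> bool:
        return "s" in self.flags

    def remaining_seconds(self) -> Optional[int]:
        # Static entries never age out. A dynamic entry's timer only counts while no
        # connection uses it, which is exactly what the 'idle' column reports.
        if self.static:
            return None
        return max(self.timeout - self.idle, 0)


def _ports(g: dict, lo: str, hi: str) -> Optional[tuple]:
    return (int(g[lo]), int(g[hi])) if g[lo] else None


def parse_xlate(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:   # summary and 'Flags:' legend lines do not match and are skipped
            continue
        g = m.groupdict()
        entries.append(Xlate(g["proto"], g["real_if"], g["real_ip"], _ports(g, "rlo", "rhi"),
                             g["map_if"], g["map_ip"], _ports(g, "mlo", "mhi"),
                             frozenset(g["flags"]),
                             hms_to_seconds(g["idle"]), hms_to_seconds(g["timeout"])))
    return entries


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _in_range(port: int, rng: Optional[tuple]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def apply_xlate(x: Xlate, pkt: Packet) -> Optional[Packet]:
    """Return the translated packet if the entry applies, otherwise None.

    The same entry rewrites the SOURCE of traffic entering on the real interface and
    the DESTINATION of traffic entering on the mapped interface. Which side opened the
    connection is irrelevant, matching how the thread reads the 'TCP PAT from ...' line.
    """
    if x.proto and x.proto != pkt.proto:
        return None
    if pkt.ingress == x.real_if and pkt.src_ip == x.real_ip and _in_range(pkt.src_port, x.real_ports):
        port = pkt.src_port if x.map_ports is None else x.map_ports[0] + (pkt.src_port - x.real_ports[0])
        return replace(pkt, src_ip=x.map_ip, src_port=port)
    if pkt.ingress == x.map_if and pkt.dst_ip == x.map_ip and _in_range(pkt.dst_port, x.map_ports):
        port = pkt.dst_port if x.real_ports is None else x.real_ports[0] + (pkt.dst_port - x.map_ports[0])
        return replace(pkt, dst_ip=x.real_ip, dst_port=port)
    return None
```

Running `parse_xlate(SHOW_XLATE)` gives three entries; the first (flags `i`) has 3:00:00 minus 0:00:33 left before it is removed, while the two `sr` entries report no expiry. Feeding the web-server entry a SYN arriving on OUTSIDE for 192.168.2.254:80 yields a destination of 192.168.3.1:80, and feeding it the reply leaving the DMZ from 192.168.3.1:80 yields a source of 192.168.2.254:80: one entry, both directions.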
Accidentally, I have to implement a DMZ configuration on an outdated and unmaintained ASA 5510 firewall (ASA version 8.0(3)6, ASDM version 6.0). After diving into the manual and some forum posts, I’ve learned that there was a major CLI syntax change with the 8.3 firmware.
Unfortunately, I have to implement the following config on this old CLI version, where I have three interfaces:
inside 192.168.10.1 255.255.255.0
outside 184.108.40.206 255.255.255.0 (example…)
DMZ 172.28.0.1 255.255.255.0
The DMZ has one host, a web server at 172.28.0.15
I have three objectives to implement:
- to allow all outside IP addresses to access the web server at 172.28.0.15
- to translate all traffic from the outside interface 220.127.116.11 to the web server at 172.28.0.15 (at least ports 80 and 443)
- to allow all inside IP addresses from the 192.168.10.0 network to access the web server at 172.28.0.15
Could you support me with the appropriate 8.0 CLI syntax?
Any help would be very much appreciated…