Cisco ASA Dynamic NAT with DMZ

Hi Asi,

That’s right, I just fixed this. Thanks for letting me know!

Rene

Hi Rene,

I am a bit confused by the show xlate command output.

Dynamic NAT
NAT(inside,outside)
ASA1# show xlate
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.166 flags i idle 0:00:33 timeout 3:00:0

With the above configuration, I can understand that the traffic is initiated on the INSIDE interface, which is why it shows in the show xlate output as:

NAT FROM INSIDE : 192.168.1.1 to OUTSIDE 192.168.2.166

And now looking at port-forwarding:

NAT(DMZ,OUTSIDE)

show xlate
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80
    flags sr idle 0:02:20 timeout 0:00:00

TCP PAT from DMZ:192.168.3.3 22-22 to OUTSIDE:192.168.2.254 10022-10022

The connection is initiated from outside trying to access the internal service on a server but still in Xlate shows:

TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80

Is this hard coded? Whether or not the connection is initiated from outside, will it always show the same in port forwarding?
Please explain the inverse variation in the values between these two.

Hi Asi,

I understand that this might be confusing. It’s best to let the idea of “traffic is initiated” go :slight_smile: The way you should read this is that all traffic from source IP 192.168.3.1 using source TCP 80 has to be translated to source IP 192.168.2.254 with source TCP 80.

It doesn’t matter if the traffic was originated from outside > inside or inside > outside. If it matches this IP/port then we translate, that’s it.

Rene

Accidentally, I have to implement a DMZ configuration on an outdated and unmaintained ASA 5510 firewall (ASA version 8.0(3)6, ASDM version 6.0). After diving into the manual and some forum posts, I’ve learned that there was a major CLI syntax change with the 8.3 firmware.

Unfortunately, I have to implement the following config on this old CLI version, where I have three interfaces:

inside 192.168.10.1 255.255.255.0
outside 1.2.3.4 255.255.255.0 (example…)
DMZ 172.28.0.1 255.255.255.0

The DMZ has one host, a web server at 172.28.0.15

I have three objectives to implement:
- to allow all outside IP addresses to access the web server at 172.28.0.15
- to translate all traffic from the outside interface 1.2.3.4 to the web server at 172.28.0.15 (at least port 80 and 443)
- to allow all inside IP addresses from the 192.168.10.0 network to access the web server at 172.28.0.15

Could you support with the appropriate 8.0 CLI syntax?

Any help would be very much appreciated…

config t
interface gi0/0
 ip address 1.2.3.4 255.255.255.0
 nameif outside
interface gi0/1
 ip address 192.168.10.1 255.255.255.0
 nameif inside
interface gi0/3
 ip address 172.28.0.2 255.255.255.0
 nameif dmz
 security-level 50

object network LAN
 subnet 192.168.10.0 255.255.255.0

object network DMZ
 host 172.28.0.15

object-group service Dmz_ports
 service-object tcp destination eq 80
 service-object tcp destination eq 443

object network DMZ_HTTP
 host 172.28.0.15
 nat (dmz,outside) static 1.2.3.4 service tcp 80 80

object network DMZ_HTTPS
 host 172.28.0.15
 nat (dmz,outside) static 1.2.3.4 service tcp 443 443

access-list out_acz_in extended permit object-group Dmz_ports any object DMZ
access-group out_acz_in in interface outside

Note: Traffic from LAN to DMZ is allowed (high-to-low) but only for the inspected protocols like Telnet, http...

So http 80 is inspected - not to worry about. Traffic with SP:80 from LAN-to-DMZ will flow by default.

For any other traffic use the access-list below as appropriate.

//ALLOW access to all ports from DMZ to INSIDE

access-list dmz_acz extended permit ip object DMZ object LAN
access-group dmz_acz in interface dmz


//Allow access only to port 443 from DMZ to INSIDE

access-list dmz_acz extended permit tcp object DMZ object LAN eq 443
access-group dmz_acz in interface dmz

Please let me know the results.

Hello Rene,

I am a little bit confused about the two commands when using NAT:

nat(inside, outside)

nat(outside,inside)

Appreciate your nice clarification as always :slight_smile:

br/
zaman

Hi Zaman,

Here’s how it works:

ASA1(config)# object network SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static 192.168.2.200

This basically does two things:

  • When a packet enters the INSIDE and exits the OUTSIDE, and the source IP address is 192.168.1.1 then we translate the source address to 192.168.2.200.
  • When a packet enters the OUTSIDE and exits the INSIDE, and the destination IP address is 192.168.2.200 then we translate the destination address to 192.168.1.1.

We use this so a server on the INSIDE is reachable from the OUTSIDE. We also use NAT (INSIDE,OUTSIDE) so that multiple hosts can access the Internet through a single public IP address.

Now let’s look at another example:

ASA1(config)# object network DNS_SERVER
ASA1(config-network-object)# host 8.8.8.8
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static 192.168.1.8

Here’s what it means:

  • When a packet enters the OUTSIDE and exits the INSIDE, and the source IP address is 8.8.8.8 then we translate the source address to 192.168.1.8.
  • When a packet enters the INSIDE and exits the OUTSIDE, and the destination IP address is 192.168.1.8 then we translate the destination address to 8.8.8.8.

This can be useful if you want hosts to be able to reach some external server using an internal IP address. When an internal host tries to reach 192.168.1.8, then it will be translated to 8.8.8.8 (Google DNS).

Hope this helps!

Rene
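Rene's two bullets above and Asi's show xlate question earlier in the thread (TCP PAT from DMZ:192.168.3.3 22-22 to OUTSIDE:192.168.2.254 10022-10022) describe the same rule read in two directions. The Python model below is an added example, not ASA code or anything posted in the thread; the Packet and StaticNat names and the constructed OUTSIDE client 192.168.2.100 are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on
    egress: str    # interface it will leave on
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class StaticNat:
    """nat (real_ifc,mapped_ifc) static mapped_ip [service tcp real_port mapped_port]"""
    real_ifc: str
    mapped_ifc: str
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None    # None: address-only translation
    mapped_port: Optional[int] = None

def apply_static_nat(rule: StaticNat, pkt: Packet) -> Packet:
    """Translate pkt with one rule; who opened the connection plays no role."""
    # real -> mapped: the SOURCE must match the real address (and port, if set)
    if (pkt.ingress, pkt.egress) == (rule.real_ifc, rule.mapped_ifc):
        if pkt.src == rule.real_ip and rule.real_port in (None, pkt.sport):
            sport = pkt.sport if rule.mapped_port is None else rule.mapped_port
            return replace(pkt, src=rule.mapped_ip, sport=sport)
    # mapped -> real: the DESTINATION must match the mapped address (and port)
    if (pkt.ingress, pkt.egress) == (rule.mapped_ifc, rule.real_ifc):
        if pkt.dst == rule.mapped_ip and rule.mapped_port in (None, pkt.dport):
            dport = pkt.dport if rule.real_port is None else rule.real_port
            return replace(pkt, dst=rule.real_ip, dport=dport)
    return pkt  # no match: forwarded untranslated

def xlate_line(rule: StaticNat) -> str:
    """The 'show xlate' entry: always printed real -> mapped, never by initiator."""
    if rule.real_port is None:
        return f"NAT from {rule.real_ifc}:{rule.real_ip} to {rule.mapped_ifc}:{rule.mapped_ip}"
    return (f"TCP PAT from {rule.real_ifc}:{rule.real_ip} {rule.real_port}-{rule.real_port}"
            f" to {rule.mapped_ifc}:{rule.mapped_ip} {rule.mapped_port}-{rule.mapped_port}")

# Rules quoted in the thread: Rene's SERVER object and Asi's SSH port forward.
SERVER = StaticNat("INSIDE", "OUTSIDE", "192.168.1.1", "192.168.2.200")
SSH_FWD = StaticNat("DMZ", "OUTSIDE", "192.168.3.3", "192.168.2.254", 22, 10022)

if __name__ == "__main__":
    syn = Packet("OUTSIDE", "DMZ", "192.168.2.100", "192.168.2.254", 51000, 10022)  # constructed
    print(apply_static_nat(SSH_FWD, syn), xlate_line(SSH_FWD), sep="\n")
```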

By default the FW allows traffic from Inside to DMZ, so that means if I am on the Inside network I can RDP to my Windows server in the DMZ. It can be bad in some cases,
and if I want to block RDP from Inside to DMZ I will need to configure an access list?

Thank you

Hi Hoan,

That is correct, it is permitted because you go from a higher to a lower security level. If you want to block this, you have to use an access-list. I have an example here:

Look for the “deny traffic from inside” section.

Rene

Hi Rene
I have configured Dynamic NAT on ASA version 8.4(2). As I enable debug it shows that NAT is working fine, but I cannot ping from INSIDE to OUTSIDE. As I debug, the traffic already reaches the destination with the NAT source IP and returns, but it is dropped on the ASA. Could you help me with this? As it’s return traffic it should be allowed.

Hello Heng,

Have you tried packet-tracer on the ASA? That should give you a reason why the ASA drops it.

Rene

Maybe slightly off topic. I have a need for a DMZ server to initiate communications with a LAN (inside) server. How can I go about doing this?

Hello Richard

By default, communication from lower security level areas to higher security level areas on an ASA are blocked. The only way to get a server in the DMZ (lower security level) to communicate with a device in the LAN (higher security level) is to create the appropriate access lists to allow such a communication. The access lists should be configured to allow the appropriate parameters (ip addresses, protocols etc) and even more importantly, to make sure that all other undesired traffic is blocked.

Such a configuration is typical when you have a web server in the DMZ and the SQL database that it uses within the LAN. The web server will need to query the SQL server to display the appropriate content. In such a case, an access list similar to the following can be employed in the ASA:

access-list DMZ_WEB line 1 extended permit tcp host 172.16.0.10 object inside-network eq sqlnet
access-list DMZ_WEB line 2 extended deny ip host 172.16.0.10 object inside-network

where 172.16.0.10 is the web server and the inside-network object refers to the internal LAN network. Note that only sqlnet or SQL database traffic is allowed from the DMZ to the Internal network.

I hope this has been helpful!

Laz
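Hoan's question about RDP from inside to the DMZ and Richard's DMZ-to-SQL case both come down to how the ASA decides a new connection: security levels when no access-group is applied to the ingress interface, first match with an implicit deny once one is. The Python model below is an added example, not ASA code or anything posted in the thread; the interface names and security levels, the 192.168.10.0/24 value for inside-network, the sample hosts and the INSIDE_NO_RDP list are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed security levels and object definition; the thread gives no values for these.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
OBJECTS = {"inside-network": ip_network("192.168.10.0/24")}

@dataclass(frozen=True)
class Ace:
    """One access-list entry: action proto src dst [eq dport]."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol, else "tcp"/"udp"
    src: str                      # "any", an object name, or a host IP
    dst: str
    dport: Optional[int] = None   # None: any destination port

def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec in OBJECTS:
        return ip_address(ip) in OBJECTS[spec]
    return ip_address(ip) == ip_address(spec)

def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return _addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)

def allowed(ingress: str, egress: str, proto: str, src: str, dst: str,
            dport: int, acl: Optional[List[Ace]] = None) -> bool:
    """Is a NEW connection entering `ingress` and leaving `egress` permitted?"""
    if acl is None:
        # No access-group on the ingress interface: security levels decide.
        return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
    for ace in acl:  # first match wins; every ACL ends in an implicit deny
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action == "permit"
    return False

# Laz's DMZ_WEB list (sqlnet is TCP 1521) and an assumed list for Hoan's "block RDP" case.
DMZ_WEB = [Ace("permit", "tcp", "172.16.0.10", "inside-network", 1521),
           Ace("deny", "ip", "172.16.0.10", "inside-network")]
INSIDE_NO_RDP = [Ace("deny", "tcp", "any", "any", 3389),
                 Ace("permit", "ip", "any", "any")]
```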

Hello there,

I am kind of new in the networking field.
I have configured ASA dynamic NAT with DMZ as per Unit 2.
For some reason I can’t telnet into R2 and R3; it gives me the error “connection refused by remote host”.
If you can help me out please.
Thanks

Hello Ankit

First of all, if R3 gives you the “connection refused by remote host” error, this means that your session has reached R3 successfully, however, R3 has been configured not to respond to telnet sessions. Have you tried ssh? It depends on what protocol you have enabled for the CLI communication with the device.

As for R2, from which device are you attempting to connect to R2? Are you going through the ASA? It may be that the NAT is not functioning correctly or that some ACLs have not been configured correctly. Take a look at your config once again and compare with the lesson. Let us know your findings so we can continue helping you with the troubleshooting…

I hope this has been helpful!

Laz

I have slightly confused myself … particularly as my ASA 5500 image in GNS3 has issues … does one need a routing protocol running on the ASA, or does that defeat the object of using NAT?
Many Thanks
Frank

Hello Frank

You can choose to run a routing protocol on the ASA or you can choose to employ static routing, it makes no difference. ASA devices inherently contain routing functionality since they have interfaces on multiple subnets. Routing is required for any communication between these. This does not affect NAT as NAT’s purpose is somewhat different. You just have to keep the order of operations clear in your mind whenever configuring combinations of NAT and routing, such that you know what is applied first, NAT or routing, and in which direction. The following document clarifies the order of operations.

I hope this has been helpful!

Laz

Thanx Laz
I have been out of the Cisco world for some time… If IP routing is enabled on the ASA but there are no static routes or routing protocol, and the attached routers are set up with default routes, should it still work?

Hello Frank

If routing is enabled and you configure no static routes or routing protocols, by default, the only routing that will take place will be routing between the subnets that are configured on each interface. This routing is of course subject to the “allowed” directions of packet flows depending on the security levels defined on each interface. So to answer your question specifically, yes it should work.

I hope this has been helpful!

Laz

Thanx again Laz!
I will try this again tomorrow on Devnet rather than GNS3.
Kind Regards
Frank
