config t
interface gi0/0
ip address 1.2.3.4 255.255.255.0
nameif outside
interface gi0/1
ip address 192.168.10.1 255.255.255.0
nameif inside
interface gi0/3
ip address 172.28.0.2 255.255.255.0
nameif dmz
security level 50
object network LAN
subnet 192.168.10.0 255.255.255.0
object network DMZ
host 172.28.0.15
object_group service Dmz_ports
service-object destiantion TCP eq 80
service-object destination TCP eq 443
object network DMZ
NAT(outside,dmz) static 1.2.3.4 service tcp 80 80
network object DMZ
NAT(outside,dmz) static 1.2.3.4 service tcp 443 443
access_list out_acz_in permit object Dmz_ports any object DMZ
access-group out_acz_in in interface outside
Note:-Traffic from LAN to DMZ is allowed (high-to-low) but only for the inspected protocols like Telnet,httpā¦,
So http 80 is inspected -Not to worry about.Traffic with SP:80 from LAN-to-DMZ will flow by default.
for any other traffic use the below acess-list as appropriate
//ALLOW access all ports from DMZ to INSIDE
access-list dmz_acz permit ip object dmz object inside
access-group dmz_acz in interface inside
//Allow access only port 443 from DMZ to INSIDE
access-list dmz_acz permit tcp object dmz object inside eq 443
access-group dmz_acz in interface inside
When a packet enters the INSIDE and exits the OUTSIDE, and the source IP address is 192.168.1.1 then we translate the source address to 192.168.2.200.
When a packet enters the OUTSIDE and exits the INSIDE, and the destination IP address is 192.168.2.200 then we translate the destination address to 192.168.1.1.
We use this so a server on the INSIDE is reachable from the OUTSIDE. We also use NAT (INSIDE,OUTSIDE) so that multiple hosts can access the Internet through a single public IP address.
When a packet enters the OUTSIDE and exits the INSIDE, and the source IP address is 8.8.8.8 then we translate the source address to 192.168.1.8.
When a packet enters the INSIDE and exits the OUTSIDE, and the destination IP address is 192.168.1.8 then we translate the destination address to 8.8.8.8.
This can be useful if you want hosts to be able to reach some external server using an internal IP address. When an internal host tries to reach 192.168.1.8, then it will be translated to 8.8.8.8 (Google DNS).
by default FW allow from Inside to DMZ, so that means I am from Inside network and I can RDP to my windows server in DMZ. it can be bad in some cases,
and if I want to block RDP from Inside to DMZ I will need to configure and access list?
That is correct, it is permitted because you go from a higher to a lower security level. If you want to block this, you have to use an access-list. I have an example here:
Hi Rene
I have confgiure Dynamic NAT on ASA version 8.4(2), As i enable debug it show that NAT are working fine, but I can notping from INSIDE to OUTSIDE , As i debug traffic already reach destination with source IP as NAT and return back and it was drop on ASA. Could you help me about this? As Itās return traffic it should be allow.
By default, communication from lower security level areas to higher security level areas on an ASA are blocked. The only way to get a server in the DMZ (lower security level) to communicate with a device in the LAN (higher security level) is to create the appropriate access lists to allow such a communication. The access lists should be configured to allow the appropriate parameters (ip addresses, protocols etc) and even more importantly, to make sure that all other undesired traffic is blocked.
Such a configuration is typical when you have a web server in the DMZ and the SQL database that it uses within the LAN. The web server will need to query the SQL server to display the appropriate content. IN such a case, an access list similar to the following can be employed in the ASA:
access-list DMZ_WEB line 1 extended permit tcp host 172.16.0.10 object inside-network eq sqlnet
access-list DMZ_WEB line 2 extended deny ip host 172.16.0.10 inside-network
where 172.16.0.10 is the web server and the inside-network object refers to the internal LAN network. Note that only sqlnet or SQL database traffic is allowed from the DMZ to the Internal network.
I am kind of new in networking field.
I have configured ASA dynamic NAT with DMZ as per Unit 2.
for some reason I canāt telnet into R2 and R3, gives me error āconnection refused by remote hostā
if you can help me out please.
thanks
First of all, if R3 gives you the āconnection refused by remote hostā error, this means that your session has reached R3 successfully, however, R3 has been configured not to respond to telnet sessions. Have you tried ssh? It depends on what protocol you have enabled for the CLI communication with the device.
As for R2, from device are you attempting to connect to R2? Are you going through the ASA? It may be that the NAT is not functioning correctly or that some ACLs have not been configured correctly. Take a look at your config once again and compare with the lesson. Let us know your findings so we can continue helping you with the troubleshootingā¦
I have slightly confused myself ā¦ particularly as my ASA 5500 image in GN3 has issues ā¦ does one need a routing protocol running on the ASA or does defeat the object of using NAT?
Many Thanks
Frank
You can choose to run a routing protocol on the ASA or you can choose to employ static routing, it makes no difference. ASA devices inherently contain routing functionality since they have interfaces on multiple subnets. Routing is required for any communication between these. This does not affect NAT as NATās purpose is somewhat different. You just have to keep the order of operations clear in your mind whenever configuring combinations of NAT and routing, such that you know what is applied first, NAT or routing, and in which direction. The following document clarifies the order of operations.
Thanx Laz
I have been out of the cisco world for some timeā¦ If ip routing is enabled on the ASA but no static routes or protocol and attached routers set up with default routes should it still work?
If routing is enabled and you configure no static routes or routing protocols, by default, the only routing that will take place will be routing between the subnets that are configured on each interface. This routing is of course subject to the āallowedā directions of packet flows depending on the security levels defined on each interface. So to answer your question specifically, yes it should work.
Hey everyone I have a 5510 ASA and Iām trying to figure out setting up dynamic NAT with a range or pool of IPs. Iām having trouble with this task as the outside interface is setup with the first available ip out of my 5 static IPS I have. I then want to use a range of IPs to perform dynamic NAT round robin for my DMZ to outside and my inside int to the outside. Is there a better way to set this up and prevent from getting the error of the ips overlap ??
If you look at this lesson, you can see how dynamic NAT is being applied. The IP address of the outside or DMZ interface is not found within the defined ranges of available addresses which NAT uses. Notice in the lesson that for both INSIDE_TO_OUTSIDE and DMZ_TO_OUTSIDE objects, the PUBLIC_POOL is being used. This means that both translations take into account addresses used by the other, and will not duplicate their use.
If for your scenario, four addresses (5 minus the one used for the outside interface) are not enough, then you should consider using PAT as shown in the following lesson.
Good evening Everyone,
I have read the lesson about Cisco ASA Dynamic NAT with DMZ, and will try it on the equipment this Thursday.
Do you Guys know how to do it in ASDM with ASA 5505? I have basic license for ASA.
I found some information in Internet - How to Set up a Cisco ASA DMZ: Cisco ASA Training 101 but it didnāt work for me.
I would like to try it with real equipment, and into GNS3 if possible.
Thank you, and Best Regards,
I suggest you first get the lab done using the CLI as described in the lesson. This way you will gain a better understanding of all of the intricacies and interactions of the config. Once you do that, you can then attempt to reproduce the same lab using ASDM. At this point you will more intuitively be able to implement this because you will have already gone through the steps and procedures necessary to achieve it. So you may find that youāll be able to achieve it using ASDM without specific step by step guidance. I donāt know of a how to guide that will allow you to configure this specific lab using ASDN, but it may be helpful to take a look at these examples of NAT implementation on ASA series firewalls using ASDN.
