Cisco ASA Dynamic NAT with DMZ

config t
interface gi0/0
 ip address 1.2.3.4 255.255.255.0
 nameif outside
 security-level 0
 no shutdown

interface gi0/1
 ip address 192.168.10.1 255.255.255.0
 nameif inside
 security-level 100
 no shutdown

interface gi0/3
 ip address 172.28.0.2 255.255.255.0
 nameif dmz
 security-level 50
 no shutdown

object network LAN
 subnet 192.168.10.0 255.255.255.0

object network DMZ
 host 172.28.0.15

object-group service Dmz_ports
 service-object tcp destination eq 80
 service-object tcp destination eq 443

! Static PAT: publish ports 80 and 443 of the DMZ host on the outside interface
! address (1.2.3.4). The real interface comes first and the mapped interface
! second, so the pair is (dmz,outside). When the mapped address is the outside
! interface's own IP it has to be given as "interface". A network object holds
! only one nat statement, so each port mapping of the same host gets its own object.
object network DMZ_HTTP
 host 172.28.0.15
 nat (dmz,outside) static interface service tcp 80 80

object network DMZ_HTTPS
 host 172.28.0.15
 nat (dmz,outside) static interface service tcp 443 443

! The outside ACL matches the real (untranslated) address of the DMZ host.
access-list out_acz_in extended permit object-group Dmz_ports any object DMZ
access-group out_acz_in in interface outside

Note: Traffic from LAN to DMZ is allowed (high-to-low) but only for the inspected protocols like Telnet, HTTP, ...

So HTTP 80 is inspected, not to worry about. Traffic with SP:80 from LAN to DMZ will flow by default.

For any other traffic use the below access-list as appropriate.

//ALLOW access all ports from DMZ to INSIDE

! Applied inbound on the dmz interface, where DMZ-to-inside traffic enters the ASA.
access-list dmz_acz extended permit ip object DMZ object LAN
access-group dmz_acz in interface dmz


//Allow access only port 443 from DMZ to INSIDE

access-list dmz_acz extended permit tcp object DMZ object LAN eq 443
access-group dmz_acz in interface dmz

Please let me know the results.

Hello Rene,

I am a little bit confused about the two commands when using NAT:

nat(inside, outside)

nat(outside,inside)

I appreciate your nice clarification as always :)

br/
zaman

Hi Zaman,

Here's how it works:

ASA1(config)# object network SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static 192.168.2.200

This basically does two things:

  • When a packet enters the INSIDE and exits the OUTSIDE, and the source IP address is 192.168.1.1 then we translate the source address to 192.168.2.200.
  • When a packet enters the OUTSIDE and exits the INSIDE, and the destination IP address is 192.168.2.200 then we translate the destination address to 192.168.1.1.

We use this so a server on the INSIDE is reachable from the OUTSIDE. We also use NAT (INSIDE,OUTSIDE) so that multiple hosts can access the Internet through a single public IP address.

Now let's look at another example:

ASA1(config)# object network DNS_SERVER
ASA1(config-network-object)# host 8.8.8.8
ASA1(config-network-object)# nat (OUTSIDE,INSIDE) static 192.168.1.8

Here's what it means:

  • When a packet enters the OUTSIDE and exits the INSIDE, and the source IP address is 8.8.8.8 then we translate the source address to 192.168.1.8.
  • When a packet enters the INSIDE and exits the OUTSIDE, and the destination IP address is 192.168.1.8 then we translate the destination address to 8.8.8.8.

This can be useful if you want hosts to be able to reach some external server using an internal IP address. When an internal host tries to reach 192.168.1.8, then it will be translated to 8.8.8.8 (Google DNS).

Hope this helps!

Rene
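To confirm on the ASA itself which direction a rule translates, here is an added verification sequence that is not part of Rene's reply. It reuses the SERVER and DNS_SERVER objects and the INSIDE/OUTSIDE interface names from his two examples; the outside host 203.0.113.10, the inside client 192.168.1.50, the ports, the OUTSIDE_IN access-list and a default route out of OUTSIDE are all assumed for the test.

```cisco
! Added verification example. Object and interface names come from the reply
! above; test addresses, ports and the OUTSIDE_IN access-list are assumed.
!
! 1) Rule direction and hit counts. In "(INSIDE,OUTSIDE)" the real interface
!    is named first and the mapped interface second.
ASA1# show nat detail
!
! 2) nat (INSIDE,OUTSIDE) static 192.168.2.200, forward direction: a packet
!    entering INSIDE from the real host should leave with source 192.168.2.200
!    and the trace should end in ALLOW (a route to 203.0.113.10 is assumed).
ASA1# packet-tracer input INSIDE tcp 192.168.1.1 40000 203.0.113.10 443 detailed
!
! 3) Same rule, reverse direction: a packet entering OUTSIDE addressed to the
!    mapped IP. Since 8.3 the access-list on OUTSIDE is evaluated after un-NAT,
!    against the real address 192.168.1.1, so the permit must name the real host.
ASA1(config)# access-list OUTSIDE_IN extended permit tcp any host 192.168.1.1 eq 80
ASA1(config)# access-group OUTSIDE_IN in interface OUTSIDE
ASA1# packet-tracer input OUTSIDE tcp 203.0.113.10 40000 192.168.2.200 80 detailed
!
! 4) nat (OUTSIDE,INSIDE) static 192.168.1.8 for DNS_SERVER: an inside client
!    sending to 192.168.1.8 should show the destination rewritten to 8.8.8.8
!    and the packet leaving via OUTSIDE.
ASA1# packet-tracer input INSIDE udp 192.168.1.50 53000 192.168.1.8 53 detailed
!
! 5) The translation table. Static rules appear with the "s" flag as soon as
!    they are configured; dynamic entries appear once traffic creates them.
ASA1# show xlate
```

Binding OUTSIDE_IN in step 3 replaces any access-group already on OUTSIDE, so on a production box add the line to the existing list instead.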

By default the FW allows traffic from Inside to DMZ, so that means if I am on the Inside network I can RDP to my Windows server in the DMZ. That can be bad in some cases,
and if I want to block RDP from Inside to DMZ I will need to configure an access list?

Thank you

Hi Hoan,

That is correct, it is permitted because you go from a higher to a lower security level. If you want to block this, you have to use an access-list. I have an example here:

https://networklessons.com/cisco-asa/cisco-asa-access-list/

Look for the "deny traffic from inside" section.

Rene

Hi Rene
I have configured dynamic NAT on ASA version 8.4(2). When I enable debug it shows that NAT is working fine, but I cannot ping from INSIDE to OUTSIDE. In the debug, the traffic already reaches the destination with the NAT source IP and comes back, but it is dropped on the ASA. Could you help me with this? As it's return traffic, it should be allowed.

Hello Heng,

Have you tried packet-tracer on the ASA? That should give you a reason why the ASA drops it.

Rene
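An added diagnostic for the symptom Heng describes (NAT works, the reply comes back, the ASA drops it), not part of Rene's reply. The interface names inside and outside, the inside host 192.168.10.10, the mapped address 1.2.3.4 and the ping target 198.51.100.1 are assumed. It shows the packet-tracer checks and the one change a default ASA configuration needs before ping replies are tied to the request that caused them.

```cisco
! Added diagnostic example; addresses and interface names are assumed.
!
! exec mode: trace the echo request (ICMP type 8, code 0) leaving inside. The
! NAT phase should show the source becoming 1.2.3.4 and the result ALLOW.
packet-tracer input inside icmp 192.168.10.10 8 0 198.51.100.1 detailed
!
! Then trace the echo reply (type 0, code 0) arriving on outside for the mapped
! address. On a default configuration this ends in DROP: the ASA keeps no
! connection state for ICMP unless ICMP inspection is enabled, so the reply is
! treated as a new outside-to-inside flow and fails the access-list check.
packet-tracer input outside icmp 198.51.100.1 0 0 1.2.3.4 detailed
!
! config mode: add ICMP to the default global inspection policy so a reply is
! matched to the request that created the connection.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! exec mode: confirm the inspection is listed, then test with a real ping from
! the inside host. A standalone trace of the reply still drops (no request is
! in flight); if the real ping still fails, read the reason from the counters.
show service-policy global
show asp drop
```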

Maybe slightly off topic. I have a need for a DMZ Server to initiate communications with a LAN (inside) server. How can i go about doing this?

Hello Richard

By default, communication from lower security level areas to higher security level areas on an ASA is blocked. The only way to get a server in the DMZ (lower security level) to communicate with a device in the LAN (higher security level) is to create the appropriate access lists to allow such communication. The access lists should be configured to allow the appropriate parameters (IP addresses, protocols etc.) and, even more importantly, to make sure that all other undesired traffic is blocked.

Such a configuration is typical when you have a web server in the DMZ and the SQL database that it uses within the LAN. The web server will need to query the SQL server to display the appropriate content. In such a case, an access list similar to the following can be employed in the ASA:

access-list DMZ_WEB line 1 extended permit tcp host 172.16.0.10 object inside-network eq sqlnet
access-list DMZ_WEB line 2 extended deny ip host 172.16.0.10 object inside-network

where 172.16.0.10 is the web server and the inside-network object refers to the internal LAN network. Note that only sqlnet (SQL database) traffic is allowed from the DMZ to the internal network.

I hope this has been helpful!

Laz
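Hoan's question above (blocking RDP from inside to the DMZ) and Richard's (letting a DMZ web server reach an inside database) are the two sides of the same mechanism, so here is one added configuration covering both. It is not from the thread or the lesson: the interface names inside and dmz, the objects INSIDE_NET, DMZ_WEB and INSIDE_SQL with their addresses, the ACL names and the test client 192.168.1.50 are all assumed. Laz's permit line is kept; the deny is widened to the whole DMZ and a trailing permit for Internet-bound traffic is added.

```cisco
! Added example; names and addresses are assumed, not taken from the thread.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network DMZ_WEB
 host 172.16.0.10
object network INSIDE_SQL
 host 192.168.1.20
!
! 1) inside (100) -> dmz (50) is permitted by default. Once an ACL is bound to
!    the inside interface that default is gone and the ACL's implicit deny
!    applies to everything entering inside, so the RDP deny needs an explicit
!    permit after it or inside hosts lose DMZ and Internet access entirely.
access-list INSIDE_IN extended deny tcp object INSIDE_NET object DMZ_WEB eq 3389
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! 2) dmz (50) -> inside (100) is denied by default. Open only the database port
!    from the one web server to the one SQL host (sqlnet is the ASA keyword for
!    TCP 1521), block every other DMZ-to-inside flow, then let the DMZ reach
!    the Internet. The ACL is bound inbound on dmz, where this traffic enters.
access-list DMZ_IN extended permit tcp object DMZ_WEB object INSIDE_SQL eq sqlnet
access-list DMZ_IN extended deny ip any object INSIDE_NET
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! 3) exec mode: check each decision (client address and ports are made up).
!    Expected results in order: DROP, ALLOW, ALLOW, DROP.
packet-tracer input inside tcp 192.168.1.50 50000 172.16.0.10 3389
packet-tracer input inside tcp 192.168.1.50 50000 172.16.0.10 443
packet-tracer input dmz tcp 172.16.0.10 50000 192.168.1.20 1521
packet-tracer input dmz tcp 172.16.0.10 50000 192.168.1.20 3389
```

The order inside DMZ_IN matters: the specific permit sits above the broad deny, and the final permit only ever sees traffic that is not headed for INSIDE_NET, so adding more DMZ hosts later does not silently open a path into the LAN.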

Hello there,

I am kind of new to the networking field.
I have configured ASA dynamic NAT with DMZ as per Unit 2.
For some reason I can't telnet into R2 and R3; it gives me the error "connection refused by remote host".
If you can help me out please.
Thanks

Hello Ankit

First of all, if R3 gives you the "connection refused by remote host" error, this means that your session has reached R3 successfully; however, R3 has been configured not to respond to telnet sessions. Have you tried SSH? It depends on what protocol you have enabled for CLI communication with the device.

As for R2, from which device are you attempting to connect to R2? Are you going through the ASA? It may be that the NAT is not functioning correctly or that some ACLs have not been configured correctly. Take a look at your config once again and compare it with the lesson. Let us know your findings so we can continue helping you with the troubleshooting...

I hope this has been helpful!

Laz

I have slightly confused myself... particularly as my ASA 5500 image in GNS3 has issues... does one need a routing protocol running on the ASA, or does that defeat the object of using NAT?
Many thanks
Frank

Hello Frank

You can choose to run a routing protocol on the ASA or you can choose to employ static routing; it makes no difference. ASA devices inherently contain routing functionality since they have interfaces on multiple subnets. Routing is required for any communication between these. This does not affect NAT, as NAT's purpose is somewhat different. You just have to keep the order of operations clear in your mind whenever configuring combinations of NAT and routing, so that you know what is applied first, NAT or routing, and in which direction. The following document clarifies the order of operations.

I hope this has been helpful!

Laz

Thanx Laz
I have been out of the Cisco world for some time... If IP routing is enabled on the ASA but no static routes or routing protocol, and the attached routers are set up with default routes, should it still work?

Hello Frank

If routing is enabled and you configure no static routes or routing protocols, by default the only routing that will take place will be routing between the subnets that are configured on each interface. This routing is of course subject to the "allowed" directions of packet flows depending on the security levels defined on each interface. So to answer your question specifically, yes, it should work.

I hope this has been helpful!

Laz

Thanx again Laz!
I will try this again tomorrow on Devnet rather than GNS3.
Kind Regards
Frank


Hey everyone, I have a 5510 ASA and I'm trying to figure out setting up dynamic NAT with a range or pool of IPs. I'm having trouble with this task as the outside interface is set up with the first available IP out of the 5 static IPs I have. I then want to use a range of IPs to perform dynamic NAT round robin for my DMZ to outside and my inside int to the outside. Is there a better way to set this up and prevent getting the error that the IPs overlap?

Hello Brandon

If you look at this lesson, you can see how dynamic NAT is being applied. The IP address of the outside or DMZ interface is not found within the defined ranges of available addresses which NAT uses. Notice in the lesson that for both INSIDE_TO_OUTSIDE and DMZ_TO_OUTSIDE objects, the PUBLIC_POOL is being used. This means that both translations take into account addresses used by the other, and will not duplicate their use.

If for your scenario, four addresses (5 minus the one used for the outside interface) are not enough, then you should consider using PAT as shown in the following lesson.

I hope this has been helpful!

Laz
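For Brandon's case (five public addresses, the first already on the outside interface), here is an added example of sharing a four-address pool between inside and dmz with a fallback, not from the thread or the lesson. The addresses 203.0.113.1 to 203.0.113.5 stand in for his five statics, the object names follow Laz's mention of INSIDE_TO_OUTSIDE, DMZ_TO_OUTSIDE and PUBLIC_POOL, and the inside and dmz subnets are assumed.

```cisco
! Added example; public addresses and internal subnets are assumed.
!
! The outside interface already holds 203.0.113.1. A mapped range that includes
! that address is rejected as overlapping, so the pool starts at .2.
object network PUBLIC_POOL
 range 203.0.113.2 203.0.113.5
!
! Both rules draw from the same pool, so an address handed to a DMZ host is not
! reused for an inside host. Dynamic NAT is one-to-one: four addresses means at
! most four hosts with translations at a time. The trailing "interface" keyword
! falls back to PAT on the outside address when the pool is exhausted instead
! of failing new sessions.
object network INSIDE_TO_OUTSIDE
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic PUBLIC_POOL interface
!
object network DMZ_TO_OUTSIDE
 subnet 172.28.0.0 255.255.255.0
 nat (dmz,outside) dynamic PUBLIC_POOL interface
!
! To spread sessions across the four addresses round-robin (what "round robin"
! usually means here) use the same range as a PAT pool instead. This form needs
! ASA 8.4(3) or later and replaces the nat line of the object:
! object network INSIDE_TO_OUTSIDE
!  nat (inside,outside) dynamic pat-pool PUBLIC_POOL round-robin interface
!
! exec mode: confirm the rules and watch translations being allocated.
show nat detail
show xlate
```

With plain dynamic NAT the fifth and later inside or DMZ hosts only get out because of the interface fallback; if you expect more than a handful of concurrent hosts, the PAT pool form is the one to use from the start.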

Good evening Everyone,
I have read the lesson about Cisco ASA Dynamic NAT with DMZ, and will try it on the equipment this Thursday.
Do you Guys know how to do it in ASDM with ASA 5505? I have basic license for ASA.
I found some information on the Internet - How to Set up a Cisco ASA DMZ: Cisco ASA Training 101 - but it didn't work for me.
I would like to try it with real equipment, and into GNS3 if possible.
Thank you, and Best Regards,

Hello Asen

I suggest you first get the lab done using the CLI as described in the lesson. This way you will gain a better understanding of all of the intricacies and interactions of the config. Once you do that, you can then attempt to reproduce the same lab using ASDM. At this point you will more intuitively be able to implement this because you will have already gone through the steps and procedures necessary to achieve it. So you may find that you'll be able to achieve it using ASDM without specific step-by-step guidance. I don't know of a how-to guide that will allow you to configure this specific lab using ASDM, but it may be helpful to take a look at these examples of NAT implementation on ASA series firewalls using ASDM.

I hope this has been helpful!

Laz