Cisco ASA Dynamic NAT with DMZ

Maybe I am misunderstanding:
Should the key words OUTSIDE and INSIDE be swapped in both examples
and the IP addresses swapped in the text below the examples?

Thank you

I was following Cisco ASA Dynamic NAT with DMZ; however, I am a bit confused in regard to:

ASA1(config)# object network PUBLIC_POOL -> What does it refer to? Shouldn't it be the public IP address on the ASA (192.168.2.254)?
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200

I have tried to implement something similar; however, I get the following error:

[ok] object network dmz
    object network dmz
[ok] host 192.168.1.1
[ERROR] nat stactic outside net-to-net
            Address 172.168.1.1 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Hello Bruno

The object network PUBLIC_POOL command is used to define the range of outside IP addresses to be used for NAT. This doesn’t have to be the actual physical address on the outside interface, and actually must be a range of addresses since we are configuring dynamic NAT. Actually, the IP addresses specified here don’t even have to be in the same subnet as the address of the outside interface, as long as there is routing to the configured outside NAT interfaces to reach them.

I’m not sure I understand the syntax of the commands here, but I do understand the error that states that the address overlaps with the outside interface address. It seems that you have another NAT rule (without the object NAT configuration) somewhere that already uses the outside interface address and that is why you have a conflict. A similar such situation can be found at the following Cisco community forum that might help you in your troubleshooting:

In any case, if you would like to duplicate the lesson, follow the configurations and explanations there and let us know your results.

I hope this has been helpful!

Laz

Hello Donald

Yes you are right, that seems to be a typo in Rene’s post. I’ve corrected it. Thanks for pointing that out!

Laz

Hello Rene,

I’m new to your website.
Can you just create an access-list that allows some traffic from outside to inside, please?
Thank you

Hello Star

Yes, it is possible to create an access list that will only allow specific traffic from the outside to the inside. An example of this can be found in the following lesson:

I hope this has been helpful!

Laz
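To tie Laz's two answers together (the PUBLIC_POOL object being a range of outside addresses rather than the outside interface's own address, and an access list that admits only specific traffic from outside), here is a complete ASA 8.3+ style configuration. This is an added example, not the configuration from Rene's lesson: the only values taken from the thread are the outside interface address 192.168.2.254, the pool 192.168.2.100-192.168.2.200 and the DMZ host 192.168.1.1; the interface names, the inside and DMZ subnets, the object names INSIDE_NET and DMZ_SERVER, the static mapped address 192.168.2.10 and the ACL name OUTSIDE_IN are assumptions.

```cisco
! Added example (not from the lesson). Values marked "assumed" are
! placeholders chosen for illustration.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0          ! assumed inside subnet
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.254 255.255.255.0       ! assumed DMZ subnet
!
! Pool of mapped (outside) addresses used by dynamic NAT.
! It is a range, not the interface address, and 192.168.2.254 is
! deliberately left out of it so the pool never overlaps the
! outside interface's own address.
object network PUBLIC_POOL
 range 192.168.2.100 192.168.2.200
!
! Inside hosts are translated to a pool address when they go outside.
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0                ! assumed
 nat (inside,outside) dynamic PUBLIC_POOL
!
! DMZ server gets a fixed mapped address so outside hosts can reach it.
! The mapped address must not be the outside interface address itself;
! using 192.168.2.254 here would produce the "overlaps with outside
! interface address" error quoted in the thread.
object network DMZ_SERVER
 host 192.168.1.1
 nat (dmz,outside) static 192.168.2.10        ! assumed mapped address
!
! Least-privilege inbound policy: only TCP/80 to the DMZ server.
! On 8.3+ the ACL references the real (untranslated) address, which is
! why the object DMZ_SERVER (192.168.1.1) is used, not 192.168.2.10.
access-list OUTSIDE_IN extended permit tcp any object DMZ_SERVER eq 80
access-group OUTSIDE_IN in interface outside
```

After applying it, show nat and show xlate confirm which rules are installed and which translations are active; if a flow still fails, packet-tracer (for example packet-tracer input outside tcp 203.0.113.5 40000 192.168.2.10 80) walks through the NAT and ACL decisions and reports the phase that drops the packet. Pool addresses outside the outside interface's subnet work too, as Laz notes, but only if the upstream router has a route for them pointing back at the ASA.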

I followed everything in the topic and entered all the commands correctly, but when I use the telnet command it gives me this answer:
% Destination unreachable; gateway or host down

I checked all my configurations commands in every single device.

Can you please share with us which emulator you are using, for example GNS3 or EVE-NG?

Hello Mohammed

I believe that Rene used VIRL to create these labs. I have gone in and tried labbing this one up on CML, and it seems to be working correctly. Can you do some troubleshooting and take a look at the output to the show xlate command after you try the telnet? The “destination unreachable gateway or host down” message seems to indicate that ASA1 is not routing/NATting correctly. Also, can you do some NAT debugs to see why the telnet is failing? Try these troubleshooting activities and let us know your results.

I hope this has been helpful!

Laz