NAT DMZ Interface with Public IP range


(Peter D) #1

Hey all, I have a question and I haven’t been able to find any information on it anywhere. The firewall is a Cisco ASA5525-X with the latest 9.8 code.

I have a public IP range (/24) that I have set up on the DMZ interface. I set up an auto NAT to NAT the DMZ to the Outside to get the hosts internet access.

I have a server on the DMZ with a public IP address in the /24 range set up on the interface; however, it’s not accessible from the outside. I’m pretty sure it’s because of the way I have the NAT set up, but I don’t know how to fix it.

How can I set the DMZ NAT up so it will use its own addresses to go to the Internet instead of using the Outside public interface?

Here is how it’s configured:

Interface:
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 69.xx.xx.1 255.255.255.0

Object:
object network NET_69.xx.xx.0_24
subnet 69.xx.xx.0 255.255.255.0

NAT:
object network NET_69.xx.xx.0_24
nat (DMZ,outside) dynamic interface

Thanks!


(Lazaros Agapides) #2

Hello Peter

I assume that your outside interface has a security level of 0, as is usually best practice. You must keep in mind that the default security behaviour of an ASA is as follows:
* Traffic that goes from a lower security interface is denied when it goes to a higher security interface.
* Traffic that goes from a higher security interface is allowed when it goes to a lower security interface.

This means that by default, all communication from the Internet to the DMZ is blocked. In order to override this default behaviour, it is necessary to create an ACL that explicitly permits this traffic.

Detailed step by step instructions for configuring this as well as many other features can be found at the following Cisco documentation:


Go to the section named Configure and follow the step by step instructions. You have some of the config complete, just examine specifically the ACL configuration.

I hope this has been helpful!

Laz


(Peter D) #3

I forgot to include, but yes, the Outside Interface has a Security Level of 0 and I have an ACL allowing what services I need in:

Interface:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 25.xx.xx.xx 255.255.255.252

ACL:
access-list outside_access_in extended permit tcp any host 69.xx.xx.106 eq https
access-list outside_access_in extended permit icmp any host 69.xx.xx.106 echo

However, I figured out what the problem was. The problem was with the NAT: I was using PAT to the outside interface, but needed it to use the range I specified on the DMZ. So I changed it to the following:

NAT:
nat (DMZ,outside) source static NET_69.xx.xx.0_24 NET_69.xx.xx.0_24

Now everything is working correctly; whatever public IP is on the DMZ will now use itself to NAT.

Thanks for the suggestions.
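The configuration the thread converges on, put together end to end as an added example (this is not the original poster's running-config, nor Cisco's documentation): the dynamic PAT is removed, an identity (twice) NAT keeps the DMZ addresses untranslated in both directions, the inbound ACL from post #3 is bound to the outside interface (the posts show the ACL but not the access-group, which is required for it to take effect), and a packet-tracer run checks the result. Interface, object and host names are the ones used in the posts; the 69.xx.xx.x / 25.xx.xx.xx placeholders are kept as written, and the packet-tracer source address 198.51.100.10 is a constructed documentation-range address.

```cisco
! Added example, not the original poster's config. Names and placeholder
! addresses are taken from the thread; 198.51.100.10 is a made-up source.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 25.xx.xx.xx 255.255.255.252
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 69.xx.xx.1 255.255.255.0
!
! 1. Drop the object (auto) NAT that hid the DMZ hosts behind the outside
!    interface address. A dynamic PAT rule only creates translations for
!    connections initiated from the DMZ, so nothing on the outside could
!    reach 69.xx.xx.106 through it.
object network NET_69.xx.xx.0_24
 subnet 69.xx.xx.0 255.255.255.0
 no nat (DMZ,outside) dynamic interface
!
! 2. Identity twice NAT: the DMZ subnet is translated to itself, so the
!    servers keep their own public addresses in both directions. Manual
!    (twice) NAT sits in section 1 of the NAT table and is evaluated before
!    object NAT, so it also wins over any leftover object-NAT rule for the
!    same subnet.
nat (DMZ,outside) source static NET_69.xx.xx.0_24 NET_69.xx.xx.0_24
!
! 3. Permit only the inbound services that are needed and bind the ACL to
!    the outside interface. Since ASA 8.3 an interface ACL matches the real
!    (untranslated) address, which here is the same as the public address.
access-list outside_access_in extended permit tcp any host 69.xx.xx.106 eq https
access-list outside_access_in extended permit icmp any host 69.xx.xx.106 echo
access-group outside_access_in in interface outside
!
! 4. Verify. "show nat" should list the identity rule in section 1 with hit
!    counts; the trace of an inbound HTTPS connection should end with
!    "Action: allow" and show no translation of 69.xx.xx.106 in the NAT phase.
show nat
packet-tracer input outside tcp 198.51.100.10 40000 69.xx.xx.106 443
```

Two things the ASA itself cannot fix: the upstream router must have a route for 69.xx.xx.0/24 pointing at the ASA's outside address (25.xx.xx.xx on the /30), or inbound packets never reach the firewall; and because the identity rule exposes every address in the /24 untranslated, the outside ACL is the only thing limiting what is reachable, so keep it to the specific hosts and ports rather than `permit ip any`.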