birddog2008 (United States of America) asked:
Cisco ASA 5510 NAT setup inside dmz out

Hey Guys,

I'm setting up a brand new Cisco ASA 5510 from scratch.  Simple network to begin, but I need help with NAT.

Inside = 192.168.10.0/24
Outside = 216.13.114.0/28
DMZ = 192.168.129.0/24

I need to be able to ping between Inside and DMZ and any Inside subnet can access any DMZ subnet.  I'm fricking lost!

I setup:

nat (Inside) 1 192.168.10.0 255.255.255.0
global (Outside) 1 interface

I haven't enabled nat-control... but I was reading that even though that is not enabled, once I'm traversing NAT through an interface, I'll have to use static NAT. I tried
static (DMZ,Inside) 192.168.129.0 192.168.10.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.10.0 192.168.129.0 netmask 255.255.255.0
But still no ping nor any IP connectivity.

Any help would be greatly appreciated!
Istvan Kalmar (Hungary):

Did you enable this traffic on the lower security interfaces to inside?
If not, this causes the problem.

access-list DMZ_access_in extended permit ip 192.168.129.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group DMZ_access_in in interface DMZ

after that don't forget to 'clear xlate'!

Best regards,
Istvan
GuruChiu:

If you just want all inside to have unlimited access to DMZ but block DMZ accessing inside, the easiest is

global (DMZ) 1 interface

If you also want to allow DMZ with limited access to inside, you need:

static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-list DMZ_access_in extended permit <whatever you need>
access-group DMZ_access_in in interface DMZ
birddog2008 (asker):
GuruChiu,

doesn't the global (DMZ) 1 interface force the Inside to NAT over to the DMZ?  Does it matter, will it cause an issue?  Both my internal and DMZ are private IP's.  In my current (crappy old checkpoint configs), Inside talks directly to DMZ with no NAT.

Should I be using the nat 0 to talk to DMZ?

As of right now, I cannot ping from Inside to DMZ and I cannot IP (ftp, http) from Inside to DMZ

please show the whole config
Here you go, sh run attached.
CiscoASAConfig.txt
ASKER CERTIFIED SOLUTION by 3nerds (United States of America)
Guys,

If all I have right now is this on my ASA 5510, Version 8.2(1):
nat-control is disabled
Inside security is 100
Outside security is 0
DMZ security is 50
NO ACL's exist and no access-groups configured
And for now, NO NAT configured at all even.
By default, traffic from a higher security interface should be able to talk to a lower security interface, out of the box. Well, I cannot ping from Inside to DMZ and I cannot ftp (as an example) from Inside to DMZ. I'm not even moving on until I understand why this is.
You have these in place:

global (Outside) 1 interface
global (DEMOdmz) 1 interface
nat (Inside) 1 192.168.128.0 255.255.255.0

With these in place the traffic will not flow as you have described. If you have since changed the config to something different than what is posted, then you will have to let us know what you changed.

Regards,

3nerds
I just want to start at ground zero and build from there. I've removed both the global statements and all the ACL's. Inside cannot ping DMZ. Again, I have no nat statements, no global statements and no ACL's. Just interfaces configured.

All I want to validate is that an Inside host can ping an Outside host with as little configuration as possible, to really understand the traffic flow. Now it would seem to me that the return traffic is being blocked because it's going from a lower interface to a higher interface. With that said, if I allow icmp any any, where do I apply that ACL? DMZ in? Or Inside in?
doesn't the global (DMZ) 1 interface force the Inside to NAT over to the DMZ?  Does it matter, will it cause an issue?  Both my internal and DMZ are private IP's.  In my current (crappy old checkpoint configs), Inside talks directly to DMZ with no NAT.

The firewall will use the correct NAT rule depending on where the traffic is going. When it goes to Outside, it uses the Outside NAT rule. When it goes to DMZ, it uses the DMZ NAT rule. This will give you protection from DMZ.
If you want Inside to talk to DMZ directly with no NAT, you can use the 2nd suggestion I posted above:

static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-list DMZ_access_in extended permit <whatever you need>
access-group DMZ_access_in in interface DMZ

Should I be using the nat 0 to talk to DMZ?
No, nat 0 is used to bypass NAT.
Fixed.
Layer 2 issue on my end!
But, FYI, I did add an inspect icmp under my global inspect of the ASA, so that when doing an icmp through the firewall from a higher interface to a lower one, it doesn't need an ACL to allow it back.
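Pulling the pieces of this thread together (GuruChiu's identity static plus DMZ ACL, Istvan's clear xlate, and the asker's inspect icmp), here is a complete minimal ASA 8.2 configuration for the three-interface layout. This is an added example written for this page, not the asker's running config or any participant's post. The interface names, security levels and subnets are the ones the asker gave; the Ethernet slot numbers and the .1/.2 interface addresses are constructed. Note the argument order of static: (real_ifc,mapped_ifc) mapped_ip real_ip, so the real interface for 192.168.10.0/24 is Inside.

```cisco
! Added example, not from the thread. Slot numbers and host addresses
! (.1 on each inside interface, .2 on Outside) are constructed.
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 216.13.114.2 255.255.255.240
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.129.1 255.255.255.0
!
! Inside and DMZ -> Outside: PAT behind the Outside interface address.
! No global (DMZ) is defined, so nat 1 never applies to Inside -> DMZ.
nat (Inside) 1 192.168.10.0 255.255.255.0
nat (DMZ) 1 192.168.129.0 255.255.255.0
global (Outside) 1 interface
!
! Inside <-> DMZ with no translation: identity static. Real interface is
! Inside, mapped on DMZ, and the mapped address equals the real address.
static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
!
! DMZ (50) is lower than Inside (100), so any DMZ-initiated session to
! Inside needs an explicit permit. Allow only echo, log and deny the rest
! of DMZ -> Inside, then let DMZ reach the Internet.
access-list DMZ_access_in extended permit icmp 192.168.129.0 255.255.255.0 192.168.10.0 255.255.255.0 echo
access-list DMZ_access_in extended deny ip 192.168.129.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list DMZ_access_in extended permit ip 192.168.129.0 255.255.255.0 any
access-group DMZ_access_in in interface DMZ
!
! ICMP inspection tracks echo requests as sessions so the replies return
! from a lower-security interface without an ACL (the asker's fix).
policy-map global_policy
 class inspection_default
  inspect icmp
!
! After any NAT change, flush existing translations so the new rules apply.
clear xlate
!
! Verification from privileged EXEC: trace a ping Inside -> DMZ and confirm
! the identity static is chosen, then inspect the translation table.
packet-tracer input Inside icmp 192.168.10.10 8 0 192.168.129.10
show xlate
```

With nat-control disabled (the asker's situation), Inside to DMZ traffic would pass untranslated even without the static, as long as no global (DMZ) exists; the static is what keeps real addresses once a DMZ global is added, and it is also what makes DMZ-initiated connections to 192.168.10.0/24 possible at all. The packet-tracer output shows which NAT rule and ACL line each phase matched, which is the quickest way to tell a NAT or ACL problem from the layer-2 problem the asker actually had.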