Cisco ASA 5510 NAT setup inside dmz out

birddog2008
Hey Guys,

I'm setting up a brand new Cisco ASA 5510 from scratch.  Simple network to begin, but I need help with NAT.

Inside = 192.168.10.0/24
Outside = 216.13.114.0/28
DMZ = 192.168.129.0/24

I need to be able to ping between Inside and DMZ and any Inside subnet can access any DMZ subnet.  I'm fricking lost!

I setup:

nat (Inside) 1 192.168.10.0 255.255.255.0
global (Outside) 1 interface

I haven't enabled nat-control...but I was reading that even though that is not enabled, once I'm traversing NAT through an interface, I'll have to use static NAT.  I tried
static (DMZ,Inside) 192.168.129.0 192.168.10.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.10.0 192.168.129.0 netmask 255.255.255.0
But still no ping nor any IP connectivity

Any help would be greatly appreciated!
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Did you enable this traffic on the lower security interfaces to inside?
If not, this causes the problem.

access-list DMZ_access_in extended permit ip 192.168.129.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group DMZ_access_in in interface DMZ

after that don't forget to 'clear xlate'!

Best regards,
Istvan

Commented:
If you just want all inside to have unlimited access to DMZ but block DMZ accessing inside, the easiest is

global (DMZ) 1 interface

If you also want to allow DMZ with limited access to inside, you need:

static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-list DMZ_access_in extended permit <whatever you need>
access-group DMZ_access_in in interface DMZ

Author

Commented:
GuruChiu,

doesn't the global (DMZ) 1 interface force the Inside to NAT over to the DMZ?  Does it matter, will it cause an issue?  Both my internal and DMZ are private IP's.  In my current (crappy old checkpoint configs), Inside talks directly to DMZ with no NAT.

Should I be using the nat 0 to talk to DMZ?

As of right now, I cannot ping from Inside to DMZ and I cannot IP (ftp, http) from Inside to DMZ


Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
please show the whole config

Author

Commented:
Here you go, sh run attached.
CiscoASAConfig.txt
Birddog2008,

I do not use a global to talk to the DMZ, there are probably good reasons to do so but it is not how I do mine.

All you should have to do is add a static to allow the inside to talk to the DMZ and then from there you can add an ACL to allow or deny specific traffic.

here is some of the pieces i usually add.

Static first:

static (Inside_firewall,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 --> this basically says anything from the 192 trying to get to the DMZ will be translated on a one-for-one basis.


I add a DMZ acl:
access-list acl_dmz extended permit icmp any any
access-list acl_dmz extended permit udp any any eq domain
access-list acl_dmz extended permit tcp any any eq domain
access-list acl_dmz extended permit ip host 192.168.129.X any ---> this is the key line as this host will be allowed to communicate out.
access-list acl_dmz extended deny ip any 172.16.0.0 255.255.0.0
access-list acl_dmz extended deny ip any 10.0.0.0 255.0.0.0
access-list acl_dmz extended deny ip any 192.168.0.0 255.255.0.0

And I normally add an inside ACL just for mail protection reasons.

Good Luck,

3nerds

Author

Commented:
Guys,

If all I have right now is this on my ASA 5510, Version 8.2(1)
nat-control is disabled
Inside security is 100
Outside security is 0
DMZ security is 50
NO ACL's exist and no access-groups configured
And for now, NO NAT configured at all even.
By default, traffic from higher security interface should be able to talk to lower security interface.  out of the box.  Well, I cannot ping from Inside to DMZ and I cannot ftp (as an example) from Inside to DMZ.  I'm not even moving on until I understand why this is?  
You have these in place:

global (Outside) 1 interface
global (DEMOdmz) 1 interface
nat (Inside) 1 192.168.128.0 255.255.255.0

With these in place the traffic will not flow as you have described. If you have since changed the config to something different from what is posted, then you will have to let us know what you changed.

Regards,

3nerds

Author

Commented:
I just want to start at ground zero and build from there.  I've removed both the global statements and all the ACL's.  Inside cannot ping DMZ.  Again, I have no nat statements, no global statements and no ACL's.  Just interfaces configured.

All I want to validate is that an Inside host can ping an Outside host with as little configuration as possible, to really understand the traffic flow.  Now it would seem to me that the return traffic is being blocked because it's going from a lower interface to a higher interface.  With that said, if I allow icmp any any, where do I apply that ACL?  DMZ in?  Or Inside in?

Commented:
doesn't the global (DMZ) 1 interface force the Inside to NAT over to the DMZ?  Does it matter, will it cause an issue?  Both my internal and DMZ are private IP's.  In my current (crappy old checkpoint configs), Inside talks directly to DMZ with no NAT.

The firewall will use the correct NAT rule depending on where the traffic is going. When it goes to Outside, it uses the Outside NAT rule. When it goes to DMZ, it uses the DMZ NAT rule. This gives you protection from the DMZ.
If you want Inside to talk to the DMZ directly with no NAT, you can use the 2nd suggestion I posted above:

static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-list DMZ_access_in extended permit <whatever you need>
access-group DMZ_access_in in interface DMZ

Should I be using the nat 0 to talk to DMZ?
No, nat 0 is used to bypass NAT.
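A complete minimal version of the two approaches GuruChiu describes, written here as an added example rather than configuration taken from the thread or from the attached show run. Interface names and subnets are the ones the poster gave; the host addresses 192.168.10.5 and 192.168.129.10 and the TCP/1433 service are assumed for illustration. The syntax is the pre-8.3 NAT model of the 8.2(1) code the poster is running, where a static is written as (real_ifc,mapped_ifc) mapped_ip real_ip:

```text
! Added example, not the poster's config. ASA 8.2 inside <-> DMZ.
!   Inside  192.168.10.0/24   security-level 100
!   DMZ     192.168.129.0/24  security-level 50
!   Outside 216.13.114.0/28   security-level 0
! Hosts 192.168.10.5 (inside DB, assumed) and 192.168.129.10 (DMZ web, assumed).

! Internet access: dynamic PAT to the Outside interface address (as in the question).
nat (Inside) 1 192.168.10.0 255.255.255.0
global (Outside) 1 interface

! --- Option A: PAT inside hosts to the DMZ interface address when they go to the DMZ.
! Inside-initiated flows work (higher to lower security level), DMZ hosts only ever
! see the DMZ interface IP, and nothing on the DMZ can initiate a session to Inside.
global (DMZ) 1 interface

! --- Option B: identity NAT, so DMZ hosts see real inside addresses and selected
! DMZ-to-Inside traffic can be permitted by ACL. Use one option, not both.
no global (DMZ) 1 interface
static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

! DMZ -> Inside is lower-to-higher and denied by default; permit only what is needed,
! then block the rest of RFC1918 before the catch-all permit to the Internet.
access-list DMZ_access_in extended permit tcp host 192.168.129.10 host 192.168.10.5 eq 1433
access-list DMZ_access_in extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ_access_in extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ_access_in extended deny ip any 172.16.0.0 255.240.0.0
access-list DMZ_access_in extended permit ip 192.168.129.0 255.255.255.0 any
access-group DMZ_access_in in interface DMZ

! Existing translations keep their old mapping until cleared.
clear xlate

! Dry-run both directions; the output lists each phase (ACL, NAT, inspect) and ends
! with Action: allow or Action: drop plus the reason.
packet-tracer input Inside tcp 192.168.10.5 12345 192.168.129.10 80
packet-tracer input DMZ tcp 192.168.129.10 40000 192.168.10.5 1433
```

With both the static and a global (DMZ) present, the static wins for 192.168.10.0/24, because statics are matched before nat/global rules; that is why Option B starts by removing Option A. packet-tracer is the quickest way to tell a NAT miss (the "no translation group found" drop) from an ACL deny or, as turned out in this thread, a problem below layer 3, where the trace allows the packet but nothing ever answers.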

Author

Commented:
Fixed.
Layer 2 issue on my end!
But, FYI, I did add an Inspect ICMP under my Global Inspect of the ASA, so that when doing an icmp through the firewall between a higher interface and a lower one, it doesn't need an ACL to allow it back.
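The ICMP-inspection change the poster mentions, next to the alternative of an explicit return ACL, as an added example (not configuration from the thread). Interface names are the poster's; the host addresses 192.168.10.5 and 192.168.129.10 are assumed. On 8.2 the default global policy map and its service-policy already exist, so only the inspect lines are new:

```text
! Added example, not the poster's config. Two ways to let echo-replies come back
! from a lower-security interface (DMZ or Outside) to a higher one (Inside).

! --- Way 1 (what the poster did): make ICMP stateful. The firewall then creates a
! connection for each echo-request and admits only the matching reply, like TCP/UDP.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
! 'service-policy global_policy global' is already applied by the default config.

! --- Way 2: no inspection, permit the reply types inbound on the lower interface.
! Any DMZ host can then send unsolicited echo-replies at Inside, so Way 1 is preferred.
access-list DMZ_access_in extended permit icmp 192.168.129.0 255.255.255.0 192.168.10.0 255.255.255.0 echo-reply
access-list DMZ_access_in extended permit icmp any any time-exceeded
access-list DMZ_access_in extended permit icmp any any unreachable
access-group DMZ_access_in in interface DMZ

! Verify: the trace should end with Action: allow; with Way 1 a ping in progress also
! shows up as an ICMP connection.
packet-tracer input Inside icmp 192.168.10.5 8 0 192.168.129.10
show conn protocol icmp
```

Way 1 also covers traceroute and path-MTU unreachables from the Internet side without opening any ICMP type inbound, which is the reason to prefer it over Way 2 on the Outside interface as well.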
