Solved

Using Dynamic NAT to translate internal addresses to different network on DMZ interface

Posted on 2010-09-16
472 Views
Last Modified: 2012-05-10
Hello All,

I have a Cisco ASA that has a DMZ interface. I need clients from 172.21.172.0 255.255.252.0 on the inside to appear on the DMZ interface as 172.24.16.x 255.255.255.0. The DMZ is 172.21.175.1, connected to a VPN hardware device at 172.21.175.2. I need clients to connect through the ASA to the 172.20.x.x 255.255.x.x. I have everything set up, including routes and the global and nat statements. I want to make sure my config will do this. Thank you.
ASA-connected-to-hardware-VPN-de.txt
Question by:greenbeanx81
10 Comments
 

Author Comment

by:greenbeanx81
ID: 33697248
Can this be done? I'm not sure if you can use a different IP pool for a global command and a different IP on the DMZ interface.
 
LVL 10

Expert Comment

by:ddiazp
ID: 33697286
You need to change

nat (DMZ) 2 172.21.172.0 255.255.252.0

to

nat (inside) 2 172.21.172.0 255.255.252.0

Other than that, the rest looks fine.

Author Comment

by:greenbeanx81
ID: 33697391
The minute I add the second statement, my clients on 172.21.174.x 255.255.255.x lose their Internet.

Author Comment

by:greenbeanx81
ID: 33697422
Here is my route table:

S    172.21.173.0 255.255.255.0 [1/0] via 172.21.174.1, inside
C    172.21.175.0 255.255.255.252 is directly connected, DMZ
C    172.21.174.0 255.255.255.0 is directly connected, inside
S    172.20.0.0 255.255.0.0 [1/0] via 172.21.175.2, outside
C    24.199.46.232 255.255.255.248 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 24.199.46.233, outside

I have 172.21.173.0/24 and 172.21.174.0/24 on the inside. It looks like once I add the nat (DMZ) inside statement, it routes the inside networks to the DMZ interface... strange.

Author Comment

by:greenbeanx81
ID: 33697454
I removed the "172.20.0.0 255.255.0.0 [1/0] via 172.21.175.2, outside" line and specified the networks I want to go to the VPN device, with no go.

Author Comment

by:greenbeanx81
ID: 33699260
Okay... I am now trying to use policy NAT with global and nat commands. My configuration is below:

access-list Harland_VPN extended permit ip 172.21.173.0 255.255.255.0 172.24.16.0 255.255.255.0
access-list Harland_VPN extended permit ip 172.21.174.0 255.255.255.0 172.24.16.0 255.255.255.0
access-list dmz extended permit ip any any
global (outside) 1 interface
global (DMZ) 2 172.24.16.1-172.24.16.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 access-list Harland_VPN
route DMZ 172.20.3.0 255.255.255.0 172.21.175.2
route DMZ 172.20.4.0 255.255.255.0 172.21.175.2
route DMZ 172.20.5.0 255.255.255.0 172.21.175.2
route DMZ 172.20.6.0 255.255.255.0 172.21.175.2

I tried to telnet or ping to the address 172.20.3.1. The connection is closed immediately and I do not see any entries in the xlate or conn tables:

TORRANCEASA# sh xlate
6 in use, 284 most used
Global 24.199.46.236 Local 172.21.174.10
PAT Global 24.199.46.234(50879) Local 172.21.174.19(2190)
PAT Global 24.199.46.234(46690) Local 172.21.174.26(1047)
PAT Global 24.199.46.234(63189) Local 172.21.174.226(58396)
PAT Global 24.199.46.234(7968) Local 172.21.174.24(1045)
PAT Global 24.199.46.234(57215) Local 172.21.174.14(2682)  

TORRANCEASA# sh conn  
58 in use, 164 most used
TCP outside 172.16.1.1:51310 inside 172.21.174.226:3389, idle 0:00:09, bytes 253159, flags UIOB
TCP outside 76.195.149.211:5721 inside 172.21.174.19:2190, idle 0:00:11, bytes 81868, flags UIO
TCP outside 76.195.149.211:5721 inside 172.21.174.26:1047, idle 0:00:27, bytes 157060, flags UIO
TCP outside 76.195.149.211:5721 inside 172.21.174.226:58396, idle 0:00:04, bytes 86008, flags UIO
TCP outside 76.195.149.211:5721 inside 172.21.174.24:1045, idle 0:00:27, bytes 81508, flags UIO
TCP outside 76.195.149.211:5721 inside 172.21.174.14:2682, idle 0:00:04, bytes 142730, flags UIO

My question is: should the config work, and how can I verify that the NAT translation is actually working? Packet capture? I'm not seeing anything that says the firewall is routing out the DMZ interface towards 172.21.175.2 as the next hop. I need to use a range for the global command, so I do not think policy NAT with the static command will work. Thank you.
ASA-that-needs-to-route-inside-h.txt
LVL 10

Expert Comment

by:ddiazp
ID: 33706279
With the existing config you won't see traffic from your inside network towards the DMZ in your translation tables, simply because it's not translating them:

Your Harland_VPN doesn't have an entry for the DMZ; on the other hand, you're trying to telnet to 172.20.3.1, which should send the traffic through the VPN. Because it's a VPN you should not NAT it at all, or the VPN won't work (unless your access-lists on the other end of the VPN are configured for the NAT IPs), so you should add:

access-list NONAT extended permit ip 172.21.174.0 255.255.255.0 172.20.3.0 255.255.255.0

So the firewall doesn't translate these packets.

Do you have a config for the other side of the VPN?



Another thing I noticed is this:

Your VPN Peer is 24.x.x.x

Your destination for 172.20.3.0 255.255.255.0 is 172.21.175.2

Since 172.21.175.2 is not your peer, does this allow VPN traffic through? Is this a router? Is there a route towards the other VPN peer?

Author Comment

by:greenbeanx81
ID: 33708927
The tunnel-group is for a tunnel that is disabled. I'm not using that.

I want to send traffic out the DMZ interface appearing as 172.24.16.0/24 to a third-party VPN hardware device connected at 172.21.175.2. The ASA is not doing the VPN; 172.21.175.2 is doing the VPN. Here is a diagram.
DMZ-network-diagram-visio.vsd
LVL 10

Accepted Solution

by: ddiazp (earned 500 total points)
ID: 33708946
Then you need to add:

access-list Harland_VPN extended permit ip 172.21.173.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list Harland_VPN extended permit ip 172.21.174.0 255.255.255.0 172.20.3.0 255.255.255.0

This way you NAT from inside to DMZ, translating them to 172.24.16.0/24 if the destination IP is in 172.20.3.0/24.

The current

access-list Harland_VPN extended permit ip 172.21.173.0 255.255.255.0 172.24.16.0 255.255.255.0
access-list Harland_VPN extended permit ip 172.21.174.0 255.255.255.0 172.24.16.0 255.255.255.0

are not doing anything.
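To make the accepted solution concrete, here is an added Python model of how the ASA chooses a translation. It is not part of the original thread and not Cisco code; it assumes the ASA 8.2-style NAT order (policy NAT with an access-list is checked before regular NAT, regular NAT picks the most specific matching nat statement, and an xlate is built only when a global exists for the egress interface and that NAT id). It replays three states of the configuration from the thread: the first attempt with a regular nat (inside) 2 for 172.21.172.0/22, the policy ACL whose destination was the pool 172.24.16.0/24, and the corrected ACL with destination 172.20.3.0/24. All addresses come from the thread except 203.0.113.10, a documentation address standing in for an Internet host.

```python
"""Model of Cisco ASA 8.2-style NAT selection (constructed for this thread, not ASA code).

Routes pick the egress interface; policy NAT (nat <id> access-list) is checked
before regular NAT (nat <id> <net> <mask>); regular NAT uses the most specific
match; a translation is built only when a global exists for (egress, nat id).
"""
from ipaddress import ip_address, ip_network

# Route table as posted in the thread, resolved by longest prefix match.
ROUTES = [
    ("172.20.3.0/24", "DMZ"), ("172.20.4.0/24", "DMZ"),
    ("172.20.5.0/24", "DMZ"), ("172.20.6.0/24", "DMZ"),
    ("172.21.175.0/30", "DMZ"),
    ("172.21.173.0/24", "inside"), ("172.21.174.0/24", "inside"),
    ("0.0.0.0/0", "outside"),
]

# global (outside) 1 interface  /  global (DMZ) 2 172.24.16.1-172.24.16.254
GLOBALS = {
    ("outside", 1): "interface",
    ("DMZ", 2): [str(a) for a in ip_network("172.24.16.0/24").hosts()],
}

# Policy-NAT ACLs as (source network, destination network) pairs.
ACL_ORIGINAL = [("172.21.173.0/24", "172.24.16.0/24"),   # destination is the NAT pool itself
                ("172.21.174.0/24", "172.24.16.0/24")]
ACL_FIXED = [("172.21.173.0/24", "172.20.3.0/24"),       # destination is the real remote network
             ("172.21.174.0/24", "172.20.3.0/24")]

def egress_interface(dst):
    """Longest-prefix match over ROUTES; the default route guarantees a match."""
    d = ip_address(dst)
    for net, iface in sorted(ROUTES, key=lambda r: ip_network(r[0]).prefixlen, reverse=True):
        if d in ip_network(net):
            return iface

def acl_permits(acl, src, dst):
    """A policy-NAT ACL matches on the real source AND the real destination."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(sn) and d in ip_network(dn) for sn, dn in acl)

def pick_nat_rule(rules, src, dst):
    """Policy NAT rules win in configured order; otherwise the most specific regular rule."""
    for rule in rules:
        if "acl" in rule and acl_permits(rule["acl"], src, dst):
            return rule
    s = ip_address(src)
    regular = [r for r in rules if "net" in r and s in ip_network(r["net"])]
    return max(regular, key=lambda r: ip_network(r["net"]).prefixlen, default=None)

def translate(rules, src, dst, xlate):
    """Return (egress interface, translated source). The translated source is None
    when no xlate can be built, which is what the empty 'show xlate' in the thread showed."""
    egress = egress_interface(dst)
    rule = pick_nat_rule(rules, src, dst)
    if rule is None:
        return egress, None
    pool = GLOBALS.get((egress, rule["id"]))
    if pool is None:                      # nat matched, but no global for this id on egress
        return egress, None
    if pool == "interface":
        return egress, f"PAT to {egress} interface"
    key = (egress, rule["id"], src)
    if key not in xlate:                  # dynamic NAT: first free pool address, sticky per host
        used = set(xlate.values())
        xlate[key] = next(a for a in pool if a not in used)
    return egress, xlate[key]

# First attempt: nat (inside) 2 172.21.172.0 255.255.252.0 next to nat (inside) 1 0.0.0.0 0.0.0.0
RULES_FIRST_ATTEMPT = [{"iface": "inside", "id": 2, "net": "172.21.172.0/22"},
                       {"iface": "inside", "id": 1, "net": "0.0.0.0/0"}]

def rules_with_policy(acl):
    """nat (inside) 2 access-list Harland_VPN ; nat (inside) 1 0.0.0.0 0.0.0.0"""
    return [{"iface": "inside", "id": 2, "acl": acl},
            {"iface": "inside", "id": 1, "net": "0.0.0.0/0"}]

def run_scenarios():
    out = {}
    # 1. The more specific regular nat 2 also wins for Internet-bound traffic, and there
    #    is no global (outside) 2, so inside hosts lose Internet access.
    out["first_attempt_internet"] = translate(RULES_FIRST_ATTEMPT, "172.21.174.10", "203.0.113.10", {})
    # 2. A policy ACL whose destination is the pool never matches real traffic.
    out["original_acl_vpn"] = translate(rules_with_policy(ACL_ORIGINAL), "172.21.174.10", "172.20.3.1", {})
    # 3. Corrected ACL: destination 172.20.3.0/24 triggers the policy and the 172.24.16.x pool.
    xl = {}
    fixed = rules_with_policy(ACL_FIXED)
    out["fixed_acl_host_a"] = translate(fixed, "172.21.174.10", "172.20.3.1", xl)
    out["fixed_acl_host_b"] = translate(fixed, "172.21.173.20", "172.20.3.1", xl)
    out["fixed_acl_internet"] = translate(fixed, "172.21.174.10", "203.0.113.10", xl)
    return out

if __name__ == "__main__":
    for name, (egress, source) in run_scenarios().items():
        print(f"{name:22s} -> egress {egress:8s} source {source}")
```

Running it shows the two failure modes reported earlier in the thread side by side with the fix: the first attempt leaves Internet traffic without a usable global, the original ACL never fires so traffic to 172.20.3.1 reaches the DMZ untranslated, and the corrected ACL hands each inside host its own 172.24.16.x address while Internet traffic still falls through to the outside interface PAT.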

Author Comment

by:greenbeanx81
ID: 33709290
OK, I see where I went wrong. I already had the 172.24.16.0 network for the global, so the access-list is just to trigger the policy. I added 172.20.0.0 255.255.0.0 to the access-list since I want the 172.20.3.0 to 172.20.6.0 networks to route. I'll test and see if it works. Thank you.