steno1122 asked:
No NAT translation between internal network and DMZ

Hi,
I’m configuring an ASA for a customer that does not want NAT translation between their internal network and their DMZ. They don’t want NAT in either direction, so DMZ servers can connect to internal servers via their actual IP and vice versa. I am preparing the config in advance and won’t have much time to troubleshoot once the firewall is installed in their production environment. I need help with the NAT commands so that there is no translation in either direction but there is NAT when connecting to the Internet.

This is what I have thus far (using different IPs for example purposes):

access-list EXEMPT extended permit ip any 10.150.10.0 255.255.255.0
nat (inside) 0 access-list EXEMPT

The above would not translate internal addresses when they go to the DMZ, but what entries would I use for when a DMZ server needs to connect to the internal network so the IP isn’t translated? Would I use another nat 0 line with an ACL, or would a static entry listing both the internal and DMZ subnets be better? Would the entry below work so that DMZ addresses are not translated when connecting to internal servers? If not, what entries would work?

access-list DMZ_EXEMPT extended permit ip any 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_EXEMPT

Also, would a “global (outside) 1 x.x.x.x netmask x.x.x.x” translate all traffic going to the Internet from both networks even though there is no NAT translation between the internal and DMZ subnets?

Thanks for the assistance!
Ken Boone

So what you would do is something like this:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

This assumes that 192.168.1.0 is the inside network.

This statement says that the 192.168.1.0 network will be known as 192.168.1.0 on the dmz segment.

You would then need to add an ACL to the dmz segment allowing the DMZ devices to reach the 192.168.1.0 devices.

Since you have done this, you will not need the nat 0 rule you set up, as once I create a static assignment like the one above it works in both directions.

steno1122 (ASKER)
Kenboonejr,
Thank you for the reply.  To clarify,  I add the static which you mentioned

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Then I add an ACL something like

access-list dmz_in extended permit ip 192.168.1.0 255.255.255.0 10.150.10.0 255.255.255.0

Then add a global statement to get to the Internet like

global (outside) 1 (routable IP's) netmask x.x.x.x

Would that work so that there is no NAT on the network but both the internal and DMZ servers can get to the Internet?

Thanks again for the help!
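Putting the pieces of the thread together, here is a complete pre-8.3 ASA fragment for the layout described above (identity static between inside and dmz, dynamic PAT to the Internet for both segments, and the ACL the dmz interface needs). It is an added example, not a configuration posted by either participant. The interface names (inside, dmz, outside), the usual security levels (inside 100, dmz 50, outside 0), the documentation-range public address 203.0.113.10 and the TCP/1433 service are assumptions chosen for illustration. One point worth checking in the ACL: an access-group applied inbound on the dmz interface matches packets arriving from the DMZ, so the source must be the DMZ subnet and the destination the inside subnet.

```cisco
! Added example, not from the thread. Pre-8.3 (nat/global/static) syntax.
! Assumed addressing: inside = 192.168.1.0/24, dmz = 10.150.10.0/24,
! outside interface holds the public address; 203.0.113.10 is a placeholder.
!
! 1. Identity static between inside and dmz. 192.168.1.0/24 keeps its real
!    addresses on the dmz side. A static covers both directions of the
!    interface pair, so no nat 0 / exemption rule is needed for inside<->dmz.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! 2. Internet access for both segments: dynamic PAT behind the outside
!    interface address. NAT ID 1 on the nat lines pairs them with
!    global (outside) 1. Static entries are evaluated before nat/global,
!    so inside<->dmz traffic is never PATed by these lines.
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.150.10.0 255.255.255.0
global (outside) 1 interface
! Alternative, if a dedicated public address is preferred (placeholder IP):
!   global (outside) 1 203.0.113.10 netmask 255.255.255.255
!
! 3. Access control. inside (100) -> dmz (50) is allowed by default because
!    it flows to a lower security level; dmz -> inside is not, so the dmz
!    interface needs an inbound ACL. Source = DMZ subnet, destination =
!    inside subnet. Permit only the service the DMZ servers actually need
!    (TCP/1433 is an assumed example), deny everything else toward inside,
!    then allow the DMZ out to the Internet.
access-list dmz_in extended permit tcp 10.150.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 1433
access-list dmz_in extended deny ip 10.150.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in extended permit ip 10.150.10.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! 4. Checks to run once the box is installed (exec mode, placeholder hosts):
!   packet-tracer input dmz tcp 10.150.10.5 1025 192.168.1.10 1433
!     -> NAT phase should show the identity static; overall result "allow".
!   packet-tracer input dmz tcp 10.150.10.5 1025 192.168.1.10 22
!     -> should be dropped by the dmz_in ACL.
!   packet-tracer input inside tcp 192.168.1.10 1025 198.51.100.1 80
!     -> NAT phase should show dynamic PAT to the outside interface address.
!   show xlate
!     -> inside<->dmz entries show the same real and mapped address.
```

The packet-tracer checks are the part to keep handy for the short installation window: each one reports which NAT rule a flow hits and whether the ACL allows it, so the identity static, the DMZ restriction and the Internet PAT can be confirmed in a minute without waiting for real traffic. This is the nat/global/static syntax the thread uses (ASA 8.2 and earlier); ASA 8.3 and later replaced it with object and twice NAT, so these lines do not carry over unchanged to newer code.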

ASKER CERTIFIED SOLUTION
Ken Boone