ASA static NAT 8.2 code

interface GigabitEthernet1/1
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0


interface GigabitEthernet1/2
 nameif BlueDMZ
 security-level 50
 ip address 50.50.50.1 255.255.255.0


Assume that I can't route 50.50.50.0/24 on my internal network. I have a route redistributed into the routing table to send 60.60.60.0/24 to the firewall.

I want a computer on the inside, 10.10.10.10, to send to 60.60.60.60 and, when it hits the firewall, static NAT the destination to 50.50.50.50.

How will the static NAT look?
trojan81 Asked:
JZeolla Commented:
# access-list nat-me permit ip host 50.50.50.50 host 10.10.10.10
# static (BlueDMZ,inside) 60.60.60.60 access-list nat-me

That'll do what you're asking. Let me know how it works.
 
harbor235 Commented:
Why do you want to NAT it? Just route it; use the identity NAT:

static (inside, BlueDMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

else

static (inside, BlueDMZ) 60.60.60.60 10.10.10.10 netmask 255.255.255.255


harbor235 ;}
 
harbor235 Commented:
Here is the correct command syntax for regular static NAT:

static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask]


Here is the policy NAT syntax that is incorrect in JZeolla's post, but the overall method is correct.

static (real_interface,mapped_interface) mapped_ip, access-list acl_name

Good link:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html


harbor235 ;}
 
trojan81 (Author) Commented:
harbor, the reason for doing this is assume I can't route 50.50.50.0/24.

I need to adjust this question... now I have to assume I can't route 50.50.50.0/24.

If I pick an unused IP on the inside interface (10.0.0.10) and NAT that to 50.50.50.50, would that work?

Meaning if I do this:

static (inside, BlueDMZ) 10.0.0.10 50.50.50.50 netmask 255.255.255.255


Would it accomplish this: user sends to 10.0.0.10, traffic hits the firewall and gets destination NAT'd to 50.50.50.50 and sent to BLUEDMZ?
 
JZeolla Commented:
@trojan81

Please use my configuration, it is valid.

@harbor235

My configuration is not incorrect... It is a policy-based static DESTINATION NAT. Please do not make misleading and inaccurate comments.

What it will do is this:
1. If 10.10.10.10 makes an outbound connection to 60.60.60.60, the destination 60.60.60.60 will be NATted to 50.50.50.50.
2. All traffic arriving inbound on the DMZ interface coming from 50.50.50.50, destined for 10.10.10.10, will be source NATted behind 60.60.60.60.

If you need a further explanation just let me know. Thanks,

JZeolla
 
trojan81 (Author) Commented:
JZeolla, yes your suggestion worked. Thank you!

I had the interfaces in the brackets backwards.

Also thank you too, Harbor!
 
harbor235 Commented:
That's nice, but it kind of defeats the purpose if a DMZ host can initiate a connection to the inside network. Inside to DMZ should be allowed and DMZ to outbound. DMZ can participate in a flow that was originated from the inside but it cannot originate one to the inside. Just because it works does not mean you should do it.

My config is source NAT and the connection must originate from the inside, and it works as well.


harbor235 ;}
 
JZeolla Commented:
@harbor235

That is not the role of NAT; NAT is only used to obfuscate and translate addresses (or not do so, with NAT exemptions). Controlling traffic should be done by ACLs. Also, it does not defeat the purpose of a DMZ; they are meant to RESTRICT access, not STOP access. There are tons of cases where DMZ servers would require traffic be initiated inbound.

Also, it doesn't matter if I set it up for inside to DMZ, or DMZ to inside; the rule would work both ways no matter how it's applied. Again, this is because it is not NAT's job to restrict traffic.

Finally, your configuration wouldn't even work in this situation, so I'm not sure why you're arguing. You posted a configuration that would either identity NAT (doesn't fix anything) or NAT the inside to 60.60.60.60, which also doesn't fix anything. You incorrectly analyzed the question and falsely accused my configuration of being wrong and you still got points. You should be happy.
Question has a verified solution.
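
The two things argued over in this thread, what the policy static rule translates and who may open a new connection, modelled as separate steps in Python. This is an added example, not code from any poster and not ASA syntax; the function names, the ACL tuple format and the no-ACL security-level default are assumptions of this simplified model.

```python
# Simplified model of the thread's rule, not ASA code:
#   access-list nat-me permit ip host 50.50.50.50 host 10.10.10.10
#   static (BlueDMZ,inside) 60.60.60.60 access-list nat-me
LEVEL = {"Inside": 100, "BlueDMZ": 50}   # security levels from the question
REAL, MAPPED, PEER = "50.50.50.50", "60.60.60.60", "10.10.10.10"


def translate(in_if, src, dst):
    """Return (src, dst) after the policy static rule is applied."""
    if in_if == "Inside" and src == PEER and dst == MAPPED:
        return src, REAL      # destination NAT toward the DMZ host
    if in_if == "BlueDMZ" and src == REAL and dst == PEER:
        return MAPPED, dst    # source NAT of the DMZ host's own traffic
    return src, dst           # nat-me did not match: no translation


def new_flow_allowed(in_if, out_if, src, dst, acl=()):
    """Decide whether a NEW connection may be opened; NAT plays no part.

    src/dst are the addresses as they arrive on in_if. acl is a tuple of
    (action, src, dst) entries bound inbound on in_if, first match wins,
    with "any" as a wildcard. Assumption of this model: with no ACL
    bound, only higher-to-lower security-level flows are allowed.
    """
    for action, a_src, a_dst in acl:
        if a_src in (src, "any") and a_dst in (dst, "any"):
            return action == "permit"
    if acl:
        return False          # implicit deny at the end of a bound ACL
    return LEVEL[in_if] > LEVEL[out_if]


if __name__ == "__main__":
    # Constructed sample flows using the thread's addresses.
    print(translate("Inside", PEER, MAPPED))      # inside host -> 60.60.60.60
    print(translate("BlueDMZ", REAL, PEER))       # DMZ host -> inside host
    print(new_flow_allowed("Inside", "BlueDMZ", PEER, MAPPED))
    print(new_flow_allowed("BlueDMZ", "Inside", REAL, PEER))
    dmz_acl = (("permit", REAL, PEER),)           # hypothetical ACL entry
    print(new_flow_allowed("BlueDMZ", "Inside", REAL, PEER, dmz_acl))
```

In the model, the translation exists in both directions, while a DMZ-initiated connection is only opened when an ACL entry permits it.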