Solved

ASA static NAT 8.2 code

Posted on 2012-03-29
8
1,500 Views
Last Modified: 2012-03-31
interface GigabitEthernet1/1
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0


interface GigabitEthernet1/2
 nameif BlueDMZ
 security-level 50
 ip address 50.50.50.1


Assume that I can't route 50.50.50.0/24 on my internal Network. I have a route redistributed into the routing table to send 60.60.60.0/24 to the Firewall.

I want a computer on the inside 10.10.10.10 to send to 60.60.60.60 and when it hits the firewall, static nat the destination to 50.50.50.50

How will the static NAT look?
0
Comment
Question by:trojan81
  • 3
  • 3
  • 2
8 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 37786744
Why do you want to NAT it, just route it? use the identity NAT

static (inside, BlueDMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

else

static (inside, BlueDMZ) 60.60.60.60 10.10.10.10 netmask 255.255.255.255


harbor235 ;}
0
 
LVL 4

Accepted Solution

by:
JZeolla earned 350 total points
ID: 37786752
# access-list nat-me permit ip host 50.50.50.50 host 10.10.10.10
# static (BlueDMZ,inside) 60.60.60.60 access-list nat-me

That'll do what you're asking.  Let me know how it works.
0
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 150 total points
ID: 37786810
Here is the correct command syntax for regular static NAT;

static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask]


Here is the policy NAT syntax that is incorrect in jzeolla post  but the overall method is correct.

static (real_interface,mapped_interface) mapped_ip, access-list acl_name

good link:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html


harbor235 ;}
0
 

Author Comment

by:trojan81
ID: 37787850
harbor, the reason for doing this is assume I can't route 50.50.50.0/24.

I need to adjust this question...now i have to assume I can't route 50.50.50.0/24.

If I pick an unused IP on the inside interface (10.0.0.10) and NAT that to 50.50.50.50 would that work?

Meaning if I do this:

static (inside, BlueDMZ) 10.0.0.10 50.50.50.50 netmask 255.255.255.255


Would it accomplish this: user sends to 10.0.0.10, traffic hits the firewall and gets destination NAT'd to 50.50.50.50 and sent to BLUEDMZ?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 4

Expert Comment

by:JZeolla
ID: 37787926
@trojan81

Please use my configuration, it is valid.  

@harbor235

My configuration is not incorrect... It is a policy based static DESTINATION NAT. Please do not make misleading and inaccurate comments.  

What it will do is this:
1. If 10.10.10.10 makes an outbound connection to 60.60.60.60, the destination 60.60.60.60 will be NATted to 50.50.50.50.
2. All traffic arriving inbound on the dmz interface coming from 50.50.50.50 destined for 10.10.10.10, will be source NATted behind 60.60.60.60.

If you need a further explanation just let me know.  Thanks,

JZeolla
0
 

Author Comment

by:trojan81
ID: 37788064
JZeolla, yes your suggestion worked. Thank you!

I had the interfaces in the brackets backwards.

Also thank you too, Harbor!
0
 
LVL 32

Expert Comment

by:harbor235
ID: 37788867
Thats nice, but it kind of defeats the purpose if a DMZ host can initiate a connection to the inside network. Inside to DMZ should be allowed and DMZ to outbound. DMZ can participate in a flow that was originated from the inside but it cannot originate one to the inside. Just because it works does not mean you should do it.

My config is source nat and the connection must originate from the inside, and it works as well.


harbor235 ;}
0
 
LVL 4

Expert Comment

by:JZeolla
ID: 37790846
@harbor235

That is not the role of NAT, NAT is only used to obfuscate and translate addresses (Or not do so, with NAT exemptions).  Controlling traffic should be done by ACLs.  Also, it does not defeat the purpose of a DMZ, they are meant to RESTRICT access not STOP access.  There are tons of cases where DMZ servers would require traffic be initiated inbound.  

Also, it doesn't matter if I set it up for inside to DMZ, or DMZ to inside the rule would work both ways no matter how it's applied.  Again, this is because it is not NAT's job to restrict traffic.  

Finally, your configuration wouldn't even work in this situation, so I'm not sure why you're arguing.  You posted a configuration that would either identity NAT (Doesn't fix anything) or NAT the inside to 60.60.60.60, which also doesn't fix anything.  You incorrectly analyzed the question and falsely accused my configuration of being wrong and you still got points.  You should be happy.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now