Solved

ASA static NAT 8.2 code

Posted on 2012-03-29
Last Modified: 2012-03-31
interface GigabitEthernet1/1
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0


interface GigabitEthernet1/2
 nameif BlueDMZ
 security-level 50
 ip address 50.50.50.1 255.255.255.0


Assume that I can't route 50.50.50.0/24 on my internal network. I have a route redistributed into the routing table to send 60.60.60.0/24 to the firewall.

I want a computer on the inside (10.10.10.10) to send to 60.60.60.60 and, when it hits the firewall, static NAT the destination to 50.50.50.50.

How will the static NAT look?
Question by:trojan81
8 Comments
 

Expert Comment

by:harbor235
ID: 37786744
Why do you want to NAT it, just route it? use the identity NAT

static (inside,BlueDMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

else

static (inside,BlueDMZ) 60.60.60.60 10.10.10.10 netmask 255.255.255.255


harbor235 ;}

Accepted Solution

by:
JZeolla earned 350 total points
ID: 37786752
access-list nat-me permit ip host 50.50.50.50 host 10.10.10.10
static (BlueDMZ,inside) 60.60.60.60 access-list nat-me

That'll do what you're asking.  Let me know how it works.

Assisted Solution

by:harbor235
harbor235 earned 150 total points
ID: 37786810
Here is the correct command syntax for regular static NAT;

static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask]


Here is the policy NAT syntax that is incorrect in JZeolla's post, but the overall method is correct.

static (real_interface,mapped_interface) mapped_ip, access-list acl_name

good link:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html


harbor235 ;}

Author Comment

by:trojan81
ID: 37787850
harbor, the reason for doing this is that I have to assume I can't route 50.50.50.0/24.

I need to adjust this question... now I have to assume I can't route 50.50.50.0/24.

If I pick an unused IP on the inside interface (10.0.0.10) and NAT that to 50.50.50.50 would that work?

Meaning if I do this:

static (inside,BlueDMZ) 10.0.0.10 50.50.50.50 netmask 255.255.255.255


Would it accomplish this: user sends to 10.0.0.10, traffic hits the firewall and gets destination NAT'd to 50.50.50.50 and sent to BLUEDMZ?

Expert Comment

by:JZeolla
ID: 37787926
@trojan81

Please use my configuration, it is valid.  

@harbor235

My configuration is not incorrect... It is a policy-based static DESTINATION NAT. Please do not make misleading and inaccurate comments.

What it will do is this:
1. If 10.10.10.10 makes an outbound connection to 60.60.60.60, the destination 60.60.60.60 will be NATted to 50.50.50.50.
2. All traffic arriving inbound on the dmz interface coming from 50.50.50.50 destined for 10.10.10.10, will be source NATted behind 60.60.60.60.

If you need a further explanation just let me know.  Thanks,

JZeolla
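A complete ASA 8.2 configuration for the scenario in this thread, added here as an illustration and not taken from either answer: it uses the accepted policy static NAT (real address 50.50.50.50 on BlueDMZ mapped to 60.60.60.60 on Inside, only for traffic involving 10.10.10.10), shows the regular static NAT form from harbor235's syntax note as the identity translation that becomes necessary when nat-control is enabled, and adds the interface ACL that keeps the DMZ host from originating connections inward, which is the point both experts agree belongs in an ACL rather than in NAT. The inside router next hop 10.0.0.2, the ACL name BlueDMZ_in, and the use of 10.0.0.0/8 as a summary of the internal address space are assumptions.

```cisco
! Added example for the thread's scenario (not from the original posts).
! Assumptions: next hop 10.0.0.2 toward 10.10.10.0/24, ACL name BlueDMZ_in,
! and 10.0.0.0/8 as the summary of everything behind the Inside interface.
interface GigabitEthernet1/1
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif BlueDMZ
 security-level 50
 ip address 50.50.50.1 255.255.255.0
!
! 10.10.10.10 is not on the connected subnet; reach it via the inside router.
route Inside 10.10.10.0 255.255.255.0 10.0.0.2
!
! Policy static NAT (8.2 syntax: no comma before "access-list").
! The ACL is written from the real interface's point of view: real source
! 50.50.50.50 on BlueDMZ, real destination 10.10.10.10 on Inside.
! Effect: Inside -> 60.60.60.60 is rewritten to 50.50.50.50; replies and any
! DMZ-originated traffic to 10.10.10.10 appear on Inside as 60.60.60.60.
access-list nat-me extended permit ip host 50.50.50.50 host 10.10.10.10
static (BlueDMZ,Inside) 60.60.60.60 access-list nat-me
!
! Caveat: with "nat-control" enabled, 10.10.10.10 also needs a translation to
! cross from Inside (100) to BlueDMZ (50). Identity NAT keeps its address:
! static (Inside,BlueDMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255
! (nat-control is off by default on an ASA, so this line is left commented.)
!
! The static is bidirectional, so the DMZ host could open connections to
! 10.10.10.10 through 60.60.60.60's reverse mapping. Restrict that with an
! interface ACL; the stateful connection table still lets replies to
! inside-initiated flows return without a permit here.
access-list BlueDMZ_in extended deny ip any 10.0.0.0 255.0.0.0
access-list BlueDMZ_in extended permit ip 50.50.50.0 255.255.255.0 any
access-group BlueDMZ_in in interface BlueDMZ
!
! Verification (run from exec mode, not part of the saved config):
! packet-tracer input Inside tcp 10.10.10.10 40000 60.60.60.60 80
! packet-tracer input BlueDMZ tcp 50.50.50.50 40000 10.10.10.10 445
! show xlate
```

The first packet-tracer run should show the NAT phase rewriting the destination to 50.50.50.50 and the packet leaving on BlueDMZ; the second should be dropped in the ACL phase by BlueDMZ_in, confirming that the translation works in both directions while only the inside side can open connections. `show xlate` lists the 50.50.50.50 to 60.60.60.60 entry once the first inside-initiated packet has passed.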

Author Comment

by:trojan81
ID: 37788064
JZeolla, yes your suggestion worked. Thank you!

I had the interfaces in the brackets backwards.

Also thank you too, Harbor!

Expert Comment

by:harbor235
ID: 37788867
That's nice, but it kind of defeats the purpose if a DMZ host can initiate a connection to the inside network. Inside to DMZ should be allowed, and DMZ to outbound. DMZ can participate in a flow that was originated from the inside, but it cannot originate one to the inside. Just because it works does not mean you should do it.

My config is source nat and the connection must originate from the inside, and it works as well.


harbor235 ;}

Expert Comment

by:JZeolla
ID: 37790846
@harbor235

That is not the role of NAT, NAT is only used to obfuscate and translate addresses (Or not do so, with NAT exemptions).  Controlling traffic should be done by ACLs.  Also, it does not defeat the purpose of a DMZ, they are meant to RESTRICT access not STOP access.  There are tons of cases where DMZ servers would require traffic be initiated inbound.  

Also, it doesn't matter if I set it up for inside to DMZ, or DMZ to inside the rule would work both ways no matter how it's applied.  Again, this is because it is not NAT's job to restrict traffic.  

Finally, your configuration wouldn't even work in this situation, so I'm not sure why you're arguing.  You posted a configuration that would either identity NAT (Doesn't fix anything) or NAT the inside to 60.60.60.60, which also doesn't fix anything.  You incorrectly analyzed the question and falsely accused my configuration of being wrong and you still got points.  You should be happy.