Solved

ASA static NAT 8.2 code

Posted on 2012-03-29
Last Modified: 2012-03-31
interface GigabitEthernet1/1
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0


interface GigabitEthernet1/2
 nameif BlueDMZ
 security-level 50
 ip address 50.50.50.1


Assume that I can't route 50.50.50.0/24 on my internal network. I have a route redistributed into the routing table to send 60.60.60.0/24 to the firewall.

I want a computer on the inside, 10.10.10.10, to send to 60.60.60.60 and, when it hits the firewall, static NAT the destination to 50.50.50.50.

How will the static NAT look?
Question by:trojan81
8 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 37786744
Why do you want to NAT it? Just route it. Use the identity NAT:

static (inside, BlueDMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

else

static (inside, BlueDMZ) 60.60.60.60 10.10.10.10 netmask 255.255.255.255


harbor235 ;}
LVL 4

Accepted Solution

by:
JZeolla earned 350 total points
ID: 37786752
# access-list nat-me permit ip host 50.50.50.50 host 10.10.10.10
# static (BlueDMZ,inside) 60.60.60.60 access-list nat-me

That'll do what you're asking.  Let me know how it works.
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 150 total points
ID: 37786810
Here is the correct command syntax for regular static NAT:

static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask]


Here is the policy NAT syntax that is incorrect in JZeolla's post, but the overall method is correct.

static (real_interface,mapped_interface) mapped_ip, access-list acl_name

good link:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html


harbor235 ;}
Author Comment

by:trojan81
ID: 37787850
harbor, the reason for doing this is assume I can't route 50.50.50.0/24.

I need to adjust this question... now I have to assume I can't route 50.50.50.0/24.

If I pick an unused IP on the inside interface (10.0.0.10) and NAT that to 50.50.50.50 would that work?

Meaning if I do this:

static (inside, BlueDMZ) 10.0.0.10 50.50.50.50 netmask 255.255.255.255


Would it accomplish this: user sends to 10.0.0.10, traffic hits the firewall and gets destination NAT'd to 50.50.50.50 and sent to BLUEDMZ?
LVL 4

Expert Comment

by:JZeolla
ID: 37787926
@trojan81

Please use my configuration, it is valid.

@harbor235

My configuration is not incorrect... It is a policy-based static DESTINATION NAT. Please do not make misleading and inaccurate comments.

What it will do is this:
1. If 10.10.10.10 makes an outbound connection to 60.60.60.60, the destination 60.60.60.60 will be NATted to 50.50.50.50.
2. All traffic arriving inbound on the dmz interface coming from 50.50.50.50 destined for 10.10.10.10, will be source NATted behind 60.60.60.60.

If you need a further explanation just let me know.  Thanks,

JZeolla
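To make the two-direction behaviour described above concrete, here is an added example (constructed for this page, not code from the thread or from Cisco) that models the accepted answer's ASA 8.2 policy static NAT in Python. It assumes a simplified first-match ACL model and a constructed BlueDMZ inbound ACL; the point is that the static translates in both directions and that an interface ACL, not the NAT rule, decides whether a DMZ host may open a connection inward.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed model of the accepted answer's ASA 8.2 policy static NAT:
#   access-list nat-me permit ip host 50.50.50.50 host 10.10.10.10
#   static (BlueDMZ,inside) 60.60.60.60 access-list nat-me
# The nat-me ACL is written from the real (BlueDMZ) side: real host -> inside peer.

Entry = Tuple[str, str, str]  # (action, src_net, dst_net); first match wins


@dataclass(frozen=True)
class PolicyStatic:
    real_if: str
    mapped_if: str
    mapped_ip: str
    acl: Tuple[Tuple[str, str], ...]  # (real_host, peer_network) pairs from nat-me


def translate(rule: PolicyStatic, in_if: str, src: str, dst: str) -> Optional[Tuple[str, str]]:
    """(src, dst) after NAT for a packet entering in_if, or None if the static does not apply.
    Both directions are modelled, because a static is bidirectional."""
    if in_if == rule.mapped_if and dst == rule.mapped_ip:
        # Inside host sends to 60.60.60.60: destination is rewritten to the real DMZ host.
        for real_host, peer in rule.acl:
            if ip_address(src) in ip_network(peer):
                return (src, real_host)
    if in_if == rule.real_if:
        # DMZ host sends to the inside peer: its source is hidden behind 60.60.60.60.
        for real_host, peer in rule.acl:
            if src == real_host and ip_address(dst) in ip_network(peer):
                return (rule.mapped_ip, dst)
    return None


def permitted(acl: Tuple[Entry, ...], src: str, dst: str) -> bool:
    """Interface ACL (access-group) evaluated on the untranslated packet: this, not NAT,
    decides whether a DMZ host may originate a connection toward the inside."""
    for action, s, d in acl:
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return action == "permit"
    return False  # implicit deny at the end of every ASA ACL


NAT_ME = PolicyStatic("BlueDMZ", "inside", "60.60.60.60", (("50.50.50.50", "10.10.10.10/32"),))
# Constructed BlueDMZ inbound ACL (assumption): DMZ may reach anything except inside.
BLUEDMZ_IN: Tuple[Entry, ...] = (("deny", "50.50.50.0/24", "10.0.0.0/8"),
                                 ("permit", "50.50.50.0/24", "0.0.0.0/0"))

if __name__ == "__main__":
    print(translate(NAT_ME, "inside", "10.10.10.10", "60.60.60.60"))   # ('10.10.10.10', '50.50.50.50')
    print(translate(NAT_ME, "BlueDMZ", "50.50.50.50", "10.10.10.10"))  # ('60.60.60.60', '10.10.10.10')
    print(permitted(BLUEDMZ_IN, "50.50.50.50", "10.10.10.10"))         # False
```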

Author Comment

by:trojan81
ID: 37788064
JZeolla, yes your suggestion worked. Thank you!

I had the interfaces in the brackets backwards.

Also thank you too, Harbor!
LVL 32

Expert Comment

by:harbor235
ID: 37788867
That's nice, but it kind of defeats the purpose if a DMZ host can initiate a connection to the inside network. Inside to DMZ should be allowed, and DMZ to outbound. DMZ can participate in a flow that was originated from the inside, but it cannot originate one to the inside. Just because it works does not mean you should do it.

My config is source NAT and the connection must originate from the inside, and it works as well.


harbor235 ;}
LVL 4

Expert Comment

by:JZeolla
ID: 37790846
@harbor235

That is not the role of NAT; NAT is only used to obfuscate and translate addresses (or not do so, with NAT exemptions). Controlling traffic should be done by ACLs. Also, it does not defeat the purpose of a DMZ; they are meant to RESTRICT access, not STOP access. There are tons of cases where DMZ servers would require traffic be initiated inbound.

Also, it doesn't matter if I set it up for inside to DMZ or DMZ to inside; the rule would work both ways no matter how it's applied. Again, this is because it is not NAT's job to restrict traffic.

Finally, your configuration wouldn't even work in this situation, so I'm not sure why you're arguing. You posted a configuration that would either identity NAT (doesn't fix anything) or NAT the inside to 60.60.60.60, which also doesn't fix anything. You incorrectly analyzed the question and falsely accused my configuration of being wrong, and you still got points. You should be happy.