Transparent DMZ NAT?

Hello, 
I am trying to convert the pre-8.3 config to 9.2, and the configuration on our old firewall makes no sense to me. Would someone explain what is going on here?
Basically the configuration is pretty basic: one outside interface and two DMZ interfaces, olddmz and newdmz.
interface GigabitEthernet0/0
 description outside
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address x.x.6.243 255.255.255.248 standby x.x.6.244
interface GigabitEthernet0/2
 description legacy prod
 speed 1000
 duplex full
 nameif olddmz
 security-level 50
 ip address x.x.9.65 255.255.255.240 standby x.x.9.66
interface GigabitEthernet1/1
 description new prod
 speed 1000
 duplex full
 nameif newdmz
 security-level 50
 ip address x.x.33.163 255.255.255.224 standby x.x.33.164
global (outside) 1 x.x.6.245 netmask 255.255.255.248
static (olddmz,outside) x.x.9.64 x.x.9.64 netmask 255.255.255.240
access-group OUTSIDE in interface outside
access-group OLDDMZ in interface olddmz
route outside 0.0.0.0 0.0.0.0 x.x.6.241 1
There are no other NAT-related entries anywhere, and devices on the DMZ interfaces are routed transparently with their DMZ subnet IP addresses to the outside. I also do not see a single mention of newdmz being routed or NATed in any way... How does that work?
How do I achieve this with a post-8.3 configuration? Either I am missing something fundamental, or I do not see a way to NAT an entire subnet to the outside.
nat (olddmz,outside) static X.X.X.X
does not allow me to add the entire subnet. Do I need to manually specify each NAT object?
Thank you

First off, do you only have public IPs on your olddmz and newdmz networks? If so, you do not need NAT on your firewall. Previously, in versions earlier than 8.2, you were required to use NAT to allow traffic through the ASA/PIX; that was removed completely in version 8.4. So unless you have a private IP address space that should be NATed for internet access, NAT is not needed.
But to answer your question:
How do I achieve this with a post-8.3 configuration? Either I am missing something fundamental, or I do not see a way to NAT an entire subnet to the outside.
nat (olddmz,outside) static X.X.X.X
This configuration would translate to the following:
object network IP1
  subnet x.x.9.64 255.255.255.240
object network IP2
  subnet x.x.9.64 255.255.255.240
  nat (olddmz,outside) static IP1
Please remember to select a correct answer and rate helpful posts
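The migration the question asks about, as an added example that is not from this thread or from Cisco: a small Python converter that rewrites the legacy `static` and `nat`/`global` forms quoted above into 8.3+ object NAT. On the old box the identity `static (olddmz,outside)` was only needed if `nat-control` was enabled or another rule would otherwise have translated the subnet; with neither in play, traffic through `newdmz` passed untranslated, which is why nothing mentions it, and 8.3+ behaves the same way. A subnet static gets a same-sized mapped object, as the answer shows, because the inline mapped argument is a single host; `nat ... 0` exemption lines and `global` lines with no matching `nat` are flagged for manual handling rather than converted. The `obj-*` names, the `LEGACY` sample (RFC 5737 addresses, since the thread's `x.x.` placeholders do not parse) and the one-object-per-mapped-interface layout are my assumptions.

```python
"""Rewrite pre-8.3 ASA NAT lines (static / nat + global) as 8.3+ object NAT."""
import ipaddress
import re
from collections import defaultdict

STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\S+))?")
NAT_RE = re.compile(r"^nat\s+\((?P<real_if>[\w-]+)\)\s+(?P<id>\d+)\s+(?P<rest>.+)$")
GLOBAL_RE = re.compile(r"^global\s+\((?P<mapped_if>[\w-]+)\)\s+(?P<id>\d+)\s+(?P<mapped>\S+)")

# Constructed sample (RFC 5737 addresses) shaped like the legacy lines quoted on this page.
LEGACY = """\
global (outside) 1 198.51.100.245 netmask 255.255.255.248
global (outside) 5 interface
static (olddmz,outside) 203.0.113.64 203.0.113.64 netmask 255.255.255.240
static (dmz,outside) 198.51.100.246 192.168.1.80 netmask 255.255.255.255
nat (inside) 1 10.1.0.0 255.255.240.0
nat (inside) 0 access-list NoNat_Inside
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _object(name, net):
    # An 'object network' block: a /32 becomes host, anything else subnet.
    if net.prefixlen == 32:
        return [f"object network {name}", f" host {net.network_address}"]
    return [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]

def convert_static(m):
    mask = m["mask"] or "255.255.255.255"  # legacy default when netmask is omitted
    real, mapped = _net(m["real"], mask), _net(m["mapped"], mask)
    name = f"obj-{real.network_address}_{real.prefixlen}"  # assumed naming scheme
    out = _object(name, real)
    if real.prefixlen == 32:  # host static: an inline mapped address is accepted
        out.append(f" nat ({m['real_if']},{m['mapped_if']}) static {mapped.network_address}")
        return out
    # Subnet static: the inline mapped argument is a single host, so a whole subnet
    # needs a same-sized mapped object (identity NAT when real == mapped).
    mapped_name = f"{name}-mapped"
    return (_object(mapped_name, mapped) + out
            + [f" nat ({m['real_if']},{m['mapped_if']}) static {mapped_name}"])

def convert_dynamic(nats, globs):
    out, used = [], set()
    by_id = defaultdict(list)
    for g in globs:
        by_id[g["id"]].append(g)
    for n in nats:
        if n["id"] == "0":  # nat 0 = exemption; in 8.3+ that is a twice-NAT identity rule
            out.append(f"! nat ({n['real_if']}) 0 {n['rest']}: exemption, rewrite as "
                       "twice NAT identity (source static A A destination static B B)")
            continue
        real = _net(*n["rest"].split()[:2])
        per_if = defaultdict(list)
        for g in by_id.get(n["id"], []):
            per_if[g["mapped_if"]].append(g["mapped"])
        for mapped_if, pools in per_if.items():  # one object per (real net, mapped ifc)
            used.add(n["id"])
            name = f"obj-{real.network_address}_{real.prefixlen}-{mapped_if}"
            mapped = []
            addrs = [p for p in pools if p != "interface"]
            if addrs:
                lo, _, hi = addrs[0].partition("-")
                if hi:  # an address pool -> dynamic NAT through a range object
                    out += [f"object network {name}-pool", f" range {lo} {hi}"]
                    mapped.append(f"{name}-pool")
                else:   # a single global address -> dynamic PAT to that address
                    mapped.append(lo)
            if "interface" in pools:  # interface PAT, or the fallback after a pool
                mapped.append("interface")
            out += _object(name, real)
            out.append(f" nat ({n['real_if']},{mapped_if}) dynamic {' '.join(mapped)}")
    for gid, gs in by_id.items():
        for g in (gs if gid not in used else []):
            out.append(f"! global ({g['mapped_if']}) {gid} {g['mapped']} has no matching "
                       f"'nat (...) {gid}' line: unused, nothing to migrate")
    return out

def convert(config_text):
    nats, globs, out = [], [], []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if (m := STATIC_RE.match(line)):
            out += convert_static(m)
        elif (m := NAT_RE.match(line)):
            nats.append(m)
        elif (m := GLOBAL_RE.match(line)):
            globs.append(m)
        elif line.startswith(("static ", "nat ", "global ")):
            out.append(f"! unhandled, migrate by hand: {line}")
    out += convert_dynamic(nats, globs)
    out.append("! 8.3+: interface ACLs must match REAL (untranslated) addresses")
    return "\n".join(out)
```

`print(convert(LEGACY))` gives the object blocks in paste-in order (the mapped object before the real object that references it). For identity NAT you can equally write one twice-NAT line, `nat (olddmz,outside) source static IP1 IP1`, and in 8.3+ you need neither unless another rule would otherwise translate the subnet. The one thing the script cannot do for you is rewrite the interface ACLs, which from 8.3 on must match the real addresses rather than the mapped ones.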

Similar Messages

  • Want to push my home network behind a WRVS4400N DMZ

    Hello all,
    I've got a pretty typical setup with my DSL modem hooked to my WRT54GS, which is the gateway for my home network, both wired and not. I have received a block of static IPs from my ISP and I now want to build a DMZ in "front" of my home network. Here's what I envision:
            Internet
                |
            DSL Modem
                |
            WRVS4400N V.2  (no NAT, no DHCP, intrusion detection and firewall only) static IP on both sides of the router
                |
             DMZ (all static IP)
                |
            WRT54GS (static IP facing the DMZ, NAT, DHCP, etc behind the router)
    Does this look like a good design?  Is there anything I need to watch for to "push" my current home lan behind my new DMZ?  I'll have wireless (3 different SSID's) at each router (including the DSL modem which will have firewall, nat, etc turned off).
    Thanks for the help.
         - Jeff

    Jeff, based on your description and setup diagram, that looks just fine. With the WRT54G on the DMZ with the firewall on, you will be just fine.

  • DNS required for NAT and DHCP services?

    I have a 10.6.2 server with a static IP, domain name, working as a gateway (I have my reasons) as well as providing some services inside and outside. My ISP has a PTR setup so the domain points to the static IP.
    My question is, do I need the DNS service running on the server? Based on some of the docs it tells me to put my ISPs DNS servers in both of my servers ethernet port settings, as well as in the DHCP profile to give out to clients on the network. When I do this, clients cannot resolve names. I can ping IPs from the client, I can even ping my ISPs DNS servers from clients, but I can't resolve names. When I try to dig anything it just hangs there with a blinky cursor.
    When I have the DNS service running it's all happy. The only thing is, clients on the LAN experience some serious lag when accessing services on the server, UNLESS I configure the DNS for my domain on the server with both internal and external IP addresses. Is that how it is supposed to be?

    In the server zone files, the dedicated IP address should point to the machine name, as in name.someserver.com. The local IP address should point to name.local. If you have more than one domain name, the zone files should show their network IP address, not the dedicated IP address, which should only point to the machine name.
    As a side note, I strongly advise against connecting a server directly to the Internet. It should be behind a router with DMZ/NAT/firewall capabilities. By the time you realize why, it will be too late.

  • Nat (inside) 0 access-list NoNAT_inside

    Can someone explain what the following does on my PIX firewall:
    nat (inside) 0 access-list NoNat_Inside
    access-list NoNat_Inside line 1 permit ip lan 255.255.0.0 dmz 255.255.255.0
    Lan = 10.10.0.0
    DMZ= 172.172.172.0
    I am under the impression it denies the DMZ from being NATed, as I can't access the internet directly from a server within the DMZ.
    Kind regards,
    Jake

    That exempts traffic from the LAN to the DMZ, and vice versa, from being NATed.
    If you would like to access the internet from a server in the DMZ, then you would need to configure a NAT statement on the DMZ:
    nat (dmz) 1 172.172.172.0 255.255.255.0
    This assumes that you already have a "global (outside) 1 interface" or "global (outside) 1 " command.

  • ASA supports NAT in bridge mode??

    Anyone know if an ASA supports NAT in bridge mode? Especially the 5580 series?

    Hi Hans,
    Yes it does, from version 8.0 and higher.
    Unsupported Features
    These features are not supported in transparent mode:
    NAT/PAT
    NAT is performed on the upstream router.
    Note: Starting with ASA/PIX 8.0(2), NAT/PAT is supported in the transparent firewall.
    Here is the document:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#visits
    Mike

  • Opinions on where to locate an Airport Extreme with a XServe

    I've been laying out a new network scheme for a soon to arriving Mac Server and an Airport Extreme. There are 2 ways that this can be done:
    1. Cable Modem to a DMZ setup on the Xserve, and the Airport Extreme used in bridge mode. The Xserve would then run all of the NAT, DHCP, and Firewall Service. This is how our current Windows Network is set up through an ISA Server.
    2. Use the Airport Extreme as the DMZ, NAT, and DHCP. The rest of the clients would then reside on a 24 port switch that is connected to the Airport Extreme. There would also be port mapping for the mail, website, maybe VPN. I'm leaning towards this at the moment.
    Any opinions on which way you would go? I have the luxury also of being able to deploy this completely in a "testing" state, so I have time on my side to work out the bugs.

    I ended up using option 3: configuring a separate firewall on the most recent installation I worked on, with a third IP widget.
    The Airport Extreme is a good home firewall, but was (for servers) fairly limited in its ability to provide port forwarding. The third (firewall) widget provides the net connection, and the rest of the network (or networks, if the firewall has DMZ capabilities) and the Airport Extreme are set up behind it.
    Yes, Xserve can be used for routing (e.g. as a firewall), but read up on how to configure the default route for multiple-NIC servers. There have been previous discussions of this here in the forum. The downside of using Xserve as a firewall is that if you or something you install happens to open up a port, you can end up open to the network. And if the Xserve happens to be down for some reason (maintenance, upgrades), you can lose your path out of the LAN.
    Firewall options include Smoothwall and M0n0wall, and various "pro-sumer" firewall products.
    The third widget also made IP connections easy; it's the gateway. But if the IP port forwarding on Airport Extreme is sufficient for your requirements, go for it.

  • EA4500 on Sniper Hill ISP is not working so far, any ideas??

    Hello everybody, I am deployed to Afghanistan. The ISP provided on the base is called Sniper Hill. The basic setup is there are CAT5e drops in every room. You plug in, and it is all web based to pay for and sign in to the service. Other people have successfully connected their routers made by other manufacturers, so why won't the EA4500 connect? I've tried a lot of different ideas from reading different stuff round the net, including the forums here. The problem starts after I sign in. When I open Explorer I get the normal redirect to the sign-in page. Once I sign in, it's like the connection dies. I've seen a lot of suggestions that the server is picking up on a router on their network and blocks everything. I've tried MAC address clone, fixed IP, DMZ, NAT off, using the different connection types versus plain old Dynamic IP. Anyone got any ideas? The only thing I can tell you about the other routers people are using is they are a European version; you can tell by the plug that comes on them. I don't want to have to buy another router to use here. I'll keep this one and use it at home for sure, but I'd like to use it here. Thanks

    Correct me if I'm wrong, you've tried to set up the router using the CD that came w/it right? If that did not work then please try to set the router manually. Click the link below to check on how to install the router manually. http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&vw=1&articleid=22734

  • DNS different for internet and both iTunes

    Trying to troubleshoot internet connectivity problems with Chrome, Firefox and Safari.
    1. Is DNS for Internet the same for iTunes and App Store?
    2. What would cause all 3 browsers to not find any website (google, yahoo)

  • What is causing ASA 5520 v8.4 error 305006 for DNS traffic?

    I implemented transparent mode NAT in single context mode on an ASA 5520 v8.4. Some connections are working well, but I am seeing others unable to resolve DNS. I am seeing a lot of the following error messages:
    Syslog ID 305006 regular translation creation failed for udp src inside: 10.x.x.x/x des outside:192.168.1.3/53
    Any ideas on what I might look for as possible errors in my configuration?

  • ACE SNAT Problem

    I currently have 2 NAT policies that work fine. I'm trying to add the 3rd, but it's not working.
    I'm pretty sure the config is correct, but I'm not sure if I can only have 1 SNAT policy per interface.
    - NAT policy SNATs anything coming in externally except SMTP and FTP.
    - NAT-EMAIL policy SNATs anything coming in externally to go back out VLAN 215 to our internal LAN.
    - NAT-DMZ policy is supposed to allow communication between the 204 VLAN and the 215 VIPs, but it doesn't work.
    So the service policy NAT-DMZ on VLAN 204 should intercept traffic destined for 10.10.215.0 and SNAT all of it to 10.10.215.88, I believe, but it's not working.
    Any thoughts, or am I missing something?
    access-list NAT line 10 extended deny tcp any any eq smtp
    access-list NAT line 12 extended deny tcp any any eq ftp
    access-list NAT line 13 extended deny tcp any any eq ftp-data
    access-list NAT line 100 extended permit tcp any any eq www
    access-list NAT line 110 extended permit tcp any any eq https
    access-list NAT line 118 extended permit udp any any eq domain
    access-list NAT line 126 extended permit tcp any any eq domain
    access-list NAT line 134 extended permit tcp any any eq smtp
    access-list NAT line 142 extended permit tcp any any eq 20022
    access-list NAT-DMZ line 8 extended permit tcp any 10.10.215.0 255.255.255.0
    access-list NAT-DMZ line 16 extended permit udp any 10.10.215.0 255.255.255.0
    access-list NAT-DMZ line 24 extended permit tcp 10.10.215.0 255.255.255.0 any
    access-list NAT-DMZ line 32 extended permit udp 10.10.215.0 255.255.255.0 any
    access-list NAT-DMZ line 40 extended permit icmp any 10.10.215.0 255.255.255.0
    access-list NAT-DMZ line 48 extended permit icmp 10.10.215.0 255.255.255.0 any
    access-list NAT-EMAIL line 8 extended permit tcp any any eq www
    access-list NAT-EMAIL line 16 extended permit tcp any any eq https
    class-map match-any NAT
    2 match access-list NAT
    class-map match-any NAT-DMZ
    2 match access-list NAT-DMZ
    class-map match-any NAT-EMAIL
    2 match access-list NAT-EMAIL
    policy-map multi-match NAT
    class NAT
    nat dynamic 1 vlan 204
    policy-map multi-match NAT-DMZ
    class NAT-DMZ
    nat dynamic 5 vlan 215
    policy-map multi-match NAT_EMAIL
    class NAT-EMAIL
    nat dynamic 10 vlan 215
    policy-map multi-match VIPS
    class email.microchip.com_80_vs
    loadbalance vip inservice
    loadbalance policy email.microchip.com_80_l7slb
    loadbalance vip icmp-reply
    nat dynamic 10 vlan 215
    class email.microchip.com_443_vs
    loadbalance vip inservice
    loadbalance policy email.microchip.com_443_l7slb
    loadbalance vip icmp-reply
    nat dynamic 10 vlan 215
    appl-parameter http advanced-options HTTP-PARAM
    ssl-proxy server email.microchip.com_allSSL
    interface vlan 204
    description WEBDMZ
    ip address 10.10.204.50 255.255.255.0
    alias 10.10.204.1 255.255.255.0
    peer ip address 10.10.204.3 255.255.255.0
    access-group input EVERYONE
    nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat <--Works
    service-policy input NAT-DMZ <--Doesn't work
    no shutdown
    interface vlan 215
    description WebDMZ External Interface
    ip address 10.10.215.11 255.255.255.0
    alias 10.10.215.10 255.255.255.0
    peer ip address 10.10.215.12 255.255.255.0
    access-group input EXTERNAL
    nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat <--Works
    nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat <--Doesn't work
    service-policy input Management-Policy
    service-policy input VIPS
    service-policy input NAT
    no shutdown

    Tried that, but the only difference was that I added NAT-DMZ to NAT-EMAIL instead. Just easier for me that way, but it didn't work.
    access-list NAT-DMZ line 56 extended permit tcp any host 10.10.215.210
    access-list NAT-DMZ line 64 extended permit tcp host 10.10.215.210 any
    access-list NAT-DMZ line 72 extended permit udp any host 10.10.215.210
    access-list NAT-DMZ line 80 extended permit udp host 10.10.215.210 any
    access-list NAT-EMAIL line 8 extended permit tcp any any eq www
    access-list NAT-EMAIL line 16 extended permit tcp any any eq https
    policy-map multi-match NAT_EMAIL
    class NAT-DMZ
    nat dynamic 5 vlan 215
    class NAT-EMAIL
    nat dynamic 10 vlan 215
    interface vlan 204
    description WEBDMZ
    ip address 10.10.204.50 255.255.255.0
    alias 10.10.204.1 255.255.255.0
    peer ip address 10.10.204.3 255.255.255.0
    access-group input EVERYONE
    nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat
    service-policy input NAT_EMAIL
    no shutdown
    interface vlan 215
    description WebDMZ External Interface
    ip address 10.10.215.11 255.255.255.0
    alias 10.10.215.10 255.255.255.0
    peer ip address 10.10.215.12 255.255.255.0
    access-group input EXTERNAL
    nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
    nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
    service-policy input Management-Policy
    service-policy input VIPS
    service-policy input NAT
    no shutdown
    I tested from a host in 10.10.204.x to 10.10.215.210, but it didn't work. I tested to 10.10.215.210 from the outside (VLAN 215) and it does work, so I know the VIP works and is taking connections.

  • ASA GNS3 project working

    Hi,
    Does anyone have a ASA GNS3 working project?
    I configured one, but I'm not having much success in making things work. I'm following Cisco materials, but very strangely, simple things don't work.
    So I need to know what the problem is: my installation of ASA, my installation of GNS3, or my skills.
    Kind Regards,
    António

    Hi Jouni,
    At this moment I'm experiencing a problem with NAT. Can you check this, please?
    Network Diagram:
    ASA configs:
    : Saved
    : Written by enable_15 at 19:26:55.559 UTC Wed Sep 4 2013
    ASA Version 8.4(2)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0
    nameif outside
    security-level 0
    ip address 62.28.190.66 255.255.255.252
    interface GigabitEthernet1
    shutdown
    no nameif
    security-level 0
    no ip address
    interface GigabitEthernet2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet3
    nameif dmz
    security-level 70
    ip address 192.168.100.254 255.255.255.0
    interface GigabitEthernet4
    nameif inside
    security-level 100
    ip address 192.168.200.254 255.255.255.0
    interface GigabitEthernet5
    shutdown
    no nameif
    no security-level
    no ip address
    no ftp mode passive
    object network Net-Inside
    subnet 192.168.200.0 255.255.255.0
    object network Net-Dmz
    subnet 192.168.100.0 255.255.255.0
    object network webserver-dmz
    host 192.168.100.1
    access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq www
    access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq https
    access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq whois
    access-list OUTSIDE_DMZ_WEB extended permit icmp any host 192.168.100.1
    pager lines 24
    mtu outside 1500
    mtu dmz 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-702.bin
    no asdm history enable
    arp timeout 14400
    object network Net-Inside
    nat (inside,outside) dynamic interface
    object network Net-Dmz
    nat (dmz,outside) dynamic interface
    object network webserver-dmz
    nat (dmz,outside) static interface service tcp www www
    access-group OUTSIDE_DMZ_WEB in interface outside
    route outside 10.0.0.0 255.255.255.0 62.28.190.65 1
    route inside 192.168.15.0 255.255.255.0 192.168.200.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    no threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:cb29abf617f52ce87c186e7aacc36cb5
    : end
    Packet tracer for ICMP from outside to DMZ
    Packet tracer for HTTP from outside to DMZ will be posted in another message; the insert-picture function crashed.

  • How to configure DMZ access for ftp/https without NAT

    I have a closed network that is not connected to the internet, just other sites that we want to communicate with. We have a Cisco router connected to the outside interface on an ASA5505 and a Cisco router connected to the inside interface on the same ASA5505. I have an inside interface that connects our management LAN, five separate DMZ interfaces with a separate LAN (VLAN) on each DMZ interface, and the outside interface that connects to the other sites. Data is not allowed to mingle between the five DMZs.
    All connections to the other separate nodes are handled with the router on the external interface. IPsec GRE tunnels have been established between all sites and BGP routing has been verified. Pings are good between inside, DMZ and external interfaces and between the DMZs and the other sites, including hosts on our local networks and hosts at the remote sites. Inter- and intra-interface traffic is enabled.
    When a remote site attempts an HTTPS connection, the initial ACK handshake makes it through the ASA5505, but the return SYN/ACK is being knocked down and I don't understand why (it is not because of ACLs; they are any any at this point).
    Looking for some ideas on why the return SYN/ACK to the remote site isn't getting through the ASA5505 outbound. Will probably have the same issue with FTP, but right now I'm just trying to solve one problem at a time.
    ASA5505 is in routed mode, not looking to NAT since the IP addresses in the DMZ need to be reached by their real IP address.
    Thanks,

    When I use packet-tracer in both directions with the endpoint IPs, it works; all phases show allowed. I see the hits against the ACLs that show the packet entering the outside interface of the ASA and the build-up of the connection, so the initial step of the external host's ACK is reaching the web server in the DMZ. I see the hits against the incoming DMZ interface from the web server, and then the log shows that the SYN/ACK is not in the state table and drops the outgoing packet. Since there is no outgoing SYN/ACK, there is no three-way handshake, no login prompt, and no web page to the endpoint.
    I even changed the security settings on the outside interface to match the DMZ, enabled the inter and intra connections and that didn't work.  ACL's on the incoming and outgoing outside and DMZ interfaces have any any tcp and any any ip but still the same result.
    DMZ hosts point to the ASA.  ASA points to external router on the outside interface.  Pings all work fine.  Tried ACL's at the top with port 443, but no hits on that.  Even tried bypass with the same result.  The initial packet from the external host doesn't seem to enter the state table so that when the host sends the reply (SYN/ACK) the ASA knocks it down.
    Also tried twice NAT with static source/destination/port so that what comes in should be what is sent to the DMZ.
    If I understand this device, I should have a rule that lets traffic in the outside interface from the external networks, a rule that allows DMZ traffic out the outside interface, a rule that allows external traffic in the DMZ and a rule that allows DMZ internal traffic back out to the external interface.
    Still fuzzy on exactly how the data goes between the outside and the DMZ interfaces. 
    Is there something else I need to do or define to use HTTPS?  I see that HTTP is defined and also has inspection rules.
    I can try the captures tomorrow at work.
    Thanks, for any pointers you can provide me.
    Peyton
    This is my first, painful experience with the ASA. 

  • Static NAT refresh and best practice with inside and DMZ

    I've been out of the firewall game for a while and now have been re-tasked with some configuration, both updating ASAs to 8.4 and making some new services available. So I've dug into refreshing my knowledge of NAT operation and have a question based on best practice, and would like a sanity check.
    This is a very basic, I apologize in advance. I just need the cobwebs dusted off.
    The scenario is this: If I have an SQL server on an inside network that a DMZ host needs access to, is it best to present the inside (SQL server in this example) IP via static to the DMZ or the DMZ (SQL client in this example) with static to the inside?
    I think it's to present the higher-security resource into the lower-security network. For example, when a service from the DMZ is made available to the outside/public, the real IP from the higher-security interface is mapped to the lower.
    So I would think the same would apply to the inside/DMZ, making 'static (inside,dmz)' the 'proper' method for the pre 8.3 and this for 8.3 and up:
    object network insideSQLIP
    host xx.xx.xx.xx
    nat (inside,dmz) static yy.yy.yy.yy
    Am I on the right track?

    Hello Rgnelson,
    It is not related to the security level of the zone; instead, it is about what the behavior should be. What I mean is, for
    nat (inside,dmz) static yy.yy.yy.yy
    - Any traffic hitting translated address yy.yy.yy.yy on the dmz zone should be re-directed to the host xx.xx.xx.xx on the inside interface.
    - Traffic initiated from the real host xx.xx.xx.xx should be translated to yy.yy.yy.yy if the host accesses any resources on the DMZ interface.
    If you reverse it to (dmz,inside) the behavior will be reversed as well, so if you need to translate the address from the DMZ interface going to the inside interface you should use (dmz,inside).
    For your case I would say the common approach, since the server is in the INSIDE zone, is to configure
    object network insideSQLIP
    host xx.xx.xx.xx
    nat (inside,dmz) static yy.yy.yy.yy
    At this time, users from the DMZ zone will be able to access the server using the yy.yy.yy.yy IP Address.
    HTH
    AMatahen

  • Is there a difference between NAT Traversal & NAT Transparency?

    What is the difference between NAT Traversal & NAT Transparency?
    And does (NAT-T) refers to NAT Traversal or NAT Transparency?

    As in, how the screen's pixels display colors?  No, there shouldn't be any difference.

  • ASA5515 v8.6(1)2 NAT dmz public server

    Could I get a validation that this config is correct, in that it allows inbound access to the web server and that I should be able to ping it from my inside interface?
    I tried to use the example code from Cisco DocID 115904 for DMZ WebServer, but I found the object NAT parts did not work with my 8.6 IOS, so I modified them as shown in my config.
    Example from 115904 doc.
    object network WebServerPublic
    host 24.25.26.80
    object network WebServerPrivate
    host 192.168.1.80
    nat(dmz,outside) static WebServerPublic service tcp www www ---> this does not code
    With the below code I do not get a ping reply sourcing from a 10.1.0.X host to 192.168.1.80 web server.
    And I cannot browse in from the outside to it either.
    I do see the MAC for 192.168.1.80 in the ASA's arp cache for the dmz interface.
    The web server is on a VMware ESX environment and I'm not sure it is set up correctly.
    ASA Version 8.6(1)2
    hostname A5515
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 24.25.26.254 255.255.255.240
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 10.1.0.252 255.255.240.0
    interface GigabitEthernet0/2
    nameif dmz
    security-level 50
    ip address 192.168.1.254 255.255.255.0
    object network N_OBJ_10.1.0.0_20
    subnet 10.1.0.0 255.255.240.0
    object network N_OBJ_10.24.0.0_18
    subnet 10.24.0.0 255.255.192.0
    object network DNSServer
    host 10.24.0.86
    object network WebServerPrivate
    host 192.168.1.80
    object network WebServerPublic
    host 24.25.26.246
    object network N_OBJ_DMZ_24
    subnet 192.168.1.0 255.255.255.0
    object-group network CampusNetworks
    network-object 10.1.0.0 255.255.240.0
    network-object 10.24.0.0 255.255.192.0
    access-list outside_access_in extended permit tcp any object WebServerPrivate eq https
    access-list outside_access_in extended permit tcp any object WebServerPrivate eq www
    access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks echo-reply
    access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks unreachable
    access-list dmz_access_in extended permit icmp object WebServerPrivate object-group CampusNetworks time-exceeded
    access-list dmz_access_in extended permit udp any object DNSServer eq domain
    access-list dmz_access_in extended deny ip any object-group CampusNetworks
    access-list dmz_access_in extended permit ip any any
    nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
    nat (dmz,outside) source static WebServerPrivate WebServerPublic
    nat (inside,dmz) source static CampusNetworks CampusNetworks
    nat (inside,outside) after-auto source dynamic CampusNetworks interface
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 24.25.26.241 1
    route inside 10.24.0.0 255.255.192.0 10.1.0.254 1
    Thanks

    Hi,
    You have some conflicting NAT configurations
    For example you have this
    nat (dmz,outside) source dynamic N_OBJ_DMZ_24 interface
    This overrides your Static PAT configuration that you are trying to achieve
    Also one note regarding one of your NAT configurations
    nat (inside,dmz) source static CampusNetworks CampusNetworks
    You don't need NAT between local interfaces. No NAT is done by default, so the traffic between "dmz" and "inside" should go through untranslated without any need for NAT configurations.
    If you want, you could change your current configurations to the following. Note that you would have to remove your existing NAT configurations.
    object-group network DEFAULT-PAT-SOURCE
    network-object 10.1.0.0 255.255.240.0
    network-object 10.24.0.0 255.255.192.0
    network-object 192.168.1.0 255.255.255.0
    nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    The above configuration handles the Default PAT for all your networks. Both "dmz" and "inside".
    object network WEB-SERVER
    host 192.168.1.80
    nat (dmz,outside) static interface service tcp 80 80
    access-list outside_access_in permit tcp any object WEB-SERVER eq 80
    access-list outside_access_in permit tcp any object WEB-SERVER eq 443
    The above does the Static PAT (or Port Forward) for your DMZ server and allows the traffic on the ACL.
    - Jouni
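    The ordering point in Jouni's answer, as an added example that is not from the thread or from Cisco: a Python model of the first-match lookup over the three sections of the 8.3+ NAT table (Section 1 manual NAT in config order, Section 2 object NAT sorted static-first then by fewest real addresses, Section 3 after-auto manual NAT in config order), limited to connections initiated from the real side; the un-NAT lookup for inbound traffic is not modelled. It goes one step beyond the thread with a constructed Section 2 tie-break case (`OBJECT_ONLY`, RFC 5737 addresses). Assumptions: `CampusNetworks` is trimmed to its first subnet in `ORIGINAL`, Jouni's `DEFAULT-PAT-SOURCE` group becomes three Section 3 entries in `FIXED`, and full ties in Section 2 fall back to config order where the ASA uses the object name.

```python
"""First-match lookup over the three sections of an ASA 8.3+ NAT table (real-side only)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    section: int            # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    order: int              # position in the running config within its section
    kind: str               # "static" or "dynamic"
    real_if: str            # "any" matches every interface
    mapped_if: str
    real: str               # real source network (CIDR)
    mapped: str             # mapped address, object name or "interface"
    real_port: Optional[int] = None  # static PAT ("service tcp 80 80"): real source port


def _key(rule):
    """Sections 1 and 3: config order. Section 2: static before dynamic, then fewest
    real addresses, then lowest real address, then config order (assumption: the ASA
    breaks the final tie on object name, which this model does not carry)."""
    net = ipaddress.ip_network(rule.real)
    if rule.section == 2:
        return (2, rule.kind != "static", net.num_addresses, int(net.network_address), rule.order)
    return (rule.section, 0, 0, 0, rule.order)


def lookup(rules, src_ip, real_if, mapped_if, src_port=None):
    """Return the first NatRule a new connection from src_ip (entering real_if,
    leaving mapped_if) matches, or None when it passes untranslated."""
    src = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=_key):
        if r.real_if not in (real_if, "any") or r.mapped_if not in (mapped_if, "any"):
            continue
        if src not in ipaddress.ip_network(r.real):
            continue
        if r.real_port is not None and r.real_port != src_port:
            continue
        return r
    return None


# The poster's NAT lines in config order (CampusNetworks trimmed to its first subnet).
ORIGINAL = [
    NatRule(1, 1, "dynamic", "dmz", "outside", "192.168.1.0/24", "interface"),
    NatRule(1, 2, "static", "dmz", "outside", "192.168.1.80/32", "24.25.26.246"),
    NatRule(1, 3, "static", "inside", "dmz", "10.1.0.0/20", "10.1.0.0/20"),
    NatRule(3, 1, "dynamic", "inside", "outside", "10.1.0.0/20", "interface"),
]

# Jouni's rewrite: one Section 2 static PAT, the after-auto PAT group as Section 3 entries.
FIXED = [
    NatRule(2, 1, "static", "dmz", "outside", "192.168.1.80/32", "interface", real_port=80),
    NatRule(3, 1, "dynamic", "any", "outside", "10.1.0.0/20", "interface"),
    NatRule(3, 1, "dynamic", "any", "outside", "10.24.0.0/18", "interface"),
    NatRule(3, 1, "dynamic", "any", "outside", "192.168.1.0/24", "interface"),
]

# Constructed Section 2 tie-break: a /32 object NAT beats a /24 whatever the config order.
OBJECT_ONLY = [
    NatRule(2, 1, "static", "dmz", "outside", "192.168.1.0/24", "203.0.113.0/24"),
    NatRule(2, 2, "static", "dmz", "outside", "192.168.1.80/32", "203.0.113.80"),
]
```

    With the poster's rules, `lookup(ORIGINAL, "192.168.1.80", "dmz", "outside", src_port=80)` returns the Section 1 dynamic rule, so a connection the web server opens toward outside leaves as the outside interface address rather than as 24.25.26.246. After Jouni's rewrite the static PAT sits in Section 2 and only claims the server's port 80, everything else on dmz and inside falls to the Section 3 catch-all, and inside-to-dmz traffic matches nothing and passes untranslated, which is the "no NAT is done by default" point above.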
