
Static NAT

16 years 10 months ago #22390 by skepticals
Static NAT was created by skepticals
I have tried to resolve this problem on my own and I am in the need of help.

Inside Interface: 10.3.4.1 /24
DMZ Interface: 172.16.1.1 /16
Inside Host: 10.3.4.50 /24
DMZ IIS Server: 172.16.1.3 /16

I have a test lab setup with an ASA 5505. I want to access the IIS server in the DMZ on port 80.

I issued the following commands:

static (inside,dmz) 10.3.4.0 10.3.4.0 netmask 255.255.255.0
access-list dmz_int extended permit tcp host 172.16.1.3 host 10.3.4.50 eq www
access-group dmz_int in interface dmz

From the previous posts I am assuming the traffic from the Inside returning to the DMZ should be allowed because the inside has a higher security level, but it does not seem to work. Should I only need the static command if I want to access the IIS server in the DMZ? I have tried various combinations of ACLs and I still can't get it to communicate. Any ideas?
16 years 10 months ago #22392 by Smurf
Replied by Smurf on topic Re: Static NAT
You shouldn't need a static command if you are only trying to get it to work from the Inside to DMZ. Also, as you quite rightly said, this traffic should be allowed from high to low by default.

Have you configured your NAT correctly? You should have something like:

[code:1]global (DMZ) 3 interface
nat (inside) 3 10.3.4.0 255.255.255.0
[/code:1]

This should work. You only need a static command if you need to ensure that an internal host is always seen with the same NAT'd address, or if you want to communicate the other way (from the DMZ to Inside). For example, if you were publishing the web server to the internet then you would normally set up a static command to allow the traffic from the outside to the web server:

[code:1]static (dmz,outside) tcp interface 80 172.16.3.1 80 255.255.255.255[/code:1]

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
16 years 10 months ago #22393 by skepticals
Replied by skepticals on topic Re: Static NAT
Currently, I am only trying to get it to work from the inside to the DMZ, but in the long run I need to allow SMTP traffic from the DMZ to the inside network. What do you suggest?
16 years 10 months ago #22394 by Smurf
Replied by Smurf on topic Re: Static NAT
To get it to work from DMZ to the Inside you will need a static; I would suggest something like:

[code:1]static (inside,dmz) tcp 172.16.1.3 25 10.3.4.3 25 255.255.255.255 0 0[/code:1]

172.16.1.3 = server in DMZ
10.3.4.3 = server on internal

Cheers

16 years 10 months ago #22422 by skepticals
Replied by skepticals on topic Re: Static NAT
Smurf,

You're going to love this (probably not). As you may have guessed, I have never configured any type of NAT on my ASA and I configured a lab with 2 PCs and an ASA 5505 for learning. You have given me a great deal of advice (thanks).

I have tried all of your solutions (and others) and none of them worked. I thought this was because my lack of knowledge with the ASA...

...It turns out that I set the default gateway on the IIS server to .0 instead of .1! Can you believe that! I changed it and it works great. What a dumb mistake. I even looked those settings over before.

I was reading a Cisco doc and they said to configure access to the DMZ like so: "Create a static translation between the entire inside network and the DMZ:" [code:1] static (inside,dmz) 10.1.6.0 10.1.6.0 netmask 255.255.255.0 [/code:1] and "Create a static translation to allow one inside host access to the DMZ:" [code:1] static (inside,dmz) 10.1.6.100 10.1.6.100 [/code:1]

My new question is, I thought the first line of code opened up anything on the 10.1.6.0 network to the DMZ? In either case, why would I have to translate the entire inside network to the DMZ and one specific host? Any thoughts?
16 years 10 months ago #22428 by Smurf
Replied by Smurf on topic Re: Static NAT
Hi,

The first line of code is turning the NAT'ing off on that subnet. If your DMZ is 10.1.6.0/24 then I believe that the command will allow all traffic from 10.1.6.0/24 to not be translated.

The second line is similar but only for a single host 10.1.6.100. Therefore whenever you talk to this host, its address is not NAT'd and you always get the true address.

This is my understanding but I have never actually played with this.

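The thread above turns on three questions: whether inside-to-DMZ needs any NAT statement at all, what a DMZ-to-inside flow needs, and what the identity `static (inside,dmz) 10.3.4.0 10.3.4.0` actually changes. The following Python model is an added illustration written for this page; it is not Cisco code and not from any poster. It parses the pre-8.3 `static`, `nat`, `global`, `access-list` and `access-group` lines used in the thread and applies the two rules the replies rely on: an inbound ACL on the ingress interface replaces the security-level default (so a lower-to-higher flow needs an explicit permit, and a higher-to-lower flow is allowed only while no ACL is bound inbound), and statics are bidirectional and take precedence over `nat`/`global`. The security levels (100/50/0), the outside interface address 198.51.100.1, the outside client 203.0.113.9 and nat-control being disabled are all assumptions; the `LAB_CONFIG` string is constructed from the thread's own lines plus Smurf's published-server static. The last function removes the identity static to show why the Cisco doc lines in the final exchange matter: once a `global (dmz) 3 interface` exists, inside hosts reaching the IIS server are PAT'd to the DMZ interface address unless a static pins their real address.

```python
# Toy model of pre-8.3 ASA forwarding (security levels, inbound ACLs, static/dynamic NAT). Added illustration, not Cisco code.
import ipaddress

# Assumed lab values (the thread gives only the inside and DMZ networks); nat-control assumed off.
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}
IFACE_IP = {"inside": "10.3.4.1", "dmz": "172.16.1.1", "outside": "198.51.100.1"}
PORTS = {"www": 80, "smtp": 25}

def _net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _shift(addr, from_net, to_net):  # keep addr's offset but move it into to_net (identity if equal)
    return to_net.network_address + (int(addr) - int(from_net.network_address))

def _acl_addr(t, i):  # 'any' | 'host X' | 'NET MASK' at t[i] -> (network, next index)
    if t[i] == "any":
        return _net("0.0.0.0", "0.0.0.0"), i + 1
    return (_net(t[i + 1]), i + 2) if t[i] == "host" else (_net(t[i], t[i + 1]), i + 2)

class Asa:
    def __init__(self, config):
        self.statics, self.nat, self.glob, self.acls, self.groups = [], {}, {}, {}, {}
        for line in filter(str.strip, config.splitlines()):
            self._parse(line.split())

    def _parse(self, t):
        if t[0] == "static":                # static (real_ifc,mapped_ifc) ...
            real_ifc, mapped_ifc = t[1].strip("()").lower().split(",")
            if t[2] in ("tcp", "udp"):      # port static: PROTO MAPPED MPORT REAL RPORT MASK
                mapped = IFACE_IP[mapped_ifc] if t[3] == "interface" else t[3]
                self.statics.append((real_ifc, mapped_ifc, t[2], _net(mapped), int(PORTS.get(t[4], t[4])),
                                     _net(t[5]), int(PORTS.get(t[6], t[6]))))
            else:                           # plain static: MAPPED REAL [netmask MASK]
                mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
                self.statics.append((real_ifc, mapped_ifc, None, _net(t[2], mask), None, _net(t[3], mask), None))
        elif t[0] == "nat":                 # nat (ifc) ID NET MASK
            self.nat[(t[1].strip("()").lower(), t[2])] = _net(t[3], t[4])
        elif t[0] == "global":              # global (ifc) ID interface -> PAT behind that interface
            ifc = t[1].strip("()").lower()
            self.glob[(ifc, t[2])] = ipaddress.ip_address(IFACE_IP[ifc])
        elif t[0] == "access-list":         # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
            src, i = _acl_addr(t, 5)
            dst, i = _acl_addr(t, i)
            port = int(PORTS.get(t[i + 1], t[i + 1])) if len(t) > i and t[i] == "eq" else None
            self.acls.setdefault(t[1], []).append((t[3], t[4], src, dst, port))
        elif t[0] == "access-group":        # access-group NAME in interface IFC
            self.groups[t[4].lower()] = t[1]

    def evaluate(self, ingress, egress, src, dst, proto, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. An inbound ACL on the ingress interface replaces the security-level default (implicit deny).
        if ingress in self.groups:
            ok = any(act == "permit" and p in (proto, "ip") and src in s and dst in d and dp in (None, dport)
                     for act, p, s, d, dp in self.acls[self.groups[ingress]])
        else:
            ok = SECURITY[ingress] > SECURITY[egress]
        if not ok:
            return {"permit": False}
        # 2. NAT: statics are bidirectional and win over nat/global; un-translate dst, then map src.
        for r_ifc, m_ifc, p, m_net, m_port, r_net, r_port in self.statics:
            if (r_ifc, m_ifc) == (egress, ingress) and dst in m_net and (p is None or (p, m_port) == (proto, dport)):
                dst, dport = _shift(dst, m_net, r_net), (r_port if p else dport)
                break
        for r_ifc, m_ifc, p, m_net, m_port, r_net, r_port in self.statics:
            if (r_ifc, m_ifc) == (ingress, egress) and p is None and src in r_net:
                src = _shift(src, r_net, m_net)
                break
        else:                               # no static for the source: fall back to dynamic PAT
            for (ifc, gid), net in self.nat.items():
                if ifc == ingress and src in net and (egress, gid) in self.glob:
                    src = self.glob[(egress, gid)]
                    break
        return {"permit": True, "src": str(src), "dst": str(dst), "dport": dport}

# Constructed lab config: the thread's lines plus an assumed outside side for the published server.
LAB_CONFIG = """
static (inside,dmz) 10.3.4.0 10.3.4.0 netmask 255.255.255.0
static (dmz,outside) tcp interface 80 172.16.1.3 80 255.255.255.255
global (dmz) 3 interface
nat (inside) 3 10.3.4.0 255.255.255.0
access-list dmz_int extended permit tcp host 172.16.1.3 host 10.3.4.3 eq smtp
access-group dmz_int in interface dmz
access-list outside_in extended permit tcp any host 198.51.100.1 eq www
access-group outside_in in interface outside
"""

def lab_results(config=LAB_CONFIG):
    asa = Asa(config)
    return {
        "inside_to_dmz_www": asa.evaluate("inside", "dmz", "10.3.4.50", "172.16.1.3", "tcp", 80),
        "outside_to_published_www": asa.evaluate("outside", "dmz", "203.0.113.9", "198.51.100.1", "tcp", 80),
        "dmz_to_inside_smtp": asa.evaluate("dmz", "inside", "172.16.1.3", "10.3.4.3", "tcp", 25),
        "dmz_to_inside_www": asa.evaluate("dmz", "inside", "172.16.1.3", "10.3.4.50", "tcp", 80),
    }

def without_identity_static():  # same lab minus the identity static: inside->DMZ now hits the global (dmz) PAT
    cfg = LAB_CONFIG.replace("static (inside,dmz) 10.3.4.0 10.3.4.0 netmask 255.255.255.0\n", "")
    return Asa(cfg).evaluate("inside", "dmz", "10.3.4.50", "172.16.1.3", "tcp", 80)
```

Running `lab_results()` shows inside-to-DMZ permitted with no ACL and the client address preserved, the outside client reaching 172.16.1.3:80 through the port static, DMZ-to-inside SMTP permitted only because the `dmz_int` ACL says so, and DMZ-to-inside port 80 denied by that same ACL's implicit deny. `without_identity_static()` returns the same inside-to-DMZ flow with source 172.16.1.1, which is what the IIS server's logs would record once the inside network is PAT'd behind the DMZ interface.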