TOPIC: traffic between inside and dmz

traffic between inside and dmz 8 years 1 month ago #27713

sys-halt
Hi all, I want to allow normal traffic from inside to the DMZ, such as RDP, Telnet, ping and similar things.

Here is my basic ASA config:
[code:1]
interface Vlan3
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan4
nameif dmz1
security-level 20
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 4
!
global (outside) 1 x.y.z.1-x.y.z.3 netmask 255.255.255.x
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
[/code:1]

How could I allow the traffic to pass from inside to dmz1?
I tried something like this:
[code:1]
global (dmz1) 2 interface
nat (inside) 2 0 0 or 172.16.1.0 255.255.255.0
[/code:1]

but the problems I faced are:
1. It sometimes says "duplicate NAT entry".
2. If the traffic from inside to dmz1 works, the internet stops working on the inside, and if the internet is working, the traffic from inside to dmz1 (such as RDP) stops.

I know the problem is in the nat statement I made between inside and dmz1: it is riding over my "nat (inside) 1 0 0" statement, which is leading to the internet being blocked.

I hope you could show me the mistake I am making and how I could fix it, so that traffic between inside and dmz1 works fine in addition to Internet access.

Thanks in advance.

Re: traffic between inside and dmz 8 years 1 month ago #27714

Patiot
Hello sys-halt,

It is indeed correct,

[code:1]
global (outside) 1 x.y.z.1-x.y.z.3 netmask 255.255.255.x
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
global (dmz1) 2 interface
nat (inside) 2 0 0
[/code:1]

should work.

But if you want, you can configure the following setup for bidirectional traffic. No translation occurs going from inside to dmz1.

[code:1]
static (inside,dmz1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
[/code:1]

For unidirectional traffic just from inside ---> dmz1:

[code:1]
static (inside,dmz1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-list dmz1_acl deny ip any 192.168.2.0 255.255.255.0
access-list dmz1_acl permit ip any any
access-group dmz1_acl in interface dmz1
[/code:1]

Please let me know if this helps.

Thanks
Patiot

Re: traffic between inside and dmz 8 years 1 month ago #27715

sys-halt
Hi Patiot, thanks for your quick help. I wonder if you could explain to me why I got the message "Duplicate NAT entry" when I did "nat (inside) 2 0 0", and why, when I reloaded the ASA, it stopped NATting my inside interface to the internet and allowed the traffic from inside to dmz1.

Here are the scenarios I tried today:
[code:1]
global (outside) 1 x.y.z.1-x.y.z.3 netmask 255.255.255.x
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz1) 2 interface
nat (inside) 2 0 0
[/code:1]

It says "duplicate nat entry" once I type "nat (inside) 2 0 0".

If I change it to "nat (inside) 2 172.16.1.0 255.255.255.0" it accepts it, but the problem starts when I reload the ASA: it blocks the first nat, "nat (inside) 1 0.0.0.0 0.0.0.0", and allows the second nat, "nat (inside) 2 172.16.1.0 255.255.255.0", to work.

If I do the opposite:
[code:1]
global (outside) 1 x.y.z.1-x.y.z.3 netmask 255.255.255.x
nat (inside) 1 172.16.1.0 255.255.255.0
global (dmz1) 2 interface
nat (inside) 2 0 0
[/code:1]

the ASA allows my inside interface to go out to the internet and denies traffic from inside to dmz1.

Is this behavior normal, or am I missing something or misunderstanding it?

I was looking for your first suggestion, the no-translation usage; I read about it before but didn't understand it. I appreciate your explanation; it is clear to me now how to write the static syntax.

I will of course try the code soon and get back with the result.

Re: traffic between inside and dmz 8 years 1 month ago #27724

Patiot
Yes, you will not be able to NAT the same pool of IPs twice.

The statics would be the best bet,

or NAT 0.

The following configuration says do not translate while going from inside to dmz1 (I am not sure of your IPs, so I have put x instead of your IPs):

[code:1]
nat (inside) 0 access-list no_nat
access-list no_nat permit ip 192.168.x.x 255.255.255.0 172.x.x.x 255.255.255.0
[/code:1]
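Editor's note, added as an example and not part of the thread: the symptoms sys-halt reported follow from the pre-8.3 ASA order of NAT operations that Cisco documents for 8.2 (NAT exemption first, then statics, then policy dynamic NAT, then regular dynamic NAT by best match rather than first match), together with the rule that a dynamic nat id only yields a translation if the egress interface has a global with the same id. The small Python model below reproduces that logic and runs the thread's configurations through it. It is a simplified model written for this page, not Cisco code: policy dynamic NAT is not modelled, the caller supplies the egress interface, the duplicate check only catches an identical real network on the same interface, the host addresses 172.16.1.10, 192.168.2.10 and 203.0.113.5 are constructed, and the identity static in the model is written with the inside subnet as the real address (the pre-8.3 operand order is `static (real_ifc,mapped_ifc) mapped_ip real_ip`), which is my choice for the model rather than a restatement of the lines posted above.

```python
"""Toy model of pre-8.3 Cisco ASA NAT matching on a packet's real (source)
address, using the order of operations from Cisco's 8.2 configuration guide:
  1. NAT exemption   (nat 0 access-list)    first match
  2. static NAT      (static (real,mapped))  first match, for that interface pair
  3. policy dynamic  (nat id access-list)    first match   [not modelled here]
  4. regular dynamic (nat id real mask)      BEST (most specific) match, after
     which the egress interface must carry a global with the same id, or the
     packet is dropped ("No translation group found")."""
import ipaddress


def _net(addr, mask):
    if addr == "0":                       # "0 0" is ASA shorthand for any address
        addr, mask = "0.0.0.0", "0.0.0.0"
    return ipaddress.IPv4Network((addr, mask), strict=False)


class Asa82Nat:
    def __init__(self):
        self.exempt = []      # (ifc, acl_name)
        self.acls = {}        # acl_name -> [(src_net, dst_net), ...]
        self.statics = []     # (real_ifc, mapped_ifc, mapped_net, real_net)
        self.dyn = []         # (ifc, nat_id, real_net)
        self.globals = set()  # (ifc, nat_id)

    def add_nat(self, ifc, nat_id, real):
        # A second nat line for the same real addresses on the same interface is
        # refused whatever its id: this is the thread's "duplicate NAT entry".
        if any(i == ifc and r == real for i, _, r in self.dyn):
            raise ValueError(f"ERROR: duplicate NAT entry for {real} on {ifc}")
        self.dyn.append((ifc, nat_id, real))

    def translate(self, in_ifc, src, out_ifc, dst):
        """(kind, detail) for a flow src->dst entering in_ifc and leaving out_ifc."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for ifc, acl in self.exempt:                                    # step 1
            if ifc == in_ifc and any(s in sn and d in dn for sn, dn in self.acls.get(acl, [])):
                return ("exempt", src)
        for rifc, mifc, mapped, real in self.statics:                   # step 2
            if rifc == in_ifc and mifc == out_ifc and s in real:
                return ("static", str(mapped.network_address + (int(s) - int(real.network_address))))
        cands = [(i, r) for ifc, i, r in self.dyn if ifc == in_ifc and s in r]  # step 4
        if not cands:
            return ("drop", "no nat line matches")
        nat_id, _ = max(cands, key=lambda c: c[1].prefixlen)   # most specific, not first
        if (out_ifc, nat_id) not in self.globals:
            return ("drop", f"nat id {nat_id} has no global on {out_ifc}")
        return ("dynamic", f"PAT via global {nat_id} on {out_ifc}")


def load(config):
    """Build a model from pre-8.3 style config lines (only the forms used here)."""
    asa = Asa82Nat()
    for line in config.strip().splitlines():
        t = line.split()
        ifc = t[1].strip("()")
        if t[0] == "global":
            asa.globals.add((ifc, int(t[2])))
        elif t[0] == "nat" and t[3] == "access-list":
            asa.exempt.append((ifc, t[4]))
        elif t[0] == "nat":
            asa.add_nat(ifc, int(t[2]), _net(t[3], t[4]))
        elif t[0] == "static":        # static (real,mapped) mapped_ip real_ip netmask m
            r, m = ifc.split(",")
            asa.statics.append((r, m, _net(t[2], t[5]), _net(t[3], t[5])))
        elif t[0] == "access-list":   # access-list NAME permit ip src smask dst dmask
            asa.acls.setdefault(t[1], []).append((_net(t[4], t[5]), _net(t[6], t[7])))
    return asa


# Constructed sample hosts: the thread's inside and dmz1 subnets, plus a
# documentation-range address standing in for an internet host.
INSIDE_HOST, DMZ_HOST, WEB = "172.16.1.10", "192.168.2.10", "203.0.113.5"
BASE = "global (outside) 1 x.y.z.1-x.y.z.3 netmask 255.255.255.x\nnat (inside) 1 0.0.0.0 0.0.0.0\n"
SCENARIOS = {
    "duplicate":        BASE + "global (dmz1) 2 interface\nnat (inside) 2 0 0",
    "specific_second":  BASE + "global (dmz1) 2 interface\nnat (inside) 2 172.16.1.0 255.255.255.0",
    "specific_first":   "global (outside) 1 interface\nnat (inside) 1 172.16.1.0 255.255.255.0\n"
                        "global (dmz1) 2 interface\nnat (inside) 2 0 0",
    "identity_static":  BASE + "static (inside,dmz1) 172.16.1.0 172.16.1.0 netmask 255.255.255.0",
    "nat_exemption":    BASE + "access-list no_nat permit ip 172.16.1.0 255.255.255.0 "
                               "192.168.2.0 255.255.255.0\nnat (inside) 0 access-list no_nat",
}


def check(config):
    """(inside->internet result, inside->dmz1 result), or the CLI error text."""
    try:
        asa = load(config)
    except ValueError as e:
        return str(e)
    return (asa.translate("inside", INSIDE_HOST, "outside", WEB),
            asa.translate("inside", INSIDE_HOST, "dmz1", DMZ_HOST))


if __name__ == "__main__":
    for name, cfg in SCENARIOS.items():
        print(f"{name:16} -> {check(cfg)}")
```

Running it shows the three behaviours from the thread in order: `nat (inside) 2 0 0` on top of `nat (inside) 1 0 0` is rejected as a duplicate; making one of the two nat lines the more specific 172.16.1.0/24 makes that line win for every flow from inside, so whichever interface lacks a global with that id drops traffic; and either an identity static for the inside subnet or a `nat 0` exemption is consulted before the dynamic rules, so inside to dmz1 passes untranslated while inside to the internet still uses global 1.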

Re: traffic between inside and dmz 8 years 1 month ago #27728

sys-halt
Hi Patiot, I applied the static statement instead of using NAT 0 with ACLs. It is working fine for now; I tried it and things are working well.

[code:1]
static (inside,dmz1) 192.168.2.0 192.168.2.0 netmask 255.255.255.255
[/code:1]

Thanks for the help; now my inside network can NAT outside and access dmz1 at the same time.

Thanks again.

Re: traffic between inside and dmz 8 years 1 month ago #27752

Patiot
You are welcome.