traffic between inside and dmz

16 years 1 month ago #27713 by sys-halt
Hi all, I want to allow normal traffic from inside to dmz, traffic such as RDP, Telnet, Ping and such things.

Here is my basic ASA config:
[code:1]
interface Vlan3
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan4
nameif dmz1
security-level 20
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 4
!
global (outside) 1 x.y.z.1-x.y.z.3 netmask 255.255.255.x
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
[/code:1]

How could I allow the traffic to pass from inside to dmz1?
I tried this:
global (dmz1) 2 interface
nat (inside) 2 0 0 or 172.16.1.0 255.255.255.0

But the problem I faced is that:
1. It sometimes says "duplicate NAT entry".
2. If the traffic from inside to dmz1 works, the internet stops on the inside, and if the internet is working, the traffic from inside to dmz1 (like doing RDP) stops.

I know the problem is in the nat statement I made between inside and dmz1; it is riding over my "nat (inside) 1 0 0" statement, which is leading to the internet being blocked.

I hope you could show me the mistake I am making and how I could fix this and make the traffic between inside and dmz1 work fine in addition to the Internet access.

Thanks in advance.
16 years 1 month ago #27714 by Patiot
Hello sys-halt,

It is indeed correct,

global (outside) 1 x.y.z.1-x.y.z.3 netmask 255.255.255.x
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
global (dmz1) 2 interface
nat (inside) 2 0 0

should work.

But if you want, you can configure the following setup for bidirectional traffic. No translation occurs going from inside to dmz1.

static (inside,dmz1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

For unidirectional traffic just from inside ---> dmz1.

static (inside,dmz1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-list dmz1_acl deny ip any 192.168.2.0 255.255.255.0
access-list dmz1_acl permit ip any any
access-group dmz1_acl in interface dmz1

Please let me know if this helps.

Thanks
Patiot
16 years 1 month ago #27715 by sys-halt
Hi Patiot, thanks for your quick help. I wonder if you could explain to me why I got the statement "Duplicate NAT entry" when I did the "nat (inside) 2 0 0", and why, when I reloaded the ASA, it stopped NATting my inside interface to the internet and allowed the traffic from inside to dmz1.

Here are the scenarios I tried today:
[code:1]
global (outside) 1 x.y.z.1-x.y.z.3 netmask 255.255.255.x
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz1) 2 interface
nat (inside) 2 0 0
[/code:1]

It will say "duplicate nat entry" once I type "nat (inside) 2 0 0".

If I change it to "nat (inside) 2 172.16.1.0 255.255.255.0" it will accept it, but the problem starts when I reload the ASA: it will block the first nat, "nat (inside) 1 0.0.0.0 0.0.0.0", and allow the second nat, "nat (inside) 2 172.16.1.0 255.255.255.0", to work.

If I did the opposite:
[code:1]
global (outside) 1 x.y.z.1-x.y.z.3 netmask 255.255.255.x
nat (inside) 1 172.16.1.0 255.255.255.0
global (dmz1) 2 interface
nat (inside) 2 0 0
[/code:1]

The ASA will allow my inside interface to go out to the internet and deny traffic from inside to dmz1.

Is this behavior normal, and am I missing something or misunderstanding it?

I was looking for your first suggestion, the no-translation usage; I read about it before but didn't understand it. I appreciate your explanation; it is clear to me now how to put the static syntax.

I will of course try the code soon and get back with the result.
16 years 1 month ago #27724 by Patiot
Yes, you will not be able to NAT the same pool of IPs twice.

The statics would be the best bet.

Or NAT 0.

The following configuration says do not translate while going from inside to dmz1 (I am not sure of your IPs, so I have put x instead of your IPs):

nat (inside) 0 access-list no_nat

access-list no_nat permit ip 192.168.x.x 255.255.255.0 172.x.x.x 255.255.255.0
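The behaviour discussed in the posts above (a nat id whose only global is on outside, the "duplicate NAT entry" error, and the identity static or nat 0 alternatives) can be modelled with a small Python script. This is an added example, not the thread's configuration and not Cisco code: it reproduces the documented legacy (pre-8.3) ASA order of operations, NAT exemption first, then static NAT, then dynamic nat/global pairs, and assumes, as the thread's symptoms indicate, that a flow matching a nat id with no global of that id on the egress interface is dropped (the ASA reports this as "No translation group found", syslog 305005). The configs are constructed: 203.0.113.0/24 and 198.51.100.0/24 stand in for the x.y.z.* pool and an Internet host, the identity static is applied to the inside network 172.16.1.0/24 (the example's own choice, the network whose hosts originate the traffic), the duplicate check treats an identical local range on the same interface as a duplicate, as sys-halt observed, and only the outbound direction of a static is modelled.

```python
"""Model of how a pre-8.3 Cisco ASA chooses a NAT rule for a flow (added example)."""
import ipaddress


def _net(addr, mask):
    """Build a network from the ASA 'address mask' notation ('0 0' means any)."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


class LegacyNat:
    """Holds the nat/global/static/access-list lines of a legacy ASA config in order."""

    def __init__(self):
        self.exempt = []   # (ifc, acl_name)             from: nat (ifc) 0 access-list NAME
        self.acls = {}     # name -> [(src_net, dst_net)] from: access-list NAME permit ip ...
        self.static = []   # (real_ifc, mapped_ifc, mapped_net, real_net)
        self.dynamic = []  # (ifc, nat_id, local_net)    from: nat (ifc) ID local mask
        self.globals = {}  # (ifc, nat_id) -> pool text  from: global (ifc) ID pool|interface

    def load(self, text):
        for line in text.splitlines():
            if line.strip() and not line.startswith("!"):
                self.add(line.strip())
        return self

    def add(self, line):
        t = line.split()
        if t[0] == "access-list" and t[2] == "permit":
            # Only the explicit form 'permit ip SRC SMASK DST DMASK' is supported here.
            self.acls.setdefault(t[1], []).append((_net(t[4], t[5]), _net(t[6], t[7])))
        elif t[0] == "nat" and t[3] == "access-list":
            self.exempt.append((t[1].strip("()"), t[4]))
        elif t[0] == "nat":
            ifc, nat_id, local = t[1].strip("()"), int(t[2]), _net(t[3], t[4])
            # A second dynamic rule on the same interface for the same local range
            # is rejected by the ASA ("duplicate NAT entry"), whatever its id.
            for o_ifc, _, o_net in self.dynamic:
                if o_ifc == ifc and local == o_net:
                    raise ValueError(f"duplicate NAT entry: {line}")
            self.dynamic.append((ifc, nat_id, local))
        elif t[0] == "global":
            self.globals[(t[1].strip("()"), int(t[2]))] = " ".join(t[3:])
        elif t[0] == "static":
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1]
            self.static.append((real_ifc, mapped_ifc, _net(t[2], mask), _net(t[3], mask)))
        else:
            raise ValueError(f"unsupported line: {line}")

    def translate(self, src_ifc, src_ip, dst_ifc, dst_ip):
        """Return (rule_type, result) for a flow, evaluated in the ASA's documented order."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for ifc, acl in self.exempt:                                      # 1. NAT exemption
            if ifc == src_ifc and any(src in s and dst in d for s, d in self.acls.get(acl, [])):
                return ("exempt", str(src))
        for real_ifc, mapped_ifc, mapped_net, real_net in self.static:   # 2. static NAT
            if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and src in real_net:
                offset = int(src) - int(real_net.network_address)
                return ("static", str(mapped_net.network_address + offset))
        for ifc, nat_id, local in self.dynamic:                           # 3. dynamic nat/global
            if ifc == src_ifc and src in local:
                pool = self.globals.get((dst_ifc, nat_id))
                if pool is None:
                    # Assumed behaviour, matching the thread's symptom: the nat id matched
                    # but the egress interface has no global for it, so the packet is dropped.
                    return ("drop", "no translation group found")
                return ("dynamic", pool)
        return ("untranslated", str(src))


# Constructed configs (documentation addresses stand in for the thread's x.y.z.* pool).
ORIGINAL = """
global (outside) 1 203.0.113.1-203.0.113.3 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
"""
FIXED = ORIGINAL + "static (inside,dmz1) 172.16.1.0 172.16.1.0 netmask 255.255.255.0\n"
EXEMPT = ORIGINAL + """
access-list no_nat permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list no_nat
"""


def try_second_nat(text):
    """Return the error the extra 'nat (inside) 2 0 0' line produces, or None if accepted."""
    cfg = LegacyNat().load(text)
    try:
        cfg.add("nat (inside) 2 0 0")
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("identity static", FIXED), ("nat 0", EXEMPT)):
        cfg = LegacyNat().load(text)
        print(f"{name:16} inside->dmz1   :", cfg.translate("inside", "172.16.1.10", "dmz1", "192.168.2.10"))
        print(f"{name:16} inside->outside:", cfg.translate("inside", "172.16.1.10", "outside", "198.51.100.5"))
    print(try_second_nat(ORIGINAL))
```

Running it shows the three states of the thread side by side: with the original config, inside to outside is translated but inside to dmz1 is dropped because nat id 1 has no global on dmz1; with the identity static or the nat 0 exemption in place, inside to dmz1 passes untranslated while inside to outside still uses the outside pool; and a second `nat (inside) 2 0 0` line is refused as a duplicate.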
16 years 1 month ago #27728 by sys-halt
Hi Patiot, I did apply the static statement instead of using NAT 0 with ACLs. It is working fine for now; I tried it and things are working well.

[code:1]
static (inside,dmz1) 192.168.2.0 192.168.2.0 netmask 255.255.255.255
[/code:1]

Thanks for the help; now my inside network can NAT outside and access the dmz1 at the same time.

Thanks again
16 years 1 month ago #27752 by Patiot
You are welcome.