
Notable Replies

  1. Hi Asi,

    The first statement tells the ASA that a device with IP address 192.168.1.1 on the DMZ has to be translated to 192.168.2.200, which is on the outside. On the interfaces we configured which security zone each one belongs to (INSIDE, DMZ or OUTSIDE).

    The direction doesn’t matter…from the outside you can connect to 192.168.2.200 and it will be translated to 192.168.1.1. When 192.168.1.1 initiates traffic that goes from DMZ > outside then it also gets translated to 192.168.2.200. The only thing the ASA cares about is what to translate.

    The same thing applies to the second statement except that the first time when traffic goes from DMZ to OUTSIDE, an IP address from the pool is selected. When the translation is in place, you can also connect from the outside to the pool address if you want…the ASA only cares about what to translate.

    Rene

  2. Thanks Rene. I have sorted out the issue when capturing the packet. Many thanks.

  3. Hello Naila

    Let’s look again at the example that Rene was referring to:

    ASA1(config)# object network WEB_SERVER
    ASA1(config-network-object)# host 192.168.1.1
    ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200
    

    This statement will cause a translation from host 192.168.1.1 which is on the DMZ to be translated to a static external IP address of 192.168.2.200. This translation functions both ways, meaning that when 192.168.1.1 communicates with devices on the outside, the source address of this communication will be translated to 192.168.2.200, and when any outside devices communicate with 192.168.2.200, this destination address will be translated to 192.168.1.1.

    This does not mean that we can switch the DMZ and OUTSIDE keywords in the NAT command and get the same result. The results will indeed be different.

    For example, if the following were configured:

    ASA1(config)# object network WEB_SERVER
    ASA1(config-network-object)# host 192.168.1.1
    ASA1(config-network-object)# nat (OUTSIDE,DMZ) static 192.168.2.200
    

    This statement will cause a translation from host 192.168.1.1 which is on the OUTSIDE to be translated to a static IP address of 192.168.2.200 on the DMZ. This means that when 192.168.1.1 communicates with devices on the DMZ, the source address of this communication will be translated to 192.168.2.200, and when any DMZ devices communicate with 192.168.2.200, this destination address will be translated to 192.168.1.1.

    I hope this has been helpful!

    Laz

  4. Hello

    nat (outside,inside_1) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp

    Can you please explain this NAT rule?

    I have already asked you guys the question below in a different forum; I don’t know where. It works through the above NAT rule only.

    We are configuring a new ASA 5506 and this is our topology.
    We are having some serious issues accessing remote desktop from outside.

    nat (any,outside) source dynamic any-inside-networks interface description Allow Inside to Ouside

    We use the above rule to allow internet from inside to outside, and it works. It is at number 1 in the NAT rules.

    Now we have a few servers that we would like to access from outside, so we were trying to open ports.
    We created network object NAT rules and access-lists for that; for some reason it didn’t work, so we created a manual NAT before the network object NAT rules. It only works when it is at number 1. That’s fine, but then our internet stops working.

    So we don’t have any idea what we are doing wrong.

    If someone can help me ASAP, because we are planning to deploy ASAP.
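To illustrate Rene's point in reply 1 (a static rule works in both directions immediately, a dynamic pool address only becomes reachable from the outside once the DMZ host has created the translation) and Laz's point in reply 3 (the order of the interface keywords fixes which side is "real" and which is "mapped"), here is a small Python model of that behaviour. It is an added example, not code from this thread or from Cisco; it ignores ports, NAT sections and ACLs, and the second DMZ host, the pool and the outside addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class NatRule:
    """One 'nat (real_if,mapped_if) static|dynamic ...' line for a single real host."""
    real_if: str       # first keyword, e.g. DMZ in nat (DMZ,OUTSIDE)
    mapped_if: str     # second keyword, e.g. OUTSIDE
    real: str          # real host address
    mapped: List[str]  # static: exactly one address; dynamic: the pool to pick from
    static: bool = True

@dataclass
class Asa:
    rules: List[NatRule]
    xlates: dict = field(default_factory=dict)  # (rule index, real addr) -> mapped addr

    def __post_init__(self):
        # a static rule installs its translation as soon as it is configured
        for i, r in enumerate(self.rules):
            if r.static:
                self.xlates[(i, r.real)] = r.mapped[0]

    def translate(self, ingress: str, egress: str, src: str, dst: str) -> Tuple[str, str]:
        """Return (src, dst) as the packet leaves the ASA; unchanged if nothing matches."""
        for i, r in enumerate(self.rules):
            # real -> mapped direction: the SOURCE address is translated
            if (ingress, egress, src) == (r.real_if, r.mapped_if, r.real):
                if (i, r.real) not in self.xlates:       # dynamic: allocate on first use
                    free = [a for a in r.mapped if a not in self.xlates.values()]
                    if not free:
                        return (src, dst)                # pool exhausted: no translation
                    self.xlates[(i, r.real)] = free[0]
                return (self.xlates[(i, r.real)], dst)
            # mapped -> real direction: the DESTINATION is translated, but only if a
            # translation already exists (always true for static, not yet for dynamic)
            if (ingress, egress) == (r.mapped_if, r.real_if):
                for (idx, real), mapped in self.xlates.items():
                    if idx == i and mapped == dst:
                        return (src, real)
        return (src, dst)

def example_asa() -> Asa:
    """Constructed config: the thread's static rule plus a dynamic pool for a second DMZ host."""
    return Asa([
        NatRule("DMZ", "OUTSIDE", "192.168.1.1", ["192.168.2.200"]),
        NatRule("DMZ", "OUTSIDE", "192.168.1.2", ["192.168.2.50", "192.168.2.51"], static=False),
    ])
```

Swapping the keywords, as in Laz's second configuration, is modelled by `NatRule("OUTSIDE", "DMZ", ...)`: the same host is then only translated when it arrives on OUTSIDE and leaves towards the DMZ.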
