In a previous lesson I explained how to configure dynamic NAT from the inside to the outside. In this lesson we add a DMZ and some more NAT translations. Here’s the topology that we will use:
In this example we have our INSIDE, OUTSIDE and DMZ interfaces. The security levels of these interfaces are:
- INSIDE: 100
- OUTSIDE: 0
- DMZ: 50
Traffic may flow from a “high” security level to a “low” security level without any extra configuration, so hosts on the INSIDE can reach the DMZ and the OUTSIDE, and hosts on the DMZ can reach the OUTSIDE. Return traffic for those connections is allowed by the stateful inspection; traffic that is initiated from a low level towards a high level (for example from the OUTSIDE to the DMZ) is dropped unless you explicitly permit it with an access-list. We will configure NAT for the following traffic patterns:
- Traffic from hosts on the INSIDE to the OUTSIDE, we’ll use a “public” pool for this.
- Traffic from hosts on the INSIDE to the DMZ, we’ll use a “DMZ” pool for this.
- Traffic from hosts on the DMZ to the OUTSIDE, we’ll use the same public pool for this.
Here’s what a visualization of these NAT rules looks like:
Let’s start by configuring the interfaces:
ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# interface e0/2
ASA1(config-if)# nameif DMZ
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 192.168.3.254 255.255.255.0
ASA1(config-if)# no shutdown
The INSIDE and OUTSIDE security levels were not configured explicitly: the ASA assigns security level 100 to an interface named inside and 0 to any other interface by default, which is why I only had to set the DMZ to 50 myself. Now let’s look at the dynamic NAT configuration…
Dynamic NAT with three Interfaces
First we will create the pools:
ASA1(config)# object network PUBLIC_POOL
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200
ASA1(config)# object network DMZ_POOL
ASA1(config-network-object)# range 192.168.3.100 192.168.3.200
I use a range of IP addresses from the subnets that are configured on the OUTSIDE and DMZ interfaces. Make sure these ranges do not overlap with the interface addresses themselves or with any host on those segments, because the ASA will answer ARP requests for the mapped addresses. Now we can create some network objects for the NAT translations:
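The NAT statements themselves are cut off from the page here. The following is an added, complete version of the three translations described above; it is my own example, not the lesson’s original configuration. The object names INSIDE_TO_OUTSIDE, INSIDE_TO_DMZ and DMZ_TO_OUTSIDE are my choice, the `interface` fallback is an addition the lesson does not mention, and the hosts 192.168.1.1, 192.168.3.1 and 192.168.2.1 used in the verification commands are assumed to exist on the INSIDE, DMZ and OUTSIDE segments.

```cisco
! A network object can carry only one "nat" statement, so the INSIDE subnet
! needs one object per (real,mapped) interface pair. Object names are assumed.
ASA1(config)# object network INSIDE_TO_OUTSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
! "interface" at the end falls back to PAT on the OUTSIDE interface address
! once the 101 addresses of PUBLIC_POOL are all in use (added here, optional).
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL interface
!
ASA1(config)# object network INSIDE_TO_DMZ
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,DMZ) dynamic DMZ_POOL
!
ASA1(config)# object network DMZ_TO_OUTSIDE
ASA1(config-network-object)# subnet 192.168.3.0 255.255.255.0
! The same mapped pool can be referenced by more than one rule.
ASA1(config-network-object)# nat (DMZ,OUTSIDE) dynamic PUBLIC_POOL interface
!
! Verification: list the rules, then simulate a packet from each real network
! through the rule base and look at the NAT phase of the output.
ASA1# show nat
ASA1# packet-tracer input INSIDE tcp 192.168.1.1 12345 192.168.2.1 80
ASA1# packet-tracer input INSIDE tcp 192.168.1.1 12345 192.168.3.1 80
ASA1# packet-tracer input DMZ tcp 192.168.3.1 12345 192.168.2.1 80
! Active translations appear here once real traffic has passed.
ASA1# show xlate
```

In the packet-tracer output the NAT phase names the matching object and shows the address taken from the pool; the DMZ-bound packet from the INSIDE host must be translated to a DMZ_POOL address and the OUTSIDE-bound packets to a PUBLIC_POOL address. Without the `interface` keyword a dynamic NAT rule has no fallback: when all 101 pool addresses (192.168.2.100 to 192.168.2.200) are held by concurrent translations, connections from the next host are dropped, which `show nat` will reflect in the hit counters but not in any log that an end user sees.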
Accidentally, I have to implement a DMZ configuration on an outdated and unmaintained ASA 5510 firewall (ASA version 8.0(3)6, ASDM version 6.0). After diving into the manual and some forum posts, I’ve learned that there was a major CLI syntax change with the 8.3 firmware.
Unfortunately, I have to implement the following config on this old CLI version, where I have three interfaces:
inside 192.168.10.1 255.255.255.0
outside 1.2.3.4 255.255.255.0 (example…)
DMZ 172.28.0.1 255.255.255.0
The DMZ has one host, a web server at 172.28.0.15
I have three objectives to ...

Hi Zaman,
Here’s how it works:
This basically does two things:
We use this so a server on the INS...

By default the FW allows from Inside to DMZ, so that means I am on the Inside network and I can RDP to my Windows server in the DMZ. It can be bad in some cases,
and if I want to block RDP from Inside to DMZ, I will need to configure an access list?
Thank you
Thanks again Laz!
I will try this again tomorrow on Devnet rather than GNS3.
Kind Regards
Frank