Cisco ASA Dynamic NAT with DMZ

In a previous lesson I explained how to configure dynamic NAT from the inside to the outside. In this lesson we add a DMZ and some more NAT translations. Here’s the topology that we will use:

(Topology diagram: ASA1 with INSIDE, OUTSIDE and DMZ interfaces)

In this example we have our INSIDE, OUTSIDE and DMZ interfaces. The security levels of these interfaces are:

  • INSIDE: 100
  • OUTSIDE: 0
  • DMZ: 50

Traffic is allowed by default from a “high” security level to a “low” security level, so hosts on the INSIDE can reach the DMZ and OUTSIDE, and hosts on the DMZ can reach the OUTSIDE. We will configure NAT for the following traffic patterns:

  • Traffic from hosts on the INSIDE to the OUTSIDE: translated to a “public” pool.
  • Traffic from hosts on the INSIDE to the DMZ: translated to a “DMZ” pool.
  • Traffic from hosts on the DMZ to the OUTSIDE: translated to the same public pool.

Here’s what a visualization of these NAT rules looks like:

(Diagram: ASA1 INSIDE, OUTSIDE and DMZ NAT translations)

Let’s start by configuring the interfaces:

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# int e0/2
ASA1(config-if)# nameif DMZ
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 192.168.3.254 255.255.255.0
ASA1(config-if)# no shutdown

The INSIDE and OUTSIDE interfaces keep their default security levels (100 and 0); the DMZ I set to 50 explicitly. Now let’s look at the dynamic NAT configuration…

Dynamic NAT with three Interfaces

First we will create the pools:

ASA1(config)# object network PUBLIC_POOL
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200
ASA1(config)# object network DMZ_POOL
ASA1(config-network-object)# range 192.168.3.100 192.168.3.200

Each pool is a range of IP addresses taken from the subnet configured on the OUTSIDE and DMZ interface respectively. Now we can create some network objects for the NAT translations:
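The following block is an added example and not the lesson’s own continuation: it finishes the dynamic NAT configuration for the three traffic patterns listed above and then verifies it. Each interface pair gets its own network object because a network object can carry only one nat statement. The object names INSIDE_TO_OUTSIDE and INSIDE_TO_DMZ are the ones the forum thread refers to; DMZ_TO_OUTSIDE and the host addresses used in the packet-tracer commands (R1 192.168.1.1, R2 192.168.2.2, R3 192.168.3.3) are assumptions.

```cisco
! Added example, not part of the original lesson. One object per interface pair,
! because a network object can only hold a single nat statement.
object network INSIDE_TO_OUTSIDE
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL
!
object network INSIDE_TO_DMZ
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,DMZ) dynamic DMZ_POOL
!
! DMZ_TO_OUTSIDE is an assumed name; it reuses the same public pool.
object network DMZ_TO_OUTSIDE
 subnet 192.168.3.0 255.255.255.0
 nat (DMZ,OUTSIDE) dynamic PUBLIC_POOL
!
! Verification: list the rules, then trace constructed flows without sending
! real traffic. Each trace should end in ALLOW and show the NAT phase that
! picked an address from the pool.
show nat
packet-tracer input INSIDE tcp 192.168.1.1 40000 192.168.2.2 80
packet-tracer input INSIDE tcp 192.168.1.1 40000 192.168.3.3 80
packet-tracer input DMZ tcp 192.168.3.3 40000 192.168.2.2 80
!
! Active translations, one per real host that has sent traffic
show xlate
```

One caveat a practitioner should keep in mind: a dynamic NAT pool is one-to-one per real host, so once all 101 addresses in PUBLIC_POOL are in use, new connections from additional hosts on the INSIDE or DMZ are dropped rather than translated. If that is not acceptable, appending the `interface` keyword to the nat statement (for example `nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL interface`) adds PAT to the interface address as a fallback once the pool is exhausted.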

Forum Replies

  1. Hi Rene

    As far as I know, by default, the ASA will block all traffic from a lower into a higher security area.
    In this example, I can’t ping from R1 to 192.168.2.2 and 192.168.3.3 but I can telnet to them.
    Why is it?

    If we don’t create access-lists like the ones below:

    access-list inside-in extended permit ip any any
    access-list outside-in extended permit ip any any
    access-list dmz-in extended permit ip any any
    
    access-group inside-in in interface INSIDE
    access-group outside-in in interface OUTSIDE
    access-group dmz-in in interface DMZ
    

    I can’t ping them!

    Thank you!
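
The behaviour described in the reply above (telnet works, ping does not) is what the ASA does when ICMP is not inspected: the echo request leaves through the NAT rule, but the reply is not matched to a connection and is dropped on the lower-security interface. The following block is an added example, not part of the thread or the lesson: it enables ICMP inspection in the default global policy (policy-map and class names as they exist in the ASA default configuration) so that replies are tracked statefully, without opening the OUTSIDE or DMZ interfaces with a permit ip any any access-list.

```cisco
! Added example. Enable stateful ICMP inspection in the default global policy
! so echo replies are matched to the outbound echo requests.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify that a reply from the outside is now allowed back to the real host.
! R1 192.168.1.1 and R2 192.168.2.2 are assumed addresses; the traced reply
! is addressed to the pool address that R1's request was translated to.
show service-policy inspect icmp
show xlate
```

Note the difference from the access-lists posted in the reply: applying `permit ip any any` inbound on the OUTSIDE or DMZ interface does make ping work, but it also replaces the security-level protection for that interface, so any host outside can then initiate connections towards the INSIDE. ICMP inspection solves the ping problem while keeping the default high-to-low policy intact.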

  2. Hi Rene

    I have a situation quite like your example.
    In your example, the DMZ zone was assigned a public IP. We can access R3 from R1 (via NAT INSIDE_TO_DMZ) and R2 (via INSIDE_TO_OUTSIDE).
    If the DMZ zone is assigned a private IP address and the DMZ needs to be reachable publicly (needing a public IP range from the outside interface), we use static NAT or port forwarding to point to the real server by its private IP, plus some access-lists on ASA1; then OUTSIDE can access the DMZ.
    But how can INSIDE access the DMZ via the public IP?

    Thanks

  3. Hi Zaman,

    Here’s how it works:

    ASA1(config)# object network SERVER
    ASA1(config-network-object)# host 192.168.1.1
    ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static 192.168.2.200
    

    This basically does two things:

    • When a packet enters the INSIDE and exits the OUTSIDE, and the source IP address is 192.168.1.1 then we translate the source address to 192.168.2.200.
    • When a packet enters the OUTSIDE and exits the INSIDE, and the destination IP address is 192.168.2.200 then we translate the destination address to 192.168.1.1.

    We use this so a server on the INS

    ... Continue reading in our forum

  4. By default the FW allows traffic from Inside to DMZ, so that means I am on the Inside network and I can RDP to my Windows server in the DMZ. It can be bad in some cases,
    and if I want to block RDP from Inside to DMZ will I need to configure an access list?

    Thank you
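
As an added example (not a reply from the thread), here is how the restriction asked about above can be expressed on the ASA: an access-list applied inbound on INSIDE that denies RDP (TCP 3389) towards the DMZ server and permits everything else. The ACL name INSIDE_IN and the server address 192.168.3.3 are assumptions. Two points matter for correctness: the ACL is applied to the higher-security interface, and the trailing permit is required because applying any ACL to an interface replaces the implicit security-level permit for that interface.

```cisco
! Added example. Deny RDP from the INSIDE subnet to the DMZ server, keep the
! rest of the high-to-low traffic. ACLs match real (untranslated) addresses.
access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host 192.168.3.3 eq 3389
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface INSIDE
!
! Verify: the trace should end in DROP at the ACCESS-LIST phase for RDP,
! while another port to the same server is still allowed. R1 192.168.1.1 is
! an assumed address.
packet-tracer input INSIDE tcp 192.168.1.1 50000 192.168.3.3 3389
packet-tracer input INSIDE tcp 192.168.1.1 50000 192.168.3.3 443
!
! Hit counts per ACE show whether the deny line is actually being matched.
show access-list INSIDE_IN
```

Tightening the trailing `permit ip any any` to only the services the INSIDE really needs on the DMZ is the usual next step; the deny line above is the minimum change that answers the question.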

  5. Thanks again Laz!
    I will try this again tomorrow on Devnet rather than GNS3.
    Kind Regards
    Frank
