In previous lessons I explained how you can use dynamic NAT or PAT so that your hosts or servers on the inside of your network are able to access the outside world. This is great, but it's only for outbound traffic, or in ASA terminology: traffic from a higher security level going to a lower security level.
What if an outside host on the Internet wants to reach a server on our inside or DMZ? This is impossible with only dynamic NAT or PAT. When we want to achieve this we have to do two things:
Imagine that R1 is a webserver on the DMZ while R2 is some host on the Internet that wants to reach our webserver. Let's configure our firewall so that this is possible.
The configuration above tells the ASA that whenever an outside device connects to IP address 192.168.2.200, it should be translated to IP address 192.168.1.1. This takes care of NAT, but we still have to create an access-list or the traffic will be dropped:
ASA1(config)# access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.1.1 eq www
The access-list above allows any source IP address to connect to IP address 192.168.1.1. When using ASA version 8.3 or later you need to specify the real IP address, not the NAT translated address. Let's activate this access-list:
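The real-versus-mapped-address rule above is easy to get wrong when a server is reachable under a NAT address. The following added example (not part of the original lesson) parses a constructed ASA 8.3+ config fragment, pairs each static NAT mapped address with its real host, and flags access-list entries that reference the mapped address instead of the real one. The `object network` / `nat (DMZ,OUTSIDE) static` lines are assumed 8.3+ syntax; the ACL and access-group lines follow the lesson.

```python
"""Flag inbound ACL entries that use the NAT mapped IP instead of the real IP.

Added example, not the lesson's own code. SAMPLE_CONFIG is constructed; the
object-network NAT lines are assumed ASA 8.3+ syntax.
"""
import re

# Constructed config: one correct ACL line (real IP) and one broken line
# (mapped IP), so the checker has something to find.
SAMPLE_CONFIG = """
object network WEB_SERVER
 host 192.168.1.1
 nat (DMZ,OUTSIDE) static 192.168.2.200
access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.1.1 eq www
access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.2.200 eq www
access-group OUTSIDE_TO_DMZ in interface OUTSIDE
"""


def parse_static_nat(config):
    """Return {mapped_ip: real_ip} for 'object network' static NAT entries."""
    mapping, real = {}, None
    for line in config.splitlines():
        if line.startswith("object network"):
            real = None  # new object: forget the previous host address
        m = re.match(r"\s+host (\S+)", line)
        if m:
            real = m.group(1)
        m = re.match(r"\s+nat \(\S+\) static (\d+\.\d+\.\d+\.\d+)", line)
        if m and real:
            mapping[m.group(1)] = real
    return mapping


def find_acl_on_mapped_ip(config):
    """Return (acl_line, real_ip) for ACL entries whose destination is a
    mapped address. On ASA 8.3+ the ACL is evaluated against the real IP,
    so such entries never match and the translated connection is dropped.
    Only 'any' (single-token) sources are handled here (simplifying assumption).
    """
    mapped = parse_static_nat(config)
    bad = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit \S+ \S+ host (\S+)", line)
        if m and m.group(2) in mapped:
            bad.append((line.strip(), mapped[m.group(2)]))
    return bad


if __name__ == "__main__":
    for acl_line, real_ip in find_acl_on_mapped_ip(SAMPLE_CONFIG):
        print(f"uses mapped IP, should be {real_ip}: {acl_line}")
```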
ASA1(config)# access-group OUTSIDE_TO_DMZ in interface OUTSIDE
This enables the access-list on the outside interface. Let's telnet from R2 to R1 on TCP port 80 to see if it works:
R2#telnet 192.168.2.200 80
Trying 192.168.2.200 ... Open
Great, we are able to connect from R2 to R1. Let's take a look at the ASA to verify some things:
ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.1.1 to OUTSIDE:192.168.2.200
flags s idle 0:08:44 timeout 0:00:00
ASA1# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_TO_DMZ; 1 elements; name hash: 0xe96c1ef3
access-list OUTSIDE_TO_DMZ line 1 extended permit tcp any host 192.168.1.1 eq
www (hitcnt=6) 0x408b914e
Above you can see the static NAT entry and also the hit on the access-list. Everything is working as it is supposed to be.
The topology above is the exact same as the previous example, but I have added R3 to the DMZ. Now imagine that our ISP gave us a pool of IP addresses, let's say 10.10.10.0/24. We can use this pool to translate all the servers in the DMZ. Let me show you how: