From: Andrew Hodgson on
Hi,

I have 3 DMZs and an inside network.

Inside network is 192.168.1.0/24, DMZ1 is 192.168.2.0/24, DMZ2 is
3.0/24, and DMZ 3 is 4.0/24.

I want all networks to be able to talk to each other without NAT
(there will be ACLs however).

Currently I have NAT statements like this:

static (inside,dmz1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz3) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

These allow any host from 192.168.1.0/24 to talk to the DMZs (ACL
permitting of course).

However, what is the most efficient way to get all the DMZs talking to
each other without NAT? Do I have to use commands like:

static (dmz1,dmz2) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (dmz1,dmz3) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (dmz2,dmz1) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz2,dmz3) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz3,dmz1) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (dmz3,dmz2) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

Is there a more efficient or secure way?

Thanks.
Andrew.
From: Morph on
In the message <ac6a26pgsbvdid7kgr586g5kvqsks5707q(a)news.giganews.com>
Andrew Hodgson wrote:

| I have 3 DMZs and an inside network.
|
| Inside network is 192.168.1.0/24, DMZ1 is 192.168.2.0/24, DMZ2 is
| 3.0/24, and DMZ 3 is 4.0/24.
|
| I want all networks to be able to talk to each other without NAT
| (there will be ACLs however).
|
| Currently I have NAT statements like this:

| However, what is the most efficient way to get all the DMZs talking to
| each other without NAT? Do I have to use commands like:
| Is there a more efficient or secure way?

You can disable the nat control feature.
The command is: no nat-control
After this you don't need to have nat statements for traffic that goes
from one interface to another.
From: Igor Mamuzić aka Pseto on
On 25.6.2010. 23:09, Andrew Hodgson wrote:
> Hi,
>
> I have 3 DMZs and an inside network.
>
> Inside network is 192.168.1.0/24, DMZ1 is 192.168.2.0/24, DMZ2 is
> 3.0/24, and DMZ 3 is 4.0/24.
>
> I want all networks to be able to talk to each other without NAT
> (there will be ACLs however).
>
>
>

The best way is to use no nat-control command, so that firewall doesn't
require NAT between network segments. However, if you need to use NAT
from your LAN to the Internet for example then you must (despite 'no
nat-control') apply NAT /identity NAT / NAT exception rule to that
traffic going to any lower security level interfaces.
So, in your case it's best to use nat 0 (nat exception) for traffic
flowing between your network segments. I think that you even can try to
use same security level for all DMZs to avoid need for NAT, but I'm not
sure about it, but doing that you lose ASA's ability to filter traffic
without configuring giant access-lists.

Igor
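Putting Morph's and Igor's suggestions together, here is an added example configuration (not the posters' own, and not from Andrew's running config) of the "nat 0 with an access-list" approach. It assumes an ASA/PIX running pre-8.3 software (where nat-control and nat 0 exist), interfaces named inside, dmz1, dmz2, dmz3 and outside, the four /24s from the original post, and a plain dynamic PAT to the outside interface for Internet traffic; the ACL names are made up for the example.

```cisco
! Stop the firewall from requiring a NAT rule for every interface pair.
no nat-control

! One NAT-exemption ACL per interface: source is that interface's own subnet,
! destinations are the other three internal subnets. Traffic matching these
! is passed untranslated regardless of security level.
access-list NONAT_INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT_INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NONAT_INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list NONAT_DMZ1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT_DMZ1 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NONAT_DMZ1 extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list NONAT_DMZ2 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT_DMZ2 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT_DMZ2 extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list NONAT_DMZ3 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT_DMZ3 extended permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT_DMZ3 extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0

! nat 0 (NAT exemption) is evaluated before any other nat statement,
! so the inter-segment traffic above is never translated.
nat (inside) 0 access-list NONAT_INSIDE
nat (dmz1) 0 access-list NONAT_DMZ1
nat (dmz2) 0 access-list NONAT_DMZ2
nat (dmz3) 0 access-list NONAT_DMZ3

! Everything else from the internal interfaces (i.e. Internet-bound traffic)
! still gets PAT'd to the outside interface address, as Igor notes is required.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
nat (dmz2) 1 0.0.0.0 0.0.0.0
nat (dmz3) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! NAT exemption only removes the translation requirement; filtering is still
! done by the interface ACLs. Example: DMZ1 may reach the inside only on a
! single service, and is otherwise blocked (hypothetical host/service).
access-list DMZ1_IN extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 1433
access-list DMZ1_IN extended deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ1_IN extended permit ip 192.168.2.0 255.255.255.0 any
access-group DMZ1_IN in interface dmz1
```

This keeps the per-interface exemption list to three lines per segment instead of the six pairwise static statements in the original post, and grows linearly rather than quadratically if a fourth DMZ is added. Igor's alternative of giving all DMZs the same security level would additionally require `same-security-traffic permit inter-interface`, and, as he points out, the interface ACLs then become the only control between those segments.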