Weird NAT issue on DMZ

tahscolony
Level 1

We have an issue where, if we do not use the interface as the translated source, the packet will not route to the inside interface. It is the public-to-private translation to the DMZ from outside. Outside to DMZ has no issues, but when the server tries to make a connection to an inside server, the packet hits the DMZ interface and tries to get routed to the outside when using a regular NAT rule. When we change the rule so the source address is "original", it continues to work, but when the server reboots, it cannot re-establish a connection unless we set the source to the DMZ interface.

Rule that works:

nat (outside,DMZ) source static any interface destination static SFTP-Outside SFTP-Inside

Rule that quits working after the server reboots when we change to it:

nat (outside,DMZ) source static any any destination static SFTP-Outside SFTP-Inside

Do I need a second NAT rule for the inside? If so, what should it be?

nat (DMZ,inside) source static any interface destination static SFTP-Inside SFTP-Inside ?

Accepted Solution

nat (outside,DMZ) source static any interface destination static SFTP-Outside SFTP-Inside <- why this NAT? Replace it with

nat (DMZ,outside) source static SFTP-Inside SFTP-Outside

since only the DMZ server is translated.

For DMZ to Inside you need

nat (Inside,DMZ) source static any any destination static SFTP-Inside SFTP-Inside route-lookup <- this is the no-NAT rule that lets clients on Inside connect to the DMZ private IP address.
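As an added example, not taken from the thread and not Cisco's or either poster's configuration, here is how the accepted answer's two rules fit into a complete ASA 8.3+ manual-NAT configuration. The object names SFTP-Inside and SFTP-Outside are the thread's; the host addresses, the inside client address, and the interface names are constructed placeholders. Manual NAT rules are evaluated in order and the first match wins, so the identity (no-NAT) rule is listed before the static rule: otherwise a DMZ-to-inside packet sourced from the server can match the (DMZ,outside) rule first and be sent out the outside interface, which is the symptom the question describes.

```cisco
! --- Objects (host addresses are constructed placeholders; object names are from the thread)
object network SFTP-Inside
 host 10.10.20.5
 description Real (DMZ-side) address of the SFTP server
object network SFTP-Outside
 host 203.0.113.10
 description Public address the SFTP server is published on

! --- Section 1 manual NAT, evaluated top to bottom, first match wins.
! Identity NAT between Inside and DMZ: real addresses are kept in both directions.
! route-lookup tells the ASA to pick the egress interface from the routing table
! rather than from the (Inside,DMZ) interface pair of this rule.
nat (Inside,DMZ) source static any any destination static SFTP-Inside SFTP-Inside route-lookup

! Static NAT that publishes the DMZ server to the outside world.
! Being bidirectional, it also covers inbound outside->DMZ connections to SFTP-Outside.
nat (DMZ,outside) source static SFTP-Inside SFTP-Outside

! --- Verification
! Show the rule table with per-rule hit counts (untranslate_hits should rise on the static rule
! for inbound sessions, translate_hits on the identity rule for DMZ->Inside traffic).
show nat detail

! Simulate the problem flow from the question: DMZ server (10.10.20.5) opening a connection
! to an inside host (10.10.10.50, constructed) on TCP/22. The NAT phase of the output names
! the rule that matched and the egress interface; it should be the identity rule and "Inside".
packet-tracer input DMZ tcp 10.10.20.5 1025 10.10.10.50 22 detailed

! And the inbound publication path from an outside client (198.51.100.7, constructed).
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 22 detailed
```

After the change, the quickest way to confirm the fix survived the server reboot is the first packet-tracer line: if its NAT phase still reports the (DMZ,outside) rule and egress "outside", the rule order is wrong and the identity rule needs to move above the static rule.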


2 Replies


That's what I was missing! I have been away from the ASA for far too long and forgot half of what I know. I will see about getting a maintenance window and get them changed and tested. Thanks.
