Bi-Directional NAT using DMZ instead of Outside interface

L3 Networker

The reason for this post is I'm collapsing 2 ASAs that are configured one in front of the other into a single PANW firewall. The DMZ interface on the inside ASA is technically treated as the "outside" interface. All NAT is performed on this DMZ interface. After the collapse, the DMZ interface will still exist but a true Outside interface will not be there. NAT has to stay associated with the DMZ IP space because we only have a /30 for the Outside interface.

From reading the NAT Tech Note I think I understand this but wanted to run it by here just in case.

3 interfaces. Assume these are the zone names as well:

Inside     192.168.0.1/24
DMZ        2.2.2.1/24
Outside    1.1.1.1/30
Wireless   172.16.0.1/24

DMZ addresses are public IPs.

DMZ has servers assigned with IPs in this address space.  The rest of the address space is used for bi-directional NAT.

Outside interface is the default route to the Internet.

Regular inside traffic going to the Internet is SNAT'ed via the Outside interface IP.

Wireless traffic going to the Internet uses a DMZ address for SNAT dynamic IP & port.

Creating a bi-directional NAT with the NAT address of 2.2.2.2 for internal server IP 192.168.0.2 would be:

Src Zone   Src IP        Dst Zone   Static NAT IP (bi-directional = yes)
Inside     192.168.0.2   DMZ        2.2.2.2

For the Wireless subnet SNAT using 2.2.2.3, it would be:

Src Zone   Src IP          Dst Zone   NAT IP (dynamic IP & port)
Inside     172.16.0.1/24   DMZ        2.2.2.3

The Dst Zone would be DMZ because when the route lookup is performed, the closest route is the directly connected route for the DMZ interface.

The Security Policy allowing Internet traffic to reach the internal server would be:

Src Zone   Src IP        Dst Zone   Dst IP    Action
Outside    any           Inside     2.2.2.2   Allow
Inside     192.168.0.2   Outside    Any       Allow

The security policy for the Wireless traffic would be:

Src Zone   Src IP   Dst Zone   Dst IP   Action
Wireless   any      Outside    any      Allow

Am I understanding this correctly?

Thanks.

Message was edited by Matt Ausmus: Updated to add wireless SNAT dynamic IP and port.

1 reply

L3 Networker

So, I got access to a PAN FW that I could use for testing and answered my question.  For anyone else who happens across the issue here's what I found.

You can't use the bi-directional button. You have to create separate NATs for the DNAT & SNAT portions.

These are the NAT configs to be as close to bi-directional as possible. Outside IP is 2.2.2.2 and the inside server IP is 192.168.10.2.

Src Zone   Src IP        Dst Zone   Static NAT IP (bi-directional = no)
Inside     192.168.0.2   Outside    2.2.2.2

Src Zone   Src IP    Dst Zone   Translated Address   Translated Port
Outside    2.2.2.2   DMZ        192.168.10.2         any

For the SNAT using a single IP NAT pool:

Src Zone   Src IP          Dst Zone   NAT IP (dynamic IP & port)
Inside     172.16.0.1/24   Outside    2.2.2.3

The security policies listed above are correct.
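The reason the NAT rules point at DMZ for inbound traffic while the security policy points at Inside (and still uses 2.2.2.2 as the destination) is the lookup order: a NAT rule is matched against the zone found by routing the original destination address, while a security rule is matched against pre-NAT addresses but the post-NAT destination zone. The following Python is an added example, not configuration from this thread or from Palo Alto Networks. It models that order over the zones, subnets and addresses given above, using the reply's separate SNAT and DNAT rules. Assumptions: rule names are invented; the server is taken as 192.168.0.2 (the reply also writes 192.168.10.2); the DNAT rule's 2.2.2.2 is modelled as a destination match, since that is the address it translates; the wireless subnet is placed in the Wireless zone as the security policy implies; ports are not modelled; the Internet hosts 203.0.113.5 and 198.51.100.7 are constructed sample addresses.

```python
"""Model of the PAN-OS NAT / security-policy lookup order (added example,
not the thread's own configuration). Zone names equal interface names."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Routing table from the post: four connected routes plus the default route
# via the Outside interface.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), "Inside"),
    (ipaddress.ip_network("2.2.2.0/24"), "DMZ"),        # public IPs live here
    (ipaddress.ip_network("1.1.1.0/30"), "Outside"),
    (ipaddress.ip_network("172.16.0.0/24"), "Wireless"),
    (ipaddress.ip_network("0.0.0.0/0"), "Outside"),     # default route
]


def egress_zone(dst_ip: str) -> str:
    """Longest-prefix route lookup; returns the zone of the egress interface."""
    ip = ipaddress.ip_address(dst_ip)
    best = max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def _matches(ip: str, spec: str) -> bool:
    """'any' or host/CIDR membership test for a rule's address field."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    src: str
    dst: str
    snat: Optional[str] = None   # translated source address
    dnat: Optional[str] = None   # translated destination address


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    src: str
    dst: str
    action: str


# The reply's answer: separate static SNAT and DNAT rules (bi-directional = no)
# plus dynamic-IP-and-port SNAT for the wireless subnet. Names are invented.
NAT_RULES = [
    NatRule("Server-SNAT", "Inside", "Outside", "192.168.0.2", "any", snat="2.2.2.2"),
    NatRule("Server-DNAT", "Outside", "DMZ", "any", "2.2.2.2", dnat="192.168.0.2"),
    NatRule("Wireless-SNAT", "Wireless", "Outside", "172.16.0.0/24", "any", snat="2.2.2.3"),
]

# Security policy from the post: pre-NAT destination IP, post-NAT destination zone.
SECURITY_RULES = [
    SecurityRule("Inbound-Server", "Outside", "Inside", "any", "2.2.2.2", "allow"),
    SecurityRule("Server-Outbound", "Inside", "Outside", "192.168.0.2", "any", "allow"),
    SecurityRule("Wireless-Internet", "Wireless", "Outside", "any", "any", "allow"),
]


def apply_nat(src_zone, src_ip, dst_ip, nat_rules=NAT_RULES):
    """First matching NAT rule wins. The rule's destination zone is compared with
    the zone obtained by routing the ORIGINAL destination (why 2.2.2.2 -> DMZ)."""
    pre_nat_dst_zone = egress_zone(dst_ip)
    for r in nat_rules:
        if (r.from_zone == src_zone and r.to_zone == pre_nat_dst_zone
                and _matches(src_ip, r.src) and _matches(dst_ip, r.dst)):
            return r.snat or src_ip, r.dnat or dst_ip, r.name
    return src_ip, dst_ip, None


def evaluate(src_zone, src_ip, dst_ip, nat_rules=NAT_RULES, security_rules=SECURITY_RULES):
    """Return the security verdict together with the NAT state the packet leaves with."""
    nat_src, nat_dst, nat_name = apply_nat(src_zone, src_ip, dst_ip, nat_rules)
    post_nat_zone = egress_zone(nat_dst)   # second route lookup, on the translated dst
    verdict = {"action": "deny", "nat_rule": nat_name, "security_rule": None,
               "post_nat_src": nat_src, "post_nat_dst": nat_dst, "dst_zone": post_nat_zone}
    for r in security_rules:
        # Addresses are still the pre-NAT ones; only the destination zone is post-NAT.
        if (r.from_zone == src_zone and r.to_zone == post_nat_zone
                and _matches(src_ip, r.src) and _matches(dst_ip, r.dst)):
            verdict.update(action=r.action, security_rule=r.name)
            break
    return verdict


if __name__ == "__main__":
    # Constructed sample flows; the 203.0.113.x / 198.51.100.x hosts stand in for the Internet.
    for flow in [("Outside", "203.0.113.5", "2.2.2.2"),
                 ("Wireless", "172.16.0.10", "198.51.100.7"),
                 ("Inside", "192.168.0.2", "198.51.100.7"),
                 ("Outside", "203.0.113.5", "2.2.2.3")]:
        print(flow, "->", evaluate(*flow))
```

The fourth sample flow is the useful negative case: an Internet host sending to 2.2.2.3, the wireless SNAT pool address, matches no DNAT rule, so its post-NAT zone stays DMZ and no Outside-to-DMZ security rule exists, which is why the one-directional SNAT does not expose the wireless clients. Swapping the inbound security rule's destination for the post-NAT address 192.168.0.2 makes that flow fail to match, which is the mistake the pre-NAT-address convention guards against.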
