04-18-2014 03:44 PM
The reason for this post is I'm collapsing 2 ASAs that are configured one in front of the other into a single PANW firewall. The DMZ interface on the inside ASA is technically treated as the "outside" interface. All NAT is performed on this DMZ interface. After the collapse, the DMZ interface will still exist but a true Outside interface will not be there. NAT has to stay associated with the DMZ IP space because we only have a /30 for the Outside interface.
From reading the NAT Tech Note I think I understand this but wanted to run it by here just in case.
3 interfaces. Assume these are the zone names as well:
Inside 192.168.0.1/24
DMZ 2.2.2.1/24
Outside 1.1.1.1/30
Wireless 172.16.0.1/24
DMZ addresses are public IPs.
DMZ has servers assigned with IPs in this address space. The rest of the address space is used for bi-directional NAT.
Outside interface is the default route to the Internet.
Regular inside traffic going to the Internet is SNAT'ed via the Outside interface IP.
Wireless traffic going to the Internet uses a DMZ address for SNAT dynamic IP & port.
Creating a bi-directional NAT with the NAT address of 2.2.2.2 for internal server IP 192.168.0.2 would be:
Static
Src Zone | Src IP      | Dst Zone | NAT IP (bi-directional = yes)
Inside   | 192.168.0.2 | DMZ      | 2.2.2.2
For the Wireless subnet SNAT using 2.2.2.3, it would be:
Src Zone | Src IP        | Dst Zone | NAT IP (dynamic IP & port)
Inside   | 172.16.0.1/24 | DMZ      | 2.2.2.3
The Dst Zone would be DMZ because when the route lookup is performed, the closest route is the directly connected route for the DMZ interface.
The Security Policy allowing Internet traffic to reach the internal server would be:
Src Zone | Src IP      | Dst Zone | Dst IP  | Action
Outside  | any         | Inside   | 2.2.2.2 | Allow
Inside   | 192.168.0.2 | Outside  | Any     | Allow
The security policy for the Wireless traffic would be:
Src Zone | Src IP | Dst Zone | Dst IP | Action
Wireless | any    | Outside  | any    | Allow
Am I understanding this correctly?
Thanks.
Message was edited by: Matt Ausmus. Updated to add wireless SNAT dynamic IP and port.
04-26-2014 07:19 AM
So, I got access to a PAN FW that I could use for testing and answered my question. For anyone else who happens across the issue, here's what I found.
You can't use the bi-directional button. You have to create separate NATs for the DNAT & SNAT portions.
These are the NAT configs to be as close to bi-directional as possible. Outside IP is 2.2.2.2 and the inside server IP is 192.168.10.2
Static
Src Zone | Src IP      | Dst Zone | NAT IP (bi-directional = no)
Inside   | 192.168.0.2 | Outside  | 2.2.2.2
Src Zone | Src IP  | Dst Zone | Translated Address | Translated Port
Outside  | 2.2.2.2 | DMZ      | 192.168.10.2       | any
For the SNAT using a single IP NAT pool:
Src Zone | Src IP        | Dst Zone | NAT IP (dynamic IP & port)
Inside   | 172.16.0.1/24 | Outside  | 2.2.2.3
The security policies listed above are correct.
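The zone logic that trips people up in this design is that PAN-OS matches NAT rules on pre-NAT zones (the destination zone comes from a route lookup of the original destination address, which is why 2.2.2.2 lands in the DMZ zone rather than Outside), while security policy matches on the post-NAT destination zone but still on the pre-NAT addresses. The following is an added example, not code from the thread or from Palo Alto Networks: a small Python model of that evaluation order, loaded with the routes and the final (non-bi-directional) NAT and security rules from the two posts. Assumptions not stated on the page: the published server is 192.168.0.2 in the Inside /24 (the second post mixes 192.168.0.2 and 192.168.10.2), the wireless subnet's SNAT rule is matched from the Wireless zone (the zone the security policy uses), the Internet host 203.0.113.10 is a constructed test address, and interzone traffic with no matching rule is denied.

```python
"""Model of PAN-OS NAT and security-policy evaluation for the thread's design.

NAT rules match on pre-NAT zones: the destination zone is the zone of the
egress interface found by a route lookup on the ORIGINAL destination IP.
Security policy matches on the post-NAT destination zone but on pre-NAT
addresses. Routes, rules and test addresses below are constructed from the
thread; the server address 192.168.0.2 and the Wireless ingress zone for the
wireless SNAT rule are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed routing table: connected routes plus a default route via Outside.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), "Inside"),
    (ipaddress.ip_network("2.2.2.0/24"), "DMZ"),
    (ipaddress.ip_network("1.1.1.0/30"), "Outside"),
    (ipaddress.ip_network("172.16.0.0/24"), "Wireless"),
    (ipaddress.ip_network("0.0.0.0/0"), "Outside"),
]


def zone_for(ip: str) -> str:
    """Longest-prefix-match route lookup; the egress interface's zone is the
    destination zone. 2.2.2.2 hits the connected DMZ /24, not the default route."""
    addr = ipaddress.ip_address(ip)
    candidates = [(net, zone) for net, zone in ROUTES if addr in net]
    return max(candidates, key=lambda t: t[0].prefixlen)[1]


def matches(spec: str, ip: str) -> bool:
    """Address object match: "any" or a host/CIDR."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                 # pre-NAT destination zone (route lookup of original dst)
    src: str                     # "any" or CIDR, pre-NAT
    dst: str                     # "any" or CIDR, pre-NAT
    snat: Optional[str] = None   # translated source (static-ip or dynamic-ip-and-port)
    dnat: Optional[str] = None   # translated destination


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str                 # post-NAT destination zone
    src: str                     # pre-NAT addresses
    dst: str
    action: str = "allow"


# Second post's NAT design with bi-directional = no: SNAT and DNAT are separate rules.
NAT_RULES = [
    NatRule("Server-SNAT", "Inside", "Outside", "192.168.0.2", "any", snat="2.2.2.2"),
    NatRule("Server-DNAT", "Outside", "DMZ", "any", "2.2.2.2", dnat="192.168.0.2"),
    NatRule("Wireless-SNAT", "Wireless", "Outside", "172.16.0.0/24", "any", snat="2.2.2.3"),
]

# Security policy from the first post (post-NAT zones, pre-NAT addresses).
SEC_RULES = [
    SecRule("Inbound-Server", "Outside", "Inside", "any", "2.2.2.2"),
    SecRule("Server-Out", "Inside", "Outside", "192.168.0.2", "any"),
    SecRule("Wireless-Out", "Wireless", "Outside", "any", "any"),
]


def process(ingress_zone: str, src_ip: str, dst_ip: str) -> dict:
    """Evaluate one new session: NAT rule first (pre-NAT zones), then security
    policy (post-NAT destination zone, pre-NAT addresses)."""
    nat_dst_zone = zone_for(dst_ip)                      # route lookup on ORIGINAL destination
    nat = next((r for r in NAT_RULES
                if r.from_zone == ingress_zone and r.to_zone == nat_dst_zone
                and matches(r.src, src_ip) and matches(r.dst, dst_ip)), None)
    post_src = nat.snat if nat and nat.snat else src_ip
    post_dst = nat.dnat if nat and nat.dnat else dst_ip
    sec_dst_zone = zone_for(post_dst)                    # security policy: post-NAT zone ...
    sec = next((r for r in SEC_RULES
                if r.from_zone == ingress_zone and r.to_zone == sec_dst_zone
                and matches(r.src, src_ip) and matches(r.dst, dst_ip)), None)  # ... pre-NAT IPs
    return {
        "nat_rule": nat.name if nat else None,
        "nat_dst_zone": nat_dst_zone,
        "sec_rule": sec.name if sec else None,
        "sec_dst_zone": sec_dst_zone,
        "action": sec.action if sec else "deny",         # assumed interzone default deny
        "post_src": post_src,
        "post_dst": post_dst,
    }


if __name__ == "__main__":
    # 203.0.113.10 is a constructed Internet host (TEST-NET-3).
    for flow in [("Outside", "203.0.113.10", "2.2.2.2"),      # Internet -> published server
                 ("Inside", "192.168.0.2", "203.0.113.10"),   # server -> Internet
                 ("Wireless", "172.16.0.50", "203.0.113.10"), # wireless client -> Internet
                 ("Outside", "203.0.113.10", "2.2.2.3")]:     # Internet -> wireless SNAT address
        print(flow, process(*flow))
```

The last flow is the one worth noticing: with bi-directional set to no, an unsolicited inbound packet to the wireless SNAT address 2.2.2.3 matches no NAT rule and no security rule, so it is dropped, whereas the inbound flow to 2.2.2.2 is translated by the separate DNAT rule (NAT destination zone DMZ, from the route lookup) and then allowed by the Outside-to-Inside security rule that names the pre-NAT address 2.2.2.2.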