NAT configuration - DMZ zone to Trust zone

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

NAT configuration - DMZ zone to Trust zone

L4 Transporter

I've had a total brain fade, and am unable to figure this out. Hoping you guys can help.

 

Network topology is relatively simple. Firewall has three zones - outside, inside and DMZ - DMZ has a /25 of "real" Internet addresses on it. Outside has a /30, also of "real" address, and most traffic from inside is translated to the interface address of the outside zone. Inside if RFC1918 IPv4 addressing with multiple static routes to upstream networks.

 

I need to NAT an IP address which is in our public space in our DMZ zone - call the address 1.1.1.123/32 - to a host which is inside my network - call it 10.10.10.10/32 - on a one-to-one basis - no port translations, nothing. BI-directional NAT - any packet coming in to 1.1.1.123 goes to 10.10.10.10, and any packet going OUT from 10.10.10.10 appears to be from 1.1.1.123 as far as the Internet is concerned.

 

Thing is, I don't know if I can do this.

 

I've put in two NAT rules - one translating anything going to 1.1.1.123 to 10.10.10.10, and one translating anything from 10.10.10.10 to 1.1.1.123 - but it's not working.

 

I don't know if I'm screwing up the security policies related, or if what I'm asking can't be done.

 

So, questions for guys who have done more NAT than I have

 

1. Is the NAT policy I want even possible?

2. Is the methodoligy I've described right?

3. What IP address/interface should I be applying security policies (inbound and outbound) on? The translated address? The untranslated address? Both?

 

Can anyone shed some light for me, please? I'm scratching my head here.

 

Thanks

1 accepted solution

Accepted Solutions

L4 Transporter

Hey Darren,

 

Can you please try the below?

 

Outbound Nat rule

==============

Original packet:

  • Source - Trust
  • Source address - 10.10.10.10
  • Destination - Untrust
  • Destination Address - Any

Translated packet:

  • Source translation - Static IP
  • Translated address - 1.1.1.123

 

Inbound NAT rule

==============

Original packet:

  • Source - Untrust
  • Source address - Any
  • Destination - DMZ (you got public connectivity to DMZ, right?)
  • Destination Address - 1.1.1.123

Translated packet:

  • Destination translation
  • Translated address - 10.10.10.10

 

Outbound Security Rule

==================

Source Zone - Trust

Source Address - 10.10.10.10

Destination zone - Untrust

Destination address - Any

... (fill the rest yourself)

 

Inbound Security Rule

==================

Source Zone - Untrust

Source Address - Any

Destination zone - Trust

Destination Address - 1.1.1.123

... (fill the rest yourself)

 

For testing purposes, keep your NAT & security rules at the top to avoid any conflicts.

 

Let me know if that works.


Regards,

Anurag

 

================================================================
ACE 7.0, 8.0, PCNSE 7

View solution in original post

2 REPLIES 2

L4 Transporter

Hey Darren,

 

Can you please try the below?

 

Outbound Nat rule

==============

Original packet:

  • Source - Trust
  • Source address - 10.10.10.10
  • Destination - Untrust
  • Destination Address - Any

Translated packet:

  • Source translation - Static IP
  • Translated address - 1.1.1.123

 

Inbound NAT rule

==============

Original packet:

  • Source - Untrust
  • Source address - Any
  • Destination - DMZ (you got public connectivity to DMZ, right?)
  • Destination Address - 1.1.1.123

Translated packet:

  • Destination translation
  • Translated address - 10.10.10.10

 

Outbound Security Rule

==================

Source Zone - Trust

Source Address - 10.10.10.10

Destination zone - Untrust

Destination address - Any

... (fill the rest yourself)

 

Inbound Security Rule

==================

Source Zone - Untrust

Source Address - Any

Destination zone - Trust

Destination Address - 1.1.1.123

... (fill the rest yourself)

 

For testing purposes, keep your NAT & security rules at the top to avoid any conflicts.

 

Let me know if that works.


Regards,

Anurag

 

================================================================
ACE 7.0, 8.0, PCNSE 7

Thank you Sir, you are a legend.

 

I was applying the inbound security rule on the wrong zone, and everything was failing.

 

Now it's not.

 

Appreciate your assistance.

  • 1 accepted solution
  • 5817 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!