Notice that the 192.168.20.20 IP address has the same MAC address as the ASA (192.168.20.1).
If we were to check the ARP table of the Internet-RTR, you will understand better: This is because when the Internet-RTR got a connection request from 192.168.20.20, it sent an ARP request for that IP address and the ASA responded on behalf of the DMZ-RTR. If you are sure of your configuration, just wait a few seconds and try again.Īs you can see, the Internet-RTR “sees” the DMZ-RTR as 192.168.20.20 i.e. I will just assume the ASA was ‘booting’. Hint: When I first tried the telnet connection, it didn’t go through. I will open a connection from the DMZ-RTR to the Internet-RTR using the newly created loopback interface as the source interface. The equivalent configuration to be sent to the CLI is as follows: object network Web_ServerĪt this point, we can test whether our translation is active. We will click on the Advanced button so that we can specify the real and mapped interface. We will navigate to Configuration > Firewall > NAT Rules and add a new Network Object NAT rule. However, since there is still a hop to the Internet (the Internet router), you will have to configure a static route for that mapped IP address pointing to the ASA.Ĭonfiguring static NAT is the same way we configured PAT and dynamic NAT. Hint: In a real organization, to avoid double NAT, you may configure a public IP address as the mapped IP address. it allows a connection to be made from both the real IP address and to the mapped IP address. The reason we use static NAT is because static NAT is bidirectional i.e. We will now configure a static NAT rule for this new loopback IP address using a mapped IP address of 192.168.20.20. It is also a good thing to check that you can successfully ping the new network. Note that because we are not using any dynamic routing protocol in our network, I will need to add a static route on the ASA for that new IP address as shown below: To implement this, I will create a loopback on the DMZ-RTR with an IP address of 172.16.2.20 I will also enable the HTTP server on this router and finally set the DMZ-RTR’s default gateway as the ASA. The normal case is that the DMZ servers will have public routable IP addresses so that they can be accessed from the Internet. Note: In our scenario, we are only concerned with the technology behind static NAT. Using static NAT, we are able to translate the web server’s real IP address in the DMZ zone to a mapped IP address in the outside zone. Having this knowledge in mind, let’s assume there is a web server in the DMZ that should be accessible from the outside. This means that a compromise on the DMZ does not necessarily result in a compromise to the trusted network.
LAN) from the systems that need to be accessed from the outside. Therefore, organizations create a Demilitarized Zone (DMZ) to isolate their internal trusted network (e.g. However, giving the public access to your servers also means you make yourself available to attacks from the outside. Some organizations have web servers (and other servers) that are hosted internally and should also be available to the public i.e. Let’s first take a brief look at the DMZ to understand why it is needed. However, there is also another configuration done by companies with DMZ servers that requires public access and this is what we will be looking at in this article. This is the usual configuration in many organizations. In the last article, we configured both PAT and Dynamic NAT rules on the ASA to allow connectivity from the inside to the DMZ and outside zones.
Hi there and welcome back to this series on configuring the Cisco ASA in GNS3 through the ASDM.