NAT Reflection on a 2-Port ASA Firewall with DMZ for Cisco Telepresence (ExpressWay-C & ExpressWay-E) The second most popular setup involves two firewalls, one protecting our LAN (Firewall 2) and one protecting our DMZ (Firewall 1) while also limiting traffic hitting our LAN firewall:įigure 2. Dual 2-Port/Leg Firewalls DMZ With One LAN Interface ExpressWay-E Server Static (DMZ,inside) 203.40.40.5 access-list INT-DMZ-INĪs shown, there are two levels of NAT occurring for this scenario, both required by the Cisco Telepresence - ExpressWay infrastructure. Static (inside,DMZ) interface access-list INT-DMZ-INĪccess-list INT-DMZ-IN extended permit ip host 192.168.5.5 host 192.168.5.1 The last line in our ASA configuration performs Source NAT and Destination NAT in one command.Īccess-list INT-DMZ-IN extended permit ip host 192.168.1.50 host 203.40.40.5 NOTE: After the NAT command is applied you will receive the two above warning messages. WARNING: Users may not be able to access any service enabled on the DMZ interface. WARNING: All traffic destined to the IP address of the DMZ interface is being redirected. Nat (inside,DMZ) source static obj-192.168.1.50 interface destination static The configuration commands for the above setup is as follows: ![]() Translation of the source IP address (SNAT) of packets (192.168.1.50 to 192.168.5.1) for this traffic flow is optional however required specifically for the Cisco ExpressWay setup. When ExpressWay-C packets arrive to the ExpressWay-E server, they will have the following source & destination IP address: Source IP: 192.168.5.1, Destination IP: 192.168.5.5 This is also known as Source NAT ( SNAT). The Source IP address 192.168.1.50 (ExpressWay-C) is replaced with Source IP address 192.168.5.1 – ASA’s DMZ interface IP address.This is also known as Destination NAT ( DNAT). Destination IP address 203.40.40.5 is replaced with Destination IP address 192.168.5.5 – ExpressWay-E’s private IP address.NAT Reflection on a 3-Port ASA Firewall with Cisco Telepresence (ExpressWay-C & ExpressWay-E)ĮxpressWay-C packets traversing the ASA Firewall destined to ExpressWay-E’s public IP address will have the following transformation thanks to the NAT Reflection configuration: This type of setup also happens to be one of the two most popular configurations:įigure 1. In the example below, ExpressWay-C with IP address 192.168.1.50 needs to access ExpressWay-E ( DMZ zone, IP address 192.168.5.5) using its public IP address of 203.40.40.5. Single 3-Port/Leg Firewall DMZ With One LAN Interface ExpressWay-E Server Note: Users seeking additional information on Network Address Translation concepts can visit our dedicated NAT Section that covers NAT in great depth. NAT Reflection is also seen at implementations of Cisco’s Telepresence systems where the ExpressWay-C server on the internal network needs to communicate with the ExpressWay-E server in the DMZ zone using its public IP address. ![]() What’s interesting is that NAT Reflection is not supported by all firewall appliances, however Cisco ASA Firewalls provide 100% support, making any NAT scenario possible. ![]() NAT Reflection, is a NAT technique used when devices on the internal network (LAN) need to access a server located in a DMZ zone using its public IP address. This article examines the concept of NAT Reflection, also known as NAT Loopback or Hairpinning, and shows how to configure a Cisco ASA Firewall running ASA version 8.2 and earlier plus ASA version 8.3 and later, to support NAT Reflection.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |