ASA - Understanding NAT behavior with DMZ Subnet
In a network configuration where the entire DMZ subnet (e.g., 192.168.1.0/24) is statically NATed to a single public IP address (e.g., 100.100.100.100) on an ASA, the following behaviors are observed:
-
Outbound Connections: When multiple DMZ servers initiate connections to the internet, their source IP addresses are translated to the single public IP (100.100.100.100). The ASA uses different source ports to distinguish between these connections, even if they are directed to the same destination IP on the internet.
-
Inbound Connections: Static NAT is bidirectional but requires specific configurations for inbound connections:
- Response to Outbound Requests: Responses to outbound requests are allowed and directed to the originating host based on the destination TCP port.
- Externally Initiated Connections: For connections initiated from the outside, additional configurations are necessary:
- An access list must be set up to permit traffic from the outside interface to the DMZ interface.
- Port forwarding must be configured to translate and forward the appropriate destination TCP port to the correct inside host. Without these configurations, externally initiated communications will be dropped.
Links
https://networklessons.com/cisco/asa-firewall/cisco-asa-static-nat-configuration/