ASA- DMZ IP getting NATted to its own global pool IP

network_user
Level 1

Hello,

We have a Session Border Controller for VoIP calls in our network which sits behind an ASA firewall on a DMZ. We also have a global pool for this DMZ. What I have observed is that the SBC IP address, which is on the DMZ, gets NATted to one of the IPs in the global pool for its own DMZ.

Below is the relevant IP information and NAT configuration:

DMZ4

SBC IP: 10.103.11.51

NAT on ASA:

global (dmz4) 1 10.103.11.16-10.103.11.19 netmask 255.255.255.252

10.103.11.51 gets NATted to 10.103.11.17 and for some reason the SBC sends the SIP packets to 10.103.11.17, instead of sending them to a destination IP address which resides on the inside interface of the ASA. I am not able to understand why the SBC gets NATted to the global NAT pool of its own DMZ, and how does it know about the 10.103.11.17 IP?

Any help is appreciated.

Thank you.

7 Replies

rizwanr74
Level 7

"instead of sending it to a destination IP address which resides on the inside interface of the ASA."

In order to send traffic in between inside and dmz4, you must create static-nat as shown below.

static (inside,dmz4) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

-----------------------------------------------------------------------------------

"global (dmz4) 1 10.103.11.16-10.103.11.19 netmask 255.255.255.252"

The above is dynamic NAT.

Hope this has been any help.

thanks

Rizwan Rafeek

Hello Rizwan,

I do have a NAT for the inside host to DMZ4. What I don't understand is why 10.103.11.51 is getting NATted to 10.103.11.17? Shouldn't that pool be the NAT for traffic coming to DMZ4?

static (inside,dmz4) 10.103.1.88 10.103.1.88 netmask 255.255.255.255

Thank you.

"Shouldn't that pool be the NAT for traffic coming to DMZ4?"

It is NATting based on the IP range you have defined in the global pool "10.103.11.16 - 10.103.11.19".

"why 10.103.11.51 is getting natted to 10.103.11.17?" That is because of your global pool on the dmz4 interface, as shown below.

global (dmz4) 1 10.103.11.16-10.103.11.19

"Shouldn't that pool be the NAT for traffic coming to DMZ4?"

It is NATting to one of the IPs available from the range you provided when traffic comes in to dmz4.

So, it is natting, what you have set to nat.

Thanks

Rizwan Rafeek

I still don't understand.

What I understand is that any traffic which is going into DMZ4 must be NATted to one of the DMZ4 global pool IPs to communicate with the hosts on DMZ4. But it seems like it's happening the other way round. An IP address which is already on DMZ4 and trying to communicate with inside (or any other interface) is getting NATted to an IP from this pool.

"going into DMZ4" It is not going into, but rather NATted to; as a result you will see the below, which is your confusion.

"why 10.103.11.51 is getting natted to 10.103.11.17? "

going into and natted to, are two different things.

I hope that helps.

thanks

Rizwan Rafeek

Please rate helpful posts.

So do you mean the NAT is for DMZ4 IPs communicating with any other IP outside DMZ4 and also for any IP which is trying to communicate with DMZ4 hosts??

"So do you mean the NAT is for DMZ4 IPs communicating with any other IP outside DMZ4"

No, but rather an inside or outside host trying to reach the DMZ4 hosts will be dynamic-NATted to 10.103.11.16-10.103.11.19.

"also for any IP which is trying to communicate with DMZ4 hosts??"

will be dynamic-NATted to the range 10.103.11.16-10.103.11.19.

You have not posted your nat statement, only the global config part alone, I see.

Hope that answers your question.

Thanks

Rizwan Rafeek
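To make the nat/global pairing discussed in this thread concrete, here is an added example (not from the thread or from Cisco) that parses the pre-8.3 `static`, `global` and `nat` lines quoted above and predicts which translation applies to a given source interface, destination interface and source address, using the simplified pre-8.3 order of static NAT before dynamic nat/global. The `nat (inside) 1 10.103.1.0 255.255.255.0` line is an assumption, since the original poster never posted the nat statement.

```python
import ipaddress

# Constructed config in pre-8.3 ASA syntax, assembled from the lines quoted in this thread.
# The `nat (inside) 1` line is an assumption: the thread notes the nat statement was never posted.
ASA_CONFIG = """
static (inside,dmz4) 10.103.1.88 10.103.1.88 netmask 255.255.255.255
global (dmz4) 1 10.103.11.16-10.103.11.19 netmask 255.255.255.252
nat (inside) 1 10.103.1.0 255.255.255.0
"""

def parse(config):
    """Split static / global / nat lines into tuples; tolerates 'static(inside,dmz4)' with no space."""
    statics, pools, nats = [], [], []
    for line in config.strip().splitlines():
        t = line.replace("(", " ").replace(")", " ").replace(",", " ").split()
        if t[0] == "static":      # static (real_if,mapped_if) mapped real netmask mask
            statics.append((t[1], t[2], ipaddress.ip_network(f"{t[4]}/{t[6]}", strict=False), t[3]))
        elif t[0] == "global":    # global (mapped_if) id first[-last] ...
            first, _, last = t[3].partition("-")
            pools.append((t[1], t[2], first, last or first))
        elif t[0] == "nat":       # nat (real_if) id real_net mask
            nats.append((t[1], t[2], ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
    return statics, pools, nats

def translate(src_if, dst_if, src_ip, rules):
    """Simplified pre-8.3 NAT order: static first, then a nat/global pair joined by nat id.
    Returns (mapped source, rule kind); a pool is reported as its range, not one chosen address."""
    statics, pools, nats = rules
    ip = ipaddress.ip_address(src_ip)
    for real_if, mapped_if, real_net, mapped in statics:
        if (real_if, mapped_if) == (src_if, dst_if) and ip in real_net:
            offset = int(ip) - int(real_net.network_address)   # net statics map address-for-address
            return str(ipaddress.ip_address(int(ipaddress.ip_address(mapped)) + offset)), "static"
    for nat_if, nat_id, real_net in nats:
        if nat_if == src_if and ip in real_net:
            for pool_if, pool_id, first, last in pools:
                if pool_if == dst_if and pool_id == nat_id:
                    return f"{first}-{last}", f"dynamic nat/global id {nat_id}"
    return src_ip, "no translation"

if __name__ == "__main__":
    rules = parse(ASA_CONFIG)
    # inside host with a static reaching the SBC: the static wins, 10.103.1.88 stays 10.103.1.88
    print(translate("inside", "dmz4", "10.103.1.88", rules))
    # another inside host reaching dmz4: falls through to the dmz4 global pool
    print(translate("inside", "dmz4", "10.103.1.20", rules))
    # the SBC itself sending toward inside: none of the quoted lines applies
    print(translate("dmz4", "inside", "10.103.11.51", rules))
```

The model reproduces Rizwan's point: the dmz4 pool is used for inside-sourced traffic exiting dmz4, and nothing in the quoted lines translates a dmz4-sourced address, so the SBC's behaviour has to come from configuration not shown in the thread.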
