I'm configuring an ASA 7.2 to allow a kiosk machine segment (security-level 45) to access the Internet via the enterprise network (security-level 90). The ASA config is as follows:
ip address 172.16.45.1 255.255.255.0
ip address 172.16.90.2 255.255.255.0
route dmz_enterprise 0.0.0.0 0.0.0.0 172.16.90.1 1
access-list TEST extended permit ip any any
access-group TEST in interface dmz_kiosk
The ASA is also configured to perform DHCP relay for clients connected to the kiosk segment.
The kiosk machines will need to access the Internet. My issue is that I'm unsure how to define the static commands to allow the proper NAT translation for the clients, since their destinations are public IP addresses. I've tried:
static (dmz_enterprise,dmz_kiosk) 0 0 netmask 0.0.0.0
However, this command has the following negative effects:
(1) Disrupts the operation of DHCP relay.
(2) Disrupts ARP activities on the kiosk segment. The ASA will answer all ARP requests on that segment, causing issues for client-to-client communication on that segment.
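
The following is an added example, not part of the original post and not Cisco tooling: a small config check that flags any static whose mapped range overlaps the connected subnet of its mapped interface, which is the condition behind the ARP side effect in (2). The interface stanzas and Ethernet names in the sample are assumptions, since the post shows only the ip address lines.

```python
import ipaddress
import re

# Constructed sample: interface stanzas and Ethernet names are assumed;
# the addresses, interface names and static line are from the post.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif dmz_kiosk
 ip address 172.16.45.1 255.255.255.0
interface Ethernet0/2
 nameif dmz_enterprise
 ip address 172.16.90.2 255.255.255.0
static (dmz_enterprise,dmz_kiosk) 0 0 netmask 0.0.0.0
"""

# static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")

def to_network(addr, mask):
    """Build a network from an address and dotted mask ("0" means 0.0.0.0)."""
    addr = "0.0.0.0" if addr == "0" else addr
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def interface_subnets(config):
    """Map each nameif to the connected subnet of its interface."""
    subnets, name = {}, None
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["interface"]:
            name = None
        elif parts[:1] == ["nameif"]:
            name = parts[1]
        elif parts[:2] == ["ip", "address"] and name:
            subnets[name] = to_network(parts[2], parts[3])
    return subnets

def find_arp_overlaps(config):
    """Return (mapped_if, mapped_range, connected_subnet) for risky statics."""
    subnets = interface_subnets(config)
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        _real_if, mapped_if, mapped_ip, _real_ip, mask = m.groups()
        mapped = to_network(mapped_ip, mask)
        local = subnets.get(mapped_if)
        # Overlap means the mapped range includes addresses of local hosts.
        if local is not None and mapped.overlaps(local):
            findings.append((mapped_if, str(mapped), str(local)))
    return findings
```
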