How to achieve PAT for one of two outside interfaces only?

May 23rd, 2007

Hi all,

I am looking for help in setting up address translation on an ASA (version 7.2) with the following scenario:

-- four network interfaces: inside, DMZ1, DMZ2, outside

-- inside and DMZ1 have limited number of subnets, DMZ2 has many subnets (routing via OSPF), outside is Internet (routing via static default route)

-- source addresses should be translated to a global address (PAT) for communications from inside or DMZ1 to outside (DMZ2 does not need to communicate with outside)

-- real addresses without translation (source or destination) should be used for communications between inside, DMZ1 and DMZ2

The problem I could not overcome is the "nat (inside)" configuration: the subnets in DMZ2 (and DMZ1) need to be exempted, but there are too many to make an ACL viable. Besides, this would thwart the advantage of using a routing protocol instead of static routing.

Can anybody suggest a NAT configuration that achieves the desired results?

Thanks and regards


zulqurnain Wed, 05/23/2007 - 23:56


You can try this:

access-list nonat permit ip (DMZ1 subnet ip address) (DMZ2 subnet ip address)

nat (inside) 0 access-list nonat

HTH, please rate it

fanheuser Thu, 05/24/2007 - 01:04

Hello zulqurnain,

Thank you, basically this would work. Unfortunately, DMZ2 has a couple of hundred subnets, which also change frequently (this is why I use a routing protocol on that interface). Therefore, I am looking for a configuration where I do not need to enumerate the DMZ2 subnets in an ACL (or object group). Any suggestions?

DMZ1 has only the connected subnet, so this is no problem.
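One way to get PAT toward outside only without listing any DMZ2 subnet, as an added example that was not posted in this thread: tie the dynamic PAT to a global on the outside interface alone. It assumes nat-control stays disabled (the default on 7.2), so that flows matching a nat statement but finding no global on the egress interface are passed untranslated; interface names are the poster's, addresses and the OSPF configuration are left out.

```cisco
! Added example, not from the thread. Assumes nat-control is disabled (the
! 7.2 default) so that traffic with no global on its egress interface is
! forwarded with real addresses instead of being dropped.
no nat-control
!
! Dynamic PAT for everything leaving inside or DMZ1, NAT ID 1.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ1) 1 0.0.0.0 0.0.0.0
!
! The only global for NAT ID 1 is on outside, so only flows that exit
! toward the Internet are translated, to the outside interface address.
global (outside) 1 interface
!
! Deliberately no "global (DMZ1) 1", "global (DMZ2) 1" or "global (inside) 1":
! inside <-> DMZ1 <-> DMZ2 traffic keeps real source and destination
! addresses, and no DMZ2 subnet has to appear in any ACL or object-group.
! DMZ2 gets no nat statement at all, since it never talks to outside.
```

Verify with "show xlate" after generating some traffic: only connections toward outside should appear as translations, and traffic between the three internal interfaces should show none.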

