DMZ NAT question

Jan 24th, 2008

I am configuring a new ASA with a DMZ for my web server. I need to have certain websites able to pass traffic to SQL servers on the inside interface and people from the inside able to hit websites on the web server, but I want to make sure that the IPs of the traffic being passed between the DMZ and the Inside are their actual IPs (not NAT'd). Do I need to create a 'no-nat' access list statement for this and place it in a NAT statement for the DMZ? Would the following work?

Inside is

DMZ is

access-list nonat permit ip

nat (dmz) 0 access-list nonat

nat (dmz) 10

global (outside) 10 interface

pjhenriqs Thu, 01/24/2008 - 07:33


I believe the access-list should be the other way around:

access-list nonat permit ip

This will allow traffic from the DMZ to be exempted from the NAT translation when their destination is the inside.

To achieve two way traffic between DMZ and inside do:

access-list nonat1 permit ip

access-list nonat2 permit ip

nat (dmz) 0 access-list nonat1

nat (dmz) 0 access-list nonat2

and it should also have

global (dmz) 10 interface

HTH and please rate if it does.



acomiskey Thu, 01/24/2008 - 07:38

I don't think you can have 2 nat exempt statements for the same interface.

Another way of doing this is simply...

static (inside,dmz)

pjhenriqs Thu, 01/24/2008 - 07:46

My bad...damn copy+paste :)

What I meant was:

nat (inside) 0 access-list nonat1

nat (dmz) 0 access-list nonat2

Also, you can have two nat exempt statements that do not conflict (and that make sense) applied on the same interface. I have it in one of my configurations and working ok.



qbakies11 Thu, 01/24/2008 - 07:54

By acomiskey:

"Another way of doing this is simply...

static (inside,dmz)"

If I have this static statement in my config then I don't need to worry about bypassing NAT?
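Worked example, added here and not part of any post above: a complete pre-8.3 ASA fragment (the `nat`/`global`/`static` syntax the thread uses; ASA 8.3 and later replaced it with object and twice NAT) that shows both routes discussed, the pair of NAT exemptions and the identity `static`, together with the interface ACL the question does not mention but still needs. All addresses, interface names and ACL names are assumptions for illustration: inside 10.1.1.0/24 with a SQL server at 10.1.1.20, DMZ 192.168.10.0/24 with the web server at 192.168.10.10, outside PAT to the interface address.

```cisco
! Added example (not from the thread). Addresses, interface and ACL names are assumed.
! Pre-8.3 ASA syntax, matching the commands discussed above.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! --- Option A: NAT exemption (nat 0 with an ACL), one statement per interface.
! Each ACL is written from its own interface's point of view: source = local net.
access-list inside_nat0 extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list dmz_nat0 extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
nat (dmz) 0 access-list dmz_nat0
!
! --- Option B (use instead of A, not in addition): identity static, i.e. the inside
! network appears on the dmz with its real addresses. Works in both directions.
! static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Dynamic PAT for everything else headed to the Internet (exempt traffic never reaches this).
nat (inside) 10 10.1.1.0 255.255.255.0
nat (dmz) 10 192.168.10.0 255.255.255.0
global (outside) 10 interface
!
! NAT (or its absence) only decides what addresses look like; it grants no access.
! dmz (50) -> inside (100) is denied by default, so permit exactly what the
! web server needs, block the rest of the inside network, then allow Internet.
access-list dmz_in extended permit tcp host 192.168.10.10 host 10.1.1.20 eq 1433
access-list dmz_in extended deny ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.10.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! inside (100) -> dmz (50) is allowed by default, so no ACL is required for
! inside users reaching the web server; add one if you want to limit it to tcp/80 and tcp/443.
```

To check the result, run `packet-tracer input dmz tcp 192.168.10.10 1025 10.1.1.20 1433` and `packet-tracer input inside tcp 10.1.1.50 1025 192.168.10.10 80`; in each trace the NAT phase should leave the source and destination unchanged and the ACCESS-LIST phase should report ALLOW. `show xlate` then shows no entries for the DMZ-to-inside pair. Two points worth knowing when choosing between the options: NAT exemption is bidirectional, so either one of the `nat 0` lines would already exempt connections started from both sides, and configuring both only documents the intent; and with `nat-control` enabled the firewall demands a NAT rule for every source crossing an interface, in which case Option B alone covers the inside addresses but leaves DMZ-initiated connections without a rule for their own source, while Option A covers both.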

