DMZ NAT question

qbakies11 (Level 1)

I am configuring a new ASA with a DMZ for my web server. I need to have certain websites able to pass traffic to SQL servers on the inside interface and people from the inside able to hit websites on the web server, but I want to make sure that the IPs of the traffic being passed between the DMZ and the Inside are their actual IPs (not NAT'd). Do I need to create a 'no-nat' access list statement for this and place it in a NAT statement for the DMZ? Would the following work?

Inside is 192.168.200.0/21

DMZ is 192.168.0.0/24

access-list nonat permit ip 192.168.200.0 255.255.248.0 192.168.0.0 255.255.255.0

nat (dmz) 0 access-list nonat

nat (dmz) 10 0.0.0.0 0.0.0.0

global (outside) 10 interface

5 Replies

pjhenriqs (Level 1)

Hi,

I believe the access-list should be the other way around:

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0

This will allow traffic from the DMZ to be exempted from the NAT translation when their destination is the inside.

To achieve two way traffic between DMZ and inside do:

access-list nonat1 permit ip 192.168.200.0 255.255.248.0 192.168.0.0 255.255.255.0

access-list nonat2 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0

nat (dmz) 0 access-list nonat1

nat (dmz) 0 access-list nonat2

and it should also have

global (dmz) 10 interface

HTH and please rate if it does.

Regards,

Paulo

I don't think you can have 2 nat exempt statements for the same interface.

Another way of doing this is simply...

static (inside,dmz) 192.168.200.0 192.168.200.0 255.255.255.0

My bad...damn copy+paste :)

What I meant was:

nat (inside) 0 access-list nonat1

nat (dmz) 0 access-list nonat2

Also, you can have two nat exempt statements that do not conflict (and that make sense) applied on the same interface. I have it in one of my configurations and working ok.

Regards,

Paulo

By acomiskey:

"Another way of doing this is simply...

static (inside,dmz) 192.168.200.0 192.168.200.0 255.255.255.0"

If I have this static statement in my config then I don't need to worry about bypassing NAT?

Yes. That's all you need.
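As an added example (not part of the thread, and not Cisco code), the script below checks the three variants discussed above against the subnets stated in the question: the original `nat (dmz) 0 access-list nonat` with the ACL source on the inside, Paulo's corrected pair of `nat (inside) 0` / `nat (dmz) 0` statements, and acomiskey's identity `static`. It parses only the pre-8.3 `access-list`, `nat ... 0 access-list` and `static` lines shown in the thread, and applies two rules: the source of a `nat (ifc) 0` exemption ACL must sit behind `ifc`, and an identity `static (real,mapped) A A mask` only exempts the hosts its mask covers. The function names, the `INTERFACE_NETS` table and the sample configurations are constructed here for illustration.

```python
"""Added example (not from the thread): sanity-check pre-8.3 ASA NAT-exemption
lines against the interface subnets stated in the question."""
import ipaddress
import re

# Subnets as given in the question: inside is a /21, DMZ a /24.
INTERFACE_NETS = {
    "inside": ipaddress.ip_network("192.168.200.0/21"),
    "dmz": ipaddress.ip_network("192.168.0.0/24"),
}

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) (\S+)$")

# Constructed sample configs, copied from the posts above.
OP_CONFIG = """
access-list nonat permit ip 192.168.200.0 255.255.248.0 192.168.0.0 255.255.255.0
nat (dmz) 0 access-list nonat
nat (dmz) 10 0.0.0.0 0.0.0.0
global (outside) 10 interface
"""
PAULO_CONFIG = """
access-list nonat1 permit ip 192.168.200.0 255.255.248.0 192.168.0.0 255.255.255.0
access-list nonat2 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
nat (inside) 0 access-list nonat1
nat (dmz) 0 access-list nonat2
"""
STATIC_24_CONFIG = "static (inside,dmz) 192.168.200.0 192.168.200.0 255.255.255.0"
STATIC_21_CONFIG = "static (inside,dmz) 192.168.200.0 192.168.200.0 255.255.248.0"


def net(addr, mask):
    """Build a network from ASA 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_exemption(config, interface_nets=INTERFACE_NETS):
    """Return a list of findings; an empty list means inside<->DMZ traffic
    is exempted from translation in both directions."""
    acls, nat0, statics, findings = {}, [], [], []
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT0_RE.match(line):
            nat0.append((m[1], m[2]))
        elif m := STATIC_RE.match(line):
            statics.append((m[1], m[2], m[3], m[4], m[5]))

    covered = set()  # (real_ifc, other_ifc) pairs that are exempted

    # Rule 1: 'nat (ifc) 0 access-list X' matches the real addresses behind
    # ifc as the ACL source, so that source must lie in ifc's own subnet.
    for ifc, name in nat0:
        if name not in acls:
            findings.append(f"nat ({ifc}) 0 references unknown access-list {name}")
            continue
        for src, dst in acls[name]:
            if not src.subnet_of(interface_nets[ifc]):
                findings.append(f"{name}: source {src} is not behind {ifc} "
                                f"({interface_nets[ifc]}); ACL direction is reversed")
                continue
            for other, onet in interface_nets.items():
                if other != ifc and dst.subnet_of(onet):
                    covered.add((ifc, other))

    # Rule 2: 'static (real,mapped) A A mask' is identity NAT in both
    # directions, but only for the hosts the mask actually spans.
    for real_ifc, mapped_ifc, real, mapped, mask in statics:
        if real != mapped:
            findings.append(f"static ({real_ifc},{mapped_ifc}) maps {real} to {mapped}; not identity NAT")
            continue
        span = net(real, mask)
        if not interface_nets[real_ifc].subnet_of(span):
            findings.append(f"static ({real_ifc},{mapped_ifc}) covers {span} but {real_ifc} is "
                            f"{interface_nets[real_ifc]}; hosts outside {span} are still translated")
            continue
        covered.add((real_ifc, mapped_ifc))
        covered.add((mapped_ifc, real_ifc))

    for a in interface_nets:
        for b in interface_nets:
            if a != b and (a, b) not in covered:
                findings.append(f"no exemption for traffic from {a} to {b}")
    return findings


if __name__ == "__main__":
    for label, cfg in [("original post", OP_CONFIG), ("nonat1/nonat2 pair", PAULO_CONFIG),
                       ("static /24", STATIC_24_CONFIG), ("static /21", STATIC_21_CONFIG)]:
        print(f"== {label}")
        for f in check_exemption(cfg) or ["ok"]:
            print("  ", f)
```

Running it flags the original `nonat` ACL as reversed, accepts the `nonat1`/`nonat2` pair, and reports that a `static` with mask 255.255.255.0 spans only 192.168.200.0/24 of the /21 inside network, so inside hosts outside that /24 would still hit `nat (inside)` / `global` translation toward the DMZ; the same `static` with 255.255.248.0 passes. Whether a check like this is worth keeping depends on the platform: post-8.3 ASA uses different NAT syntax, which this parser does not understand.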
