01-24-2008 06:58 AM - edited 03-11-2019 04:53 AM
I am configuring a new ASA with a DMZ for my web server. I need to have certain websites able to pass traffic to SQL servers on the inside interface and people from the inside able to hit websites on the web server, but I want to make sure that the IPs of the traffic being passed between the DMZ and the Inside are their actual IPs (not NAT'd). Do I need to create a 'no-nat' access list statement for this and place it in a NAT statement for the DMZ? Would the following work?
Inside is 192.168.200.0/21
DMZ is 192.168.0.0/24
access-list nonat permit ip 192.168.200.0 255.255.248.0 192.168.0.0 255.255.255.0
nat (dmz) 0 access-list nonat
nat (dmz) 10 0.0.0.0 0.0.0.0
global (outside) 10 interface
01-24-2008 07:33 AM
Hi,
I believe the access-list should be the other way around:
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
This will allow traffic from the DMZ to be exempted from the NAT translation when its destination is the inside network.
To achieve two-way traffic between DMZ and inside do:
access-list nonat1 permit ip 192.168.200.0 255.255.248.0 192.168.0.0 255.255.255.0
access-list nonat2 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
nat (dmz) 0 access-list nonat1
nat (dmz) 0 access-list nonat2
and it should also have
global (dmz) 10 interface
HTH and please rate if it does.
Regards,
Paulo
01-24-2008 07:38 AM
I don't think you can have 2 nat exempt statements for the same interface.
Another way of doing this is simply...
static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
01-24-2008 07:46 AM
My bad...damn copy+paste :)
What I meant was:
nat (inside) 0 access-list nonat1
nat (dmz) 0 access-list nonat2
Also, you can have two nat exempt statements that do not conflict (and that make sense) applied on the same interface. I have it in one of my configurations and working ok.
Regards,
Paulo
01-24-2008 07:54 AM
By acomiskey:
"Another way of doing this is simply...
static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0"
If I have this static statement in my config then I don't need to worry about bypassing NAT?
01-24-2008 08:02 AM
Yes. That's all you need.
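Putting the two approaches from this thread together, here is an added, complete example (not taken from any of the posts above) for pre-8.3 ASA syntax. It assumes interface names inside/dmz/outside, the subnets from the original question (inside 192.168.200.0/21, DMZ 192.168.0.0/24), and the host addresses 192.168.0.10 (web server) and 192.168.200.5 (SQL server), which are illustrative only. It also adds the piece neither answer mentions: NAT exemption only preserves the real addresses, it does not grant access, so the lower-security dmz interface still needs an access-list that allows just the SQL port from the web server.

```cisco
! Added example, not from the original thread. ASA 7.x / 8.0-8.2 syntax.
! Assumed: inside 192.168.200.0/21, dmz 192.168.0.0/24, web 192.168.0.10, SQL 192.168.200.5
!
! --- Option A: NAT exemption with nat 0 ---
! For "nat (dmz) 0 access-list", the ACL source is the network behind the dmz
! interface, so it must be the DMZ subnet (Paulo's corrected direction).
! NAT exemption is bidirectional: this single statement also keeps inside hosts'
! real addresses when they initiate connections to the DMZ, so a second
! nat (inside) 0 statement is not required.
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
nat (dmz) 0 access-list nonat
!
! Everything else leaving the DMZ is PAT'd to the outside interface address.
! Without the nat 0 above, DMZ-to-inside traffic would match this rule, find no
! "global (inside) 10", and be dropped with "No translation group found".
nat (dmz) 10 0.0.0.0 0.0.0.0
global (outside) 10 interface
!
! --- Option B: identity static instead of nat 0 (pick A or B, not both) ---
! Note the /21 mask: with 255.255.255.0 only 192.168.200.0-255 is covered and
! SQL servers elsewhere in 192.168.200.0/21 would still fall into the dynamic rule.
! static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.248.0
!
! --- Access control: exemption is not permission ---
! dmz is lower security than inside, so DMZ-initiated traffic needs an ACL.
! Allow only the web server to the SQL server on TCP 1433, block the rest of the
! inside range, then let the DMZ reach the internet.
access-list dmz_in extended permit tcp host 192.168.0.10 host 192.168.200.5 eq 1433
access-list dmz_in extended deny ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list dmz_in extended permit ip 192.168.0.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! --- Verify: the NAT phase should show the real addresses untouched and the
! ACL phase should allow the flow in both directions ---
packet-tracer input dmz tcp 192.168.0.10 1025 192.168.200.5 1433
packet-tracer input inside tcp 192.168.200.50 1025 192.168.0.10 80
show running-config nat
```

The packet-tracer output is the check to run before trusting either option: if the NAT phase reports a translation to the outside interface address, the exemption or static is not matching (wrong ACL direction, wrong mask, or both A and B configured and overlapping). On ASA 8.3 and later the NAT syntax is different (object/twice NAT) and "nat 0 access-list" no longer exists, so this example applies only to the software generation the thread is about.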