I have some problems which seem too weird. I have an ASA 5540 in my client's office. The previous plan is using an inside and outside scheme only, while dynamically NATting all inside networks (10.0.0.0/8) to outside, and static NATting several IPs too. The problem is when I deploy a DMZ on the ASA.
The network on the inside can't access the DMZ, not even the first L3 device after the DMZ interface. After I remove a certain inside network from the dynamic NAT, I can access the DMZ from that particular inside network.
What is the problem?
Could I make the inside network access both the DMZ and the outside network?
You don't have to mess up with the nat-control command; your issue is pretty easy and straightforward. Since you insist on not posting the entire sanitized config, I will go on with assumptions.
A little info about nat-control. If I remember correctly, nat-control is built in with 6.3 IOS and above, and according to my experience, it doesn't appear in the config unless it is explicitly disabled or enabled after disabling. That's why the concept is NOT the same as with a router while nat-control is enabled.
"And I'm so sure that the packet can traverse from inside to DMZ without identity NAT or another kind of NAT, while the packet can go to outside using dynamic NAT"
I am sorry Charles, but you are misinformed. This is for routers only. And the NAT concept of Cisco firewall devices is usually where I meet R&S (Routing & Switching) professionals who have not been involved in firewalls as they have with routers. What you mention will become real when you explicitly state "no nat-control". This time the device will behave more like a router.
"without identity NAT or another kind of NAT ".
The firewall is obliged to check every traffic flow and drop it if it doesn't match a NAT statement with nat-control. That's fine.
"So it's impossible to allow traffic from inside to DMZ without NATting?"
And you want specific traffic not to be translated without x NAT; that's fine too. But you must tell it to the device, which is obliged to check for NAT matches, not to NAT that x traffic specifically. And this is what exempt NAT is, the first suggestion I made, and it hit the bull's eye as I see.
Here are my assumptions according to "After I exclude 10.64.0.0/16 from the dynamic NAT, the 10.64.0.0/16 network can access the DMZ network"
You either don't have or have an incorrect exempt NAT statement or identity NAT, since the firewall first checks exempt and identity NATs, then moves on to the NAT translation groups.
Then you have NAT translation groups like the following:
global (outside) 1 xxxxx
global (dmz) 2 yyyyyy
nat (inside) 1 bla bla
nat (inside) 2 bla bla
Traffic originating from inside always goes out from global 1, and never exits from global 2 since it has the same source. Once you exclude the source traffic, it goes on from global 2 and never goes out from global 1. As stated before, if you have a valid identity NAT or exempt NAT, the firewall will first check if traffic hits the exempt or identity NAT; if it matches, traffic flows as stated; if it doesn't, traffic hits NAT translation group 1 and goes out to the internet.
Btw, I suggest you use 7.2(2), but not because of the reason that you wrote next to your possible bug worry.
Still you couldn't achieve what you want? Want to resolve it? Then please do the following exactly.
1) Post your sanitized config
2) Tell your problem as "I can't reach from x IP to y IP"
3) Let me resolve it, apply my suggested CLI commands, see that your problem is resolved, then ask me about my suggestions: "why did you do xx"
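The exempt-NAT arrangement the answer above describes, written out as an added example that is not part of the original thread: pre-8.3 ASA syntax, with a constructed DMZ subnet (192.168.100.0/24), a constructed public address (203.0.113.10) and the interface names as assumptions.

```cisco
! Constructed example, pre-8.3 ASA syntax. Addresses other than 10.0.0.0/8 are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
! With nat-control enabled, inside -> dmz traffic that matches no NAT rule is dropped.
! The answer's point: a second numbered group never helps, because the inside source
! already matches group 1 and is sent out through global (outside) 1.
!   global (dmz) 2 interface                 <- does NOT fix inside -> dmz
!   nat (inside) 2 10.0.0.0 255.0.0.0        <- never reached for 10.0.0.0/8 sources
!
! Exempt NAT (nat 0 with an ACL) is evaluated before the numbered nat/global groups,
! so inside hosts reach the DMZ with their real addresses, untranslated.
access-list INSIDE_TO_DMZ_NONAT extended permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list INSIDE_TO_DMZ_NONAT
!
! Everything else from inside still PATs to the outside interface address (group 1).
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
!
! A DMZ server published to the outside keeps its static translation (assumed addresses),
! and outside -> dmz access is opened only for the service that must be reachable.
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Verification (7.2 and later): packet-tracer shows which NAT rule the flow hits and
! whether the exempt rule was chosen; show xlate confirms no translation was built
! for an inside -> dmz flow.
!   packet-tracer input inside tcp 10.64.0.1 12345 192.168.100.10 443
!   show xlate
```

The exemption ACL is written in the direction of the original flow (inside source, DMZ destination); return traffic is matched by the connection state, not by a second ACL.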