global (inside) and nat (inside)

Unanswered Question
Sep 24th, 2008

Hi,


I have the following config:


global (outside) 1 interface

global (inside) 1 interface

global (dmz) 1 interface

nat (dmz) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0 outside


Currently, DMZ users can access inside and outside via NAT


Once I add nat(inside) 1 0 0, I can't access the inside PCs from the DMZ. I would like to allow inside users to go outside via nat(inside) and global(outside). Any suggestions?



I have an ASA 5505, ver 7.2(4).


Thanks,


You need to look at your NAT design. I would use something like:


global (outside) 1 interface


nat (inside) 1 x.x.x.x y.y.y.y

nat (dmz) 1 w.w.w.w z.z.z.z


nat (inside) 0 access-list no-nat

nat (dmz) 0 access-list no-nat


access-list no-nat permit ip x.x.x.x y.y.y.y w.w.w.w z.z.z.z

access-list no-nat permit ip w.w.w.w z.z.z.z x.x.x.x y.y.y.y


x.x.x.x = Inside IP subnet

y.y.y.y = Subnet mask


w.w.w.w = DMZ IP Subnet

z.z.z.z = Subnet mask


The above will NAT the Inside to the outside using the firewall outside IP address.


It will nat the DMZ to the outside using the firewall outside IP address.


It will NOT nat the Inside to the DMZ

It will NOT nat the DMZ to the Inside


Is there a specific reason why you need to NAT from inside to dmz and dmz to inside?


HTH
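The four outcomes listed in the reply above can be checked with a small model. This is an added example, not part of the original thread and not ASA code: it assumes only that NAT exemption (nat 0 access-list) is evaluated before dynamic NAT, and the subnets 192.168.1.0/24 (inside) and 172.16.1.0/24 (dmz) and the function names are made up for illustration.

```python
import ipaddress

# Constructed sample: the reply's template with assumed subnets filled in.
CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
nat (dmz) 0 access-list no-nat
access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse(config):
    """Collect global pools, dynamic nat rules, exemption bindings and ACL entries."""
    pools, dynamic, exempt, acls = set(), [], {}, {}
    for line in config.splitlines():
        t = line.lower().split()
        if len(t) < 4:
            continue
        ifc = t[1].strip("()")
        if t[0] == "global":
            pools.add((ifc, t[2]))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            exempt[ifc] = t[4]
        elif t[0] == "nat":
            dynamic.append((ifc, t[2], net(t[3], t[4])))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
    return pools, dynamic, exempt, acls

def nat_decision(config, src_if, src_ip, dst_if, dst_ip):
    """Simplified model: exemption first, then dynamic nat/global by NAT id."""
    pools, dynamic, exempt, acls = parse(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s_net, d_net in acls.get(exempt.get(src_if), []):
        if src in s_net and dst in d_net:
            return "exempt"
    for ifc, nat_id, s_net in dynamic:
        if ifc == src_if and src in s_net:
            if (dst_if, nat_id) in pools:
                return f"dynamic via global ({dst_if}) {nat_id}"
            return "nat rule matched, no global on egress interface"
    return "no nat rule"
```
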



suschoud Thu, 09/25/2008 - 05:06

Just remove:



global (inside) 1 interface


Using:


no global (inside) 1 interface




Everything should work just fine with your config then.



Do rate helpful posts.



Regards,

Sushil
