global ( inside) and nat (inside)

semsemccie · ‎09-24-2008

Hi,

I have the flowing config

global (outside) 1 interface

global (inside) 1 interface

global (dmz) 1 interface

nat (dmz) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0 outside

Currently, DMZ users can access inside and outside via NAT

Once I add nat(inside) 1 0 0 , I can't access the inside PCs from DMZ.....I would like to allow inside users to go outside via nat(inside) and global(outside) ...any suggestions

I have asa 5505 ver 7.2(4).

Thanks,

andrew.prince · ‎09-25-2008

You need to look at your NAT design, I would use something like:-

Global (outside) 1 interface

NAT (inside) 1 x.x.x.x y.y.y.y

NAT (DMZ) 1 w.w.w.w z.z.z.z

nat (inside) 0 access-list no-nat

nat (dmz) 0 access-list no-nat

access-list no-nat permit ip x.x.x.x y.y.y.y w.w.w.w z.z.z.z

access-list no-nat permit ip w.w.w.w z.z.z.z x.x.x.x y.y.y.y

x.x.x.x = Inside IP subnet

y.y.y.y = Subnet mask

w.w.w.w = DMZ IP Subnet

z.z.z.z = Subnet mask

The above will NAT the Inside to the outside using the firewall outside IP address.

It will nat the DMZ to the outside using the firewall outside IP address.

It will NOT nat the Inside to the DMZ

It will NOT nat the DMZ to the Inside

Is there a specific reason why you need to NAT from inside to dmz and dmz to inside?

HTH>

suschoud · ‎09-25-2008

Just remove :

global (inside) 1 interface

Using :

no global (inside) 1 interface

everything should work just fine with ur config. then.

Do rate helpful posts.

Regards,

Sushil

semsemccie · ‎09-25-2008

I need global (inside) 1 interface rule because all users in DMZ come to inside via one IP

andrew.prince · ‎09-25-2008

I would probably use a static nat based on an acl.

HTH>