DMZ Access Nat Question

Would like to know how to allow access to or from the DMZ network.

A few questions:

1. As traffic from a higher security level to a lower one flows without any access list, then can't it flow from the inside interface to the DMZ by default?

2. If not, how can we allow access to the DMZ network from the inside? Is it nat (inside,dmz) <int add> <dmz add> netmask or nat (dmz,inside) <dmz add> <int add> netmask? How exactly does it work?



acomiskey Fri, 10/31/2008 - 05:59

Let's say your internal network is

static (inside,dmz) netmask

Brent Rockburn Fri, 10/31/2008 - 09:33

You shouldn't require NATting from the DMZ to the inside network. You should be able to get from the inside to the DMZ without issue, as long as proper routing is in place to the inside if there is a different network involved.

The trick comes when you try to get from the DMZ to the inside network. In this case you'll require an ACL allowing traffic from the DMZ as a source to the inside as the destination.

Jon Marshall Fri, 10/31/2008 - 09:39


Just to clarify.

1) If traffic is initiated from the inside to the DMZ then you do not need NAT and you do not need an ACL - providing the connection is stateful, such as TCP/UDP.

2) If the traffic is initiated from the DMZ then you do need NAT (see Adam's post), or you could turn off NAT altogether.

You also need an ACL on the DMZ interface, as per Brent's post.

Adam - just read your interview. If you get the chance could you have a look in NetPro ideas section where there is a thread about what to put in a guidance page for new posters so they can post the right information. Would be good to have your input.


acomiskey Fri, 10/31/2008 - 09:58


About number 1. Why can I never initiate traffic from the inside to the DMZ without NAT? Wouldn't the reply from the DMZ require it?

I also posted to your guidance post.

Jon Marshall Fri, 10/31/2008 - 10:04

You see, that is why you are top of the firewalling group and I am only a lowly second :)

I can't believe I said that, as it was something I always forgot to configure when I was setting up a PIX and it always caught me out.

Thanks for putting me straight Adam - rated.

Sushil - apologies for the misleading post.


acomiskey Fri, 10/31/2008 - 10:07

Most of the time I don't contradict anyone here...especially a purple star...haha.

Brent Rockburn Fri, 10/31/2008 - 10:17

Sorry guys I know I must really sound like a newb but I'd like to ask a question.

If the DMZ subnet is, let's say, and the internal network is, and I'm only NATting out the outside interface, then why again do I need to NAT from the DMZ to the inside?

Thanks for your patience.


Jon Marshall Fri, 10/31/2008 - 10:22


No need to apologize - look at the mess I made of it :-)

Unless you turn off NAT completely, to go from a lower to a higher security interface, i.e. DMZ -> inside, you need to

1) set up a static NAT translation for the inside address(es)

2) allow the traffic in an ACL.

You only need to do this for traffic initiated from the DMZ to the inside.


Brent Rockburn Fri, 10/31/2008 - 10:32

Oh I see what you're saying ... just to clarify for myself here ..

1. If you have something like nat (dmz) 1 and then global (dmz) 1

Then you would need to translate it back to something your inside network would understand, and an ACL to allow the access.

Sorry guys, I didn't read clearly enough and assumed the DMZ wasn't NATted.

Thanks a lot for your information, guys. Let me put down with an example what I have learnt about this and a few doubts on the same.

Say the IP of inside is, DMZ and outside a.b.c.d/29.

Now nat (inside) 1

nat (dmz) 1

global (outside) 1 a.b.c.d/29 or interface.

Now I can go to the outside from inside and DMZ. And I should be able to go from inside to the DMZ network as well....

Now say my mail server in the DMZ is statically NATted with a publicly routable address and its DMZ IP is; it is accessible, but not for the internal network. So to allow this from internal do I need the same as what Adam has posted? i.e. static (inside,dmz) netmask.

I can make out this static identity NAT for the inside network when accessed by the DMZ.

But as my DMZ server must be accessible to internal, will this work by default? My motive is to allow this server in the DMZ to internal.

Jon, what do you mean by completely turning off NAT? In my case nat-control for the ASA is turned off.

Moreover, can you guys explain the difference between identity NAT and NAT exemption?

Thanks a lot.
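
A constructed PIX/ASA 7.x/8.2-style fragment (an added example, not config posted by anyone in this thread) that puts Jon's two steps for DMZ -> inside traffic next to the identity NAT / NAT exemption question asked above. The networks 10.1.1.0/24 (inside), 192.168.10.0/24 (DMZ) and the mail server 192.168.10.25 are placeholder values, not from the thread.

```text
! Constructed example. Assumes: inside 10.1.1.0/24 at security-level 100,
! dmz 192.168.10.0/24 at security-level 50, dmz mail server 192.168.10.25.
nat-control
!
! Outbound PAT: inside and dmz both hide behind the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
!
! Step 1 - static identity NAT (what Adam's static (inside,dmz) line does):
! real address == mapped address, so inside hosts appear unchanged on the dmz.
! With nat-control on, this is the translation that inside -> dmz connections
! need; it also lets dmz hosts initiate to inside addresses (subject to the ACL).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Alternative - NAT exemption. Keyed on source AND destination, bidirectional,
! and evaluated before any nat/global or static rule; unlike plain identity
! NAT (nat 0 <net> <mask> with no access-list) it also allows the dmz side
! to initiate. Use one or the other for the same inside/dmz pair, not both.
! access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
! nat (inside) 0 access-list NO_NAT
!
! Step 2 - ACL on the dmz interface. Lower -> higher security is denied until
! permitted, so list only what the dmz host must reach inside, deny the rest
! of the inside explicitly, then let normal dmz -> outside traffic through.
access-list dmz_in extended permit tcp host 192.168.10.25 10.1.1.0 255.255.255.0 eq smtp
access-list dmz_in extended deny ip any 10.1.1.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.10.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Inside -> dmz connections (for example, internal users reaching the DMZ mail server) need no entry in dmz_in; the stateful return traffic is matched to the existing connection.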


risenshine4th Tue, 11/04/2008 - 14:19

I am trying to fix a similar situation.

I need the "Masters" to review my configs so I can share the knowledge.

I can get to the Internet from the DMZ and the inside interfaces.

I'm trying to allow the inside interface to be able to access anything in the DMZ.

I would like to be able to browse the webpages.

Also I am trying to allow remote desktop into the DMZ... I want to keep the DMZ limited to the access rules and ports defined.

I've got several public IPs that go to the DMZ and inside depending on the port and service.

I've attached a clean detailed config.
