NAT - Inside to DMZ via Public IP

Unanswered Question
Jan 28th, 2009

Hi all,

Another DMZ question I'm afraid. I'm trying to achieve the following and any assistance would be great.

I want my Inside to be PAT'd to the Outside and DMZ. I also need my Inside to be able to access the DMZ via the external (212.*.*.0) as well as the internal ( addresses. I can get the Inside connected to the DMZ / Outside via PAT, and the static map works for Outside connections. When I add the line (below), it not only fails to work but it stops the Inside accessing the DMZ on (via PAT).

"static (DMZ,Inside) 212.*.*.2 netmask"

The ACLs on all interfaces are set to permit ip any any.

ASA 5510 (8.0)



Outside 212.*.*.*/26

global (Outside) 101 interface

global (DMZ) 1 interface

nat (Inside) 1 access-list Inside_nat_outbound

nat (Inside) 101

nat (DMZ) 101

static (DMZ,Outside) 212.*.*.2 netmask

static (DMZ,Inside) 212.*.*.2 netmask

Many thanks.

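As an added example, not the original poster's configuration, here is a complete pre-8.3 ASA NAT layout for the scenario described in the post above. The addresses are assumed: Inside 10.1.1.0/24, DMZ 10.1.2.0/24 with a web server at 10.1.2.10, and the documentation block 203.0.113.0/26 standing in for the 212.*.*.*/26 public range, with 203.0.113.2 as the server's public address. The interface names and security levels are assumed as well.

```text
! Added example (not the original poster's config). Assumed addressing:
!   Inside  10.1.1.0/24  (security-level 100)
!   DMZ     10.1.2.0/24  (security-level 50), server 10.1.2.10
!   Outside 203.0.113.0/26 (security-level 0), server published as 203.0.113.2
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.1 255.255.255.192
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Dynamic PAT: hosts leaving towards a lower-security interface use that
! interface's address. nat id 1 on Inside pairs with global id 1 on both
! Outside and DMZ, depending on where the packet egresses.
global (Outside) 1 interface
global (DMZ) 1 interface
nat (Inside) 1 10.1.1.0 255.255.255.0
nat (DMZ) 1 10.1.2.0 255.255.255.0
!
! Publish the DMZ server to the Outside. A static is bidirectional:
! inbound packets to 203.0.113.2 are untranslated to 10.1.2.10, and the
! server's own traffic towards Outside leaves as 203.0.113.2. Statics
! take precedence over the dynamic nat/global pair for this host.
static (DMZ,Outside) 203.0.113.2 10.1.2.10 netmask 255.255.255.255
!
! Make the same server reachable from Inside on its public address.
! Same real/mapped pair, but across the DMZ/Inside interface pair.
! Once this exists, every flow between 10.1.2.10 and Inside is governed
! by it, so Inside clients must address the server as 203.0.113.2.
static (DMZ,Inside) 203.0.113.2 10.1.2.10 netmask 255.255.255.255
!
! Inbound access to the published service (higher-to-lower security
! traffic, e.g. Inside to DMZ, is permitted without an ACL by default).
access-list Outside_in extended permit tcp any host 203.0.113.2 eq 80
access-group Outside_in in interface Outside
```

With the second static in place, an Inside connection aimed at 10.1.2.10 itself is rejected by the ASA's NAT reverse-path check, because the reply from 10.1.2.10 would be translated to 203.0.113.2 and no longer match the forward flow (logged as %ASA-5-305013, "Asymmetric NAT rules matched for forward and reverse flows"); this is consistent with the symptom the post describes for Inside hosts that kept using the private address. Other DMZ hosts, which have no static, are still reached through the Inside-to-DMZ PAT. `packet-tracer input Inside tcp 10.1.1.5 1025 203.0.113.2 80` and `show xlate` show which translation a given flow hits.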
victor_87 Wed, 01/28/2009 - 08:48

In the first command you say the outside interface is associated with the 212.***** IP address; in the next command you say that it is associated with the inside interface. A single subnet cannot be associated with two different interfaces. That's my logic.

Anyone else could explain better ??

spetersmmc Wed, 01/28/2009 - 09:06

Hi Victor,

Thanks for your response. My understanding from the documentation was that traffic can't traverse between interfaces without a NAT. So every interface (Outside and Inside) which needs to have visibility of the address (212.*.*.2) needs a static NAT connecting them to the source IP. I think you're correct in that you couldn't associate a subnet with more than one interface, but these static NATs have a host mask. I believe this is a form of hairpinning.


victor_87 Wed, 01/28/2009 - 18:03

You must have misinterpreted the documentation you read; NAT is not mandatory for traffic to traverse interfaces.

Traffic can traverse interfaces using mere routing on a PIX or ASA. You only require appropriate access-lists allowing traffic into the higher security interfaces.

victor_87 Wed, 01/28/2009 - 20:49

Sorry, I was driving to work and suddenly I realised that I screwed up the last reply completely. You indeed read the documentation right, and NAT is mandatory to traverse interfaces,

but instead of using a different IP to NAT,

you can use something like

static (inside, DMZ) netmask

This will do the job without changing anything.

Sorry again for the wrong replies.

spetersmmc Thu, 01/29/2009 - 02:19

Hi Victor,

No problem, any feedback is very much appreciated.

From what I can see, the line below…


static (inside, DMZ) netmask

…would present the Inside address of to the DMZ, as I would have transposed the interfaces, but I guess static NATs are bidirectional so it doesn't make any difference. I would have thought that the NAT to DMZ PAT would have taken care of this, though.

global (DMZ) 1 interface

nat (Inside) 1 access-list Inside_nat_outbound

Should I remove my PAT and replace it with your suggested static NAT?


victor_87 Thu, 01/29/2009 - 22:00

Your config is good enough; it must work without any issues.

