Reasons to NAT Inside to DMZ (or DMZ to Inside)?

Oct 14th, 2009

I have been looking into this and I can only really find answers on how to technically achieve this, rather than whether it is necessary (or best practice).

Assuming (for example):

  • Inside /16
  • DMZ /24

Is there a reason why an inside host should reference a DMZ host by a fixed 172 address NATed to the actual 192 address?

Or, why a DMZ host should reference an inside host by a fixed 192 address NATed to the actual 172 address?

Is there a reason why the /24 should not be routable from inside hosts and that the "NAT" should not actually mask the addresses?

Again, I am more interested in what the objective should be, rather than the NAT rule/exception commands. What are the reasons for/against, and what is common practice?

Any help would be appreciated.

Panos Kampanakis Wed, 10/14/2009 - 04:44

It is by no means necessary or required.

Sometimes people prefer to have their network segmented in the sense that they only have a default gateway to browse the internet and everything else is local to them. In that case the DMZ host will look like an inside host to an inside host, but again not necessarily.

Some other times there are multiple hops when you go from the ASA DMZ to the inside host. So when the DMZ host is going to the inside, routing might not be set up in a way to reach the ASA before going to the inside. So translating the inside host to a DMZ IP address that there is a route to will be a quick and easy way to keep things working.

Another scenario could be having the email server on the DMZ and your inside DNS server giving out its IP address as an inside one. Then that server needs to be translated.

By no means necessary. DMZ to inside and inside to DMZ do not need to be translated as long as you don't need them to be for some reason and routing is set up properly.
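As an added illustration (not part of either reply, and not anything the poster configured), here is how the alternatives described above look in pre-8.3 ASA syntax. The interface names `inside` and `dmz`, the host addresses, and the ACL names are assumptions chosen to match the question's /16 inside and /24 DMZ.

```cisco
! Assumed addressing: inside 172.16.0.0/16, DMZ 192.168.1.0/24 (chosen to fit the question)
! Assumed hosts: inside mail relay 172.16.5.10, DMZ mail server 192.168.1.25
!
! Option A: no translation between inside and DMZ; routing must simply be correct end to end.
! NAT exemption (nat 0) lets inside hosts reach the DMZ /24 with their real addresses even
! though nat/global rules for internet access exist on the inside interface.
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Option B: the "DMZ-side routing does not know the inside" case.
! The inside host 172.16.5.10 appears on the DMZ as 192.168.1.200, an address that
! routers on the DMZ side already have a route to.
static (inside,dmz) 192.168.1.200 172.16.5.10 netmask 255.255.255.255
!
! Option C: the mail-server case. Inside DNS hands out 172.16.100.25 for the DMZ mail
! server, so that inside address has to be mapped to the real DMZ host.
static (dmz,inside) 172.16.100.25 192.168.1.25 netmask 255.255.255.255
!
! Translation alone never opens a path from the lower-security DMZ towards inside;
! an explicit ACL is still required. Pre-8.3 ACLs use the address as it appears on the
! interface where the ACL is applied, so the destination is the mapped 192.168.1.200.
access-list DMZ_IN extended permit tcp host 192.168.1.25 host 192.168.1.200 eq 25
access-group DMZ_IN in interface dmz
```

Option A is the "just route it" answer to the question; Options B and C are the two situations the reply names where a fixed translated address is chosen for convenience rather than necessity.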


jeromecandiff Wed, 10/14/2009 - 09:31

Working for an MSS, most of our clients that implement this do not route anything but DMZ traffic on the DMZ. Additionally, if there is more than one point of presence on the DMZ, using non-DMZ addresses may cause DMZ routers to send responses asynchronously via another path.

