ASA nat rules

Unanswered Question
Nov 16th, 2009
Hello,


An ASA with inside, outside, DMZ1 and DMZ2 interfaces (only the DMZs are important here).

- DMZ1 has 172.16.1.0/24, security-level 40

- DMZ2 has 172.20.3.0/24, security-level 75 and a web server at 172.20.3.8


If I want to let the users from DMZ1 access the web server on DMZ2, do I need a NAT with real addresses 172.16.1.0/24 and translated addresses 172.20.3.0/24?

Thank you!

Collin Clark Mon, 11/16/2009 - 06:33

You can NAT with the real addresses. Here's an example:


static (dmz,dmz2) 172.20.3.0 172.20.3.0 netmask 255.255.255.0


Hope that helps.

Spinu Viorel Mon, 11/16/2009 - 06:57

Is it absolutely necessary to NAT?

If I don't configure NAT, will I not be able to access the web server?

Collin Clark Mon, 11/16/2009 - 07:02

NAT is necessary because you're going from a lower security level interface to a higher one. If you don't configure NAT, you will have no connections and you will receive some logs that state "no translation group found".
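To make the two halves of that answer concrete, here is an added example configuration for the scenario in the question (pre-8.3 ASA NAT syntax, as used in the thread); it is not the configuration of any poster here. The subnets, security levels and the server address 172.20.3.8 come from the question; the interface names dmz1 and dmz2, the Ethernet ports and the interface IP addresses are assumptions. With nat-control enabled, the DMZ2 server needs a static (identity) translation so that DMZ1 hosts have a matching xlate, and because the flow goes from security-level 40 to 75 it also needs an explicit permit applied inbound on dmz1.

```cisco
! Added example configuration (pre-8.3 NAT syntax). Interface names,
! Ethernet ports and interface addresses are assumed, not from the thread.
interface Ethernet0/2
 nameif dmz1
 security-level 40
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/3
 nameif dmz2
 security-level 75
 ip address 172.20.3.1 255.255.255.0
!
! nat-control makes a translation mandatory for traffic crossing the ASA
nat-control
!
! Identity static: the DMZ2 web server is presented to DMZ1 under its
! real address. Syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip.
! Without this, the lower-to-higher flow is dropped with
! "no translation group found".
static (dmz2,dmz1) 172.20.3.8 172.20.3.8 netmask 255.255.255.255
!
! Lower-to-higher traffic also needs an explicit permit. Limit it to the
! server and ports actually required rather than the whole 172.20.3.0/24.
access-list DMZ1_IN extended permit tcp 172.16.1.0 255.255.255.0 host 172.20.3.8 eq www
access-list DMZ1_IN extended permit tcp 172.16.1.0 255.255.255.0 host 172.20.3.8 eq https
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1
```

Two things to check after applying this. First, binding an ACL inbound on dmz1 replaces the implicit permit that DMZ1 previously had towards lower-security interfaces such as outside, so any other flow DMZ1 legitimately needs must get its own entry. Second, verify the flow end to end with `packet-tracer input dmz1 tcp 172.16.1.50 1025 172.20.3.8 80` (172.16.1.50 is a constructed client address) and confirm the identity translation with `show xlate`; the trace shows which phase (ACL or NAT) drops the packet if either half is missing.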


Panos Kampanakis (Cisco Employee) Mon, 11/16/2009 - 11:04

The only case where you could do away with NAT is if you enable "no nat-control" and the ASA has routes to the IP addresses and the ACL on the outside interface is open.


PK

Spinu Viorel Tue, 11/17/2009 - 01:17

I am sorry to ask again. But it is not clear to me :)

I know that if you are going from a lower security level to a higher security level, you need an access-list that explicitly permits that traffic and not a NAT translation. So my question is: do you need both an access-list and a NAT?


