ASA nat rules

Nov 16th, 2009

An ASA with inside, outside, DMZ1 and DMZ2 interfaces (only the DMZs are important here).

- DMZ1 has , security-level 40

- DMZ2 has , security-level 75 and a web server at

If I want to let the users from DMZ1 access the web server in DMZ2, do I need a NAT with real addresses and translated addresses?

Thank you!

Collin Clark Mon, 11/16/2009 - 06:33

You can NAT with the real addresses. Here's an example:

static (dmz,dmz2) netmask

Hope that helps.

Spinu Viorel Mon, 11/16/2009 - 06:57

Is it absolutely necessary to NAT?

If I don't configure NAT, will I not be able to access the web server?

Collin Clark Mon, 11/16/2009 - 07:02

NAT is necessary because you're going from a lower security level interface to a higher one. If you don't configure NAT, you will have no connections and you will receive some logs that state "no translation group found".

Panos Kampanakis Mon, 11/16/2009 - 11:04

The only case where you could do away with NAT is if you enable "no nat-control" and the ASA has routes to the IP addresses and the ACL on the outside interface is open.
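As an added illustration of the two answers above (constructed here, not configuration posted in the thread): a pre-8.3 ASA fragment that pairs the identity static for the DMZ2 web server with the inbound access-list the lower-security DMZ1 interface also needs. Interface names, addresses and the ACL name are placeholders; the two subnets are assumed to be 192.0.2.0/24 for DMZ1 and 198.51.100.0/24 for DMZ2.

```text
! Constructed example, not from the thread. Placeholder addresses:
!   DMZ1 network 192.0.2.0/24     (interface dmz1, security-level 40)
!   DMZ2 web server 198.51.100.10 (interface dmz2, security-level 75)
! Pre-8.3 NAT syntax, as used on the ASA in 2009.
!
! With nat-control enabled, every dmz1 -> dmz2 connection must match a
! translation or the ASA drops it and logs "no translation group found".
! With "no nat-control" (the default since 7.0) the static below is not
! required, but the access-list and the routes still are.
nat-control
!
interface GigabitEthernet0/2
 nameif dmz1
 security-level 40
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz2
 security-level 75
 ip address 198.51.100.1 255.255.255.0
!
! Identity static: the server keeps its real address when seen from dmz1.
! Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (dmz2,dmz1) 198.51.100.10 198.51.100.10 netmask 255.255.255.255
!
! Lower -> higher security traffic is denied unless an ACL on the ingress
! interface permits it. Allow only HTTP to the one server; log the rest.
access-list DMZ1_IN extended permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq www
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1
!
! Verification after a client in DMZ1 connects:
!   show xlate            -> the 198.51.100.10 identity entry should appear
!   show access-list DMZ1_IN -> the permit line's hitcnt should increment
```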


Spinu Viorel Tue, 11/17/2009 - 01:17

I am sorry to ask again. But it is not clear to me :)

I know that if you are going from a lower security level to a higher security level, you need an access-list that explicitly permits that traffic, and not a NAT translation. So my question is: do you need both an access-list and a NAT?

