ASA nat rules

Spinu Viorel
Level 1

Hello,

An ASA with inside, outside, DMZ1 and DMZ2 interfaces (only the DMZs are important here).

- DMZ1 has 172.16.1.0/24, security-level 40

- DMZ2 has 172.20.3.0/24, security-level 75 and a web server at 172.20.3.8

If I want to let the users from DMZ1 to access the web server from DMZ2, do I need a NAT with real addresses 172.16.1.0/24 and translated addresses 172.20.3.0/24 ?

Thank you!

6 Replies

Collin Clark
VIP Alumni

You can NAT with the real addresses. Here's an example (identity static for the DMZ2 subnet, written in pre-8.3 syntax: real interface first, then the interface where the mapped address appears):

static (dmz2,dmz1) 172.20.3.0 172.20.3.0 netmask 255.255.255.0

Hope that helps.

Is this absolutely necessary to NAT?

If I don't configure NAT, will I not be able to access the web server?

NAT is necessary because you're going from a lower security level interface to a higher one. If you don't configure NAT, you will have no connections and you will receive some logs that state "no translation group found".

The only case where you could do away with NAT is if you enable "no nat-control" and the ASA has routes to the IP addresses and the ACL on the outside interface is open.

PK
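To show the static-plus-ACL arrangement the two answers above describe as one working unit, here is a pre-8.3 ASA configuration written for this page (it is not config posted by any participant). It assumes the nameifs are dmz1 and dmz2, that the ASA holds the .1 address in each DMZ subnet, and that the DMZs sit on GigabitEthernet0/2 and 0/3; all of those are assumptions, as is the client address used in the packet-tracer check.

```cisco
! Added example, not from the thread. Goal: let DMZ1 (security-level 40) reach
! the web server 172.20.3.8 in DMZ2 (security-level 75) on an ASA with nat-control.
! Interface names, slots and .1 addresses are assumptions.
interface GigabitEthernet0/2
 nameif dmz1
 security-level 40
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz2
 security-level 75
 ip address 172.20.3.1 255.255.255.0
!
! 1. Translation. With nat-control enabled, a connection initiated from a lower to a
!    higher security interface must match a static for the destination host; otherwise
!    the ASA drops it and logs %ASA-3-305005 "No translation group found". An identity
!    static keeps the server reachable at its real address. (Format: real_ifc,mapped_ifc
!    mapped_ip real_ip.) Scoped to the single host rather than the whole /24.
static (dmz2,dmz1) 172.20.3.8 172.20.3.8 netmask 255.255.255.255
!
! 2. Access policy. Lower-to-higher traffic is denied by default, so the static alone is
!    not enough; an ACL applied inbound on dmz1 must permit it. Once an ACL is applied
!    the interface loses its implicit permit to lower-security interfaces and ends in an
!    implicit deny, so add further permits here for any DMZ1 traffic to outside.
access-list DMZ1_IN extended permit tcp 172.16.1.0 255.255.255.0 host 172.20.3.8 eq 80
access-group DMZ1_IN in interface dmz1
!
! 3. Verify from the CLI: simulate a DMZ1 client (assumed 172.16.1.10) opening port 80.
!    The trace should show a NAT phase matching the static above and end in "Action: allow".
packet-tracer input dmz1 tcp 172.16.1.10 40000 172.20.3.8 80
```

If the packet-tracer output stops at the NAT phase with a drop, the static is missing or points the wrong way (real interface must be the one the server is on); if it stops at the ACCESS-LIST phase, the access-group is the problem. On ASA 8.3 and later nat-control no longer exists, so the access-list by itself is sufficient and the static, if you still want to pin the server's address, becomes an object NAT (object network with a nat (dmz2,dmz1) static line).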

I am sorry to ask again, but it is not clear to me :)

I know that if you are going from a lower security level to a higher security level, you need an access-list that explicitly permits that traffic and not a NAT translation. So my question is: do you need both an access-list and a NAT?
