ROUTE traffic between Inside interface to DMZ interface, instead of NAT

Answered Question
Nov 24th, 2009

Good day everybody!

I am just asking about a possibility. My scenario is simple: 3 interfaces (inside, outside and dmz) and their security levels are 100, 0 and 50, respectively. Is there a way to route the traffic from inside to dmz (without changing the source IP address after it passes through the firewall) while still allowing NAT between the inside and outside interfaces? If there is, could you please also post the necessary configuration here? Thank you!

Collin Clark Tue, 11/24/2009 - 09:24

No NAT is needed from higher security interfaces to lower ones. The reason we use a NAT to outside is because we use RFC1918 addressing on the inside and it needs to be translated to a public IP.

Difan Zhao Tue, 11/24/2009 - 09:30

Hi Collin, thanks for the quick reply! Actually my addressing on the inside is 10.1.1.0/24 and on the dmz is 172.30.0.0/16. As you can see they are both private addresses. All the traffic going to the outside interface will be NATed. I just want traffic between inside and dmz to be routed, not NATed. Is this possible? Thanks!

Collin Clark Tue, 11/24/2009 - 09:36

Yes you can. No NAT is needed going from a higher security interface to lower ones (you're going from 100 to 50). If you were going from the DMZ to the inside you would need NAT, and to disable it you would NAT0 the address spaces.

Difan Zhao Tue, 11/24/2009 - 09:44

Actually I just configured the ASA and tested it, but it is not working. Here is my config:

interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.30.1.1 255.255.0.0

access-list ACL_dmz extended permit ip 10.1.1.0 255.255.255.0 172.30.0.0 255.255.0.0 log

nat (inside) 0 access-list ACL_dmz outside

access-list ACL_dmz_in extended permit ip any any

access-group ACL_dmz_in in interface dmz

I just configured this off the top of my head. There might be stupid mistakes... Please take a look. I won't have time to work on it today, but I will definitely try to fix it tomorrow. Thank you!

Correct Answer
grant.maynard Tue, 11/24/2009 - 09:52

Config looks fine to me, except for the stray "outside" on the end of "nat (inside) 0 access-list ACL_dmz". The "outside" keyword should be added if the interface with the nat statement is on a lower security level than the interface you identify by the matching global statement.

With OS v7.x or 8.x you could just turn off NAT for the whole firewall - "no nat-control". This means NAT is used if defined, else everything is assumed to be no-NAT.

Also with v7.x you could do a packet capture on the dmz interface to see what's happening.
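
Added example (not from any post in this thread): a complete pre-8.3 classic NAT configuration that puts the corrected exemption from the accepted answer next to the broken line, keeps PAT for inside-to-outside as Collin described, and adds the verification commands a practitioner would run instead of guessing. Interface names, ACL names and the 10.1.1.0/24 and 172.30.0.0/16 ranges follow the poster's config; the host addresses (10.1.1.20, 10.1.1.50, 172.30.1.10), the port 1433 rule and the capture name DMZCAP are assumptions for illustration. One caveat the thread does not spell out: NAT exemption via "nat 0 access-list" is bidirectional, so DMZ hosts can also reach 10.1.1.0/24 untranslated, and the only thing stopping them is the ACL applied inbound on dmz. The poster's "permit ip any any" there lets any compromised DMZ host open connections to the inside, so the example replaces it with a deny-by-default rule set.

```cisco
! Added example, ASA 7.x/8.2 classic NAT syntax (8.3 and later use object NAT).
! Names and subnets from the thread; host addresses and the 1433 rule are assumed.
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.30.1.1 255.255.0.0
!
! Flows matched by this ACL keep their real addresses in both directions.
access-list ACL_dmz extended permit ip 10.1.1.0 255.255.255.0 172.30.0.0 255.255.0.0
!
! Wrong (the poster's line): "outside" turns this into outside NAT, which only
! applies when the nat interface is the lower-security side. Inside-originated
! traffic then has no matching translation and is dropped when nat-control is on.
!   nat (inside) 0 access-list ACL_dmz outside
!
! Correct: plain NAT exemption. nat 0 needs no matching global statement.
nat (inside) 0 access-list ACL_dmz
!
! Inside and dmz both still get PAT behind the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 172.30.0.0 255.255.0.0
global (outside) 1 interface
!
! Alternative: with "no nat-control" (the default on 7.x/8.x) a flow with no
! nat/static/exemption match is forwarded untranslated instead of dropped.
! The nat 0 line is still the explicit, auditable choice.
!
! Limit what the DMZ may initiate toward the inside. NAT exemption alone
! permits it; "permit ip any any" inbound on dmz would allow all of it.
access-list ACL_dmz_in extended permit tcp 172.30.0.0 255.255.0.0 host 10.1.1.20 eq 1433
access-list ACL_dmz_in extended deny ip 172.30.0.0 255.255.0.0 10.1.1.0 255.255.255.0 log
access-list ACL_dmz_in extended permit ip 172.30.0.0 255.255.0.0 any
access-group ACL_dmz_in in interface dmz
!
! Verification (exec mode). packet-tracer walks the flow through the rule base;
! the NAT phase should report the exemption rather than a drop.
packet-tracer input inside tcp 10.1.1.50 40000 172.30.1.10 80
!
! No xlate should exist for the exempted flow, and the capture on dmz should
! show the untranslated 10.1.1.x source address on the wire.
show xlate
capture DMZCAP interface dmz match ip 10.1.1.0 255.255.255.0 172.30.0.0 255.255.0.0
show capture DMZCAP
no capture DMZCAP
```

The packet-tracer phases are the quickest way to tell the two failure modes apart: a drop in the NAT phase means a translation problem (such as the stray "outside" keyword), while a drop in the ACCESS-LIST phase means the interface ACL is the culprit. Run the same command with "input dmz" and a DMZ source to confirm the inbound ACL really blocks everything except the intended port.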

Difan Zhao Wed, 11/25/2009 - 14:33

Yup, after I removed the "outside" keyword from the NAT statement it worked... Thank you!
