DMZ & NONAT

Answered Question
Dec 29th, 2009

Hi

I am new to Cisco ASA (7.2), which we are also using as a FIREWALL/NAT. We have the following network (look at the attached diagram). We just added a new dmz with 10.x.x.35/24. We have our Internal Network comprising some public IP & some private IP (10.x.y.99/24). When I introduce the new dmz segment 10.x.x.35/24, our Internal Network with Public IP 199.X.Y.99 could access the DMZ but our private IP (10.x.y.99/24) could not access the new dmz.

I am NATing the Internal network to a 157.21.x.x IP when trying to access the Internet.


I found two solutions:

=======================================================================

1. I found that I could use a nonat statement to fix the issue:

access-list nonat extended permit ip 10.x.y.0 255.255.255.0 10.x.x.0 255.255.255.0

nat (inside) 0 access-list nonat

OR

2. I could use static NAT so that when moving from inside to privatedmz it translates to itself:

static (inside,newdmz) 10.x.y.0 10.x.y.0 netmask 255.255.255.0

==========================================================================

Now, I have a few questions regarding the above solutions:

1. Why do you need nonat or static NAT for this situation? Is it because traffic is flowing from a higher (Internal) to a lower (dmz) interface?

2. I started to read about NAT control http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530 & then I totally got confused. I could not find the no-nat control command on my firewall, so I am not sure how to check whether nat-control is disabled or not?

3. Which one is the best solution, or what are the advantages and disadvantages of the above solutions?

Sincerely

Viral

Correct Answer by yamramos.tueme, Thu, 01/07/2010 - 14:13

Hi Viral,

Answering your questions:

1. When you have nat-control enabled on your firewall, you need a NAT rule when moving traffic between two interfaces.

2. To check if you have nat-control enabled, go to the CLI and issue the following command:

sh run nat-control

This will give you a one-line output. If this output is preceded by a 'no', this means that nat-control is disabled (which I don't think will be your case). This command does not appear in the regular show run.

3. I prefer using the static statement, because it will match only traffic that flows between those two interfaces, rather than the nonat, which works for all traffic initiated on the inside but restricted with an ACL.

Cheers!

- Yamil
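A small simulation of the scoping difference Yamil describes in point 3, added here as an illustration (it is not code from the thread or from Cisco): it models the ASA 7.x lookup order of nat 0 exemption, then static, then dynamic NAT for the two fixes in the question, using constructed sample subnets 10.1.2.0/24 (inside) and 10.1.3.0/24 (newdmz) in place of the post's masked ranges, and shows that the nat 0 ACL matches on ingress interface plus addresses while the static matches only the inside/newdmz interface pair, and that with nat-control on an unmatched flow is dropped.

```python
import ipaddress

# Constructed sample ranges standing in for the post's masked 10.x.y.0/24 (inside)
# and 10.x.x.0/24 (newdmz); they are not the poster's real addresses.
INSIDE_NET = ipaddress.ip_network("10.1.2.0/24")
DMZ_NET = ipaddress.ip_network("10.1.3.0/24")
OUTSIDE_POOL = "157.21.x.x"  # placeholder for the poster's masked global pool


def nat_exempt(src_if, src, dst):
    # access-list nonat permit ip 10.x.y.0/24 10.x.x.0/24 + nat (inside) 0 access-list nonat
    # Scoped by ingress interface and ACL only; the egress interface is not part of the match.
    if src_if == "inside" and src in INSIDE_NET and dst in DMZ_NET:
        return ("exempt", str(src))
    return None


def static_identity(src_if, dst_if, src):
    # static (inside,newdmz) 10.x.y.0 10.x.y.0 netmask 255.255.255.0
    # Matches only the inside -> newdmz interface pair; the source translates to itself.
    if src_if == "inside" and dst_if == "newdmz" and src in INSIDE_NET:
        return ("static", str(src))
    return None


def dynamic_nat(src_if, dst_if, src):
    # nat (inside) 1 <inside net> + global (outside) 1 <pool>: the existing Internet NAT.
    if src_if == "inside" and dst_if == "outside" and src in INSIDE_NET:
        return ("dynamic", OUTSIDE_POOL)
    return None


def translate(src_if, dst_if, src_ip, dst_ip, fix="none", nat_control=True):
    """Return (action, translated_src) for one flow.

    fix selects which of the two configurations from the question is present:
    "nonat", "static" or "none". Lookup order follows ASA 7.x: exemption,
    then static, then dynamic; with nat-control on, an unmatched flow is dropped.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    rules = []
    if fix == "nonat":
        rules.append(nat_exempt(src_if, src, dst))
    elif fix == "static":
        rules.append(static_identity(src_if, dst_if, src))
    rules.append(dynamic_nat(src_if, dst_if, src))
    for hit in rules:
        if hit:
            return hit
    return ("drop", None) if nat_control else ("untranslated", str(src))
```

Running `translate("inside", "newdmz", "10.1.2.9", "10.1.3.5")` with no fix reproduces the poster's symptom (drop), while `fix="nonat"` also matches the same flow if it egresses a third interface, which `fix="static"` does not.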
