I am new to Cisco ASA (7.2), which we are also using as a firewall/NAT. We have the following network (see the attached diagram). We just added a new DMZ with 10.x.x.35/24. Our internal network comprises some public IPs and some private IPs (10.x.y.99/24). When I introduced the new DMZ segment 10.x.x.35/24, our internal network with public IP 199.X.Y.99 could access the DMZ, but our private IPs (10.x.y.99/24) could not access the new DMZ.
I am NATing the internal network to a 157.21.x.x IP when accessing the Internet.
I found two solutions:
1. I found that I could use a nonat statement to fix the issue:
access-list nonat extended permit ip 10.x.y.0 255.255.255.0 10.x.x.0 255.255.255.0
nat (inside) 0 access-list nonat
2. I could use static NAT so that traffic moving from inside to the private DMZ translates to itself:
static (inside,newdmz) 10.x.y.0 10.x.y.0 netmask 255.255.255.0
Now, I have a few questions regarding the above solutions:
1. Why do you need nonat or static NAT for this situation? Is it because traffic is flowing from a higher-security (internal) to a lower-security (DMZ) interface?
2. I started to read about NAT control (http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530) and then I got totally confused. I could not find the no nat-control command on my firewall, so I am not sure how to check whether nat-control is disabled or not.
3. Which one is the best solution, or what are the advantages and disadvantages of the above solutions?
Answering your questions:
1. When you have nat-control enabled on your firewall, you need a NAT rule when moving traffic between two interfaces.
2. To check whether you have nat-control enabled, go to the CLI and issue the following command:
sh run nat-control
This will give you a one-line output. If this output is preceded by a 'no', this means that nat-control is disabled (which I don't think will be your case). This command does not appear in the regular show run.
3. I prefer using the static statement, because it will match only traffic that flows between those two interfaces, rather than the no-nat, which works for all traffic initiated on the inside, restricted only by an ACL.
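The two fixes from the question side by side, with the check and the verification commands a practitioner would run, as an added example (pre-8.3 ASA syntax, not configuration taken from the thread). The interface names inside, newdmz and outside, the placeholder 10.x.y.0/24 and 10.x.x.0/24 ranges, and the dynamic nat/global pair assumed for the 157.21.x.x Internet translation are taken or inferred from the question; the nat ID 1 and the test ports are assumptions. Two caveats worth knowing that the thread does not state: on these releases NAT exemption (nat 0 access-list) is evaluated before static and dynamic NAT and applies on every egress interface, whereas the identity static is scoped to the (inside,newdmz) pair only; and a host that matches a dynamic nat statement needs a global on the interface it exits, regardless of the nat-control setting, otherwise the packet is dropped with no translation group found, which is consistent with the private hosts failing while the untranslated public hosts pass.

```text
! Check the nat-control setting (not listed by a plain "show running-config");
! the single line of output is either "nat-control" or "no nat-control".
ciscoasa# show running-config nat-control

! Assumed existing rule that NATs the private range to 157.21.x.x for the Internet.
! Any host matching this rule also needs a translation on every other interface
! it sends to, which is why 10.x.y.0/24 cannot reach newdmz until one is added.
nat (inside) 1 10.x.y.0 255.255.255.0
global (outside) 1 157.21.x.x

! Option A: NAT exemption. Checked before static/dynamic NAT; the ACL controls
! which flows are exempted, and the exemption is bidirectional.
access-list nonat extended permit ip 10.x.y.0 255.255.255.0 10.x.x.0 255.255.255.0
nat (inside) 0 access-list nonat

! Option B: identity static NAT, limited to traffic between inside and newdmz.
static (inside,newdmz) 10.x.y.0 10.x.y.0 netmask 255.255.255.0

! Either option only supplies the translation. Connections initiated from the
! lower-security newdmz towards inside still need an ACL applied on newdmz.

! Verify: walk a packet from a private host to the DMZ host (packet-tracer is
! available from 7.2); the NAT phase should show which rule matched and the
! final result should be ALLOW.
ciscoasa# packet-tracer input inside tcp 10.x.y.99 12345 10.x.x.35 80

! After a real connection, the untranslated entry shows up in the xlate table.
ciscoasa# show xlate
```

If both options are configured at once, the nat 0 exemption wins for flows matching the nonat ACL because of the evaluation order above, so keep only the one you intend to rely on.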