I have an ASA with an inside, outside and dmz interface. I had a situation the other day where I needed to troubleshoot why a host off the dmz could not communicate with a host off the inside interface. I have a nat-exemption on the dmz interface that permits the dmz host to talk to the inside host without NAT, via the following:
nat (dmz) 0 access-list dmz-nat-exempt
access-list dmz-nat-exempt permit ip host 172.16.1.1 host 192.168.200.1
Note, I have an interface based access list on the dmz interface that allows the above communication as well.
I was under the impression that the nat-exempt statement above would allow the traffic; however, the firewall logs showed "no translation group found" when the dmz host 172.16.1.1 tried to communicate with the inside host 192.168.200.1. I was confused as to why it was doing this, but out of curiosity, I added the following to the inside interface:
nat (inside) 0 access-list inside-nat-exempt
access-list inside-nat-exempt permit ip host 192.168.200.1 host 172.16.1.1
Once I had that NAT-exemption in place, communication started working. I am confused as to why it was necessary to put the no NAT on the inside interface. All the communication between the DMZ and inside was initiated from the dmz, and I would have thought the DMZ no NAT would have been enough. Why is a no NAT for the return traffic necessary? What am I not understanding here?
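As an added troubleshooting aid (example code written for this page, not anything from the original post or from Cisco), the following script parses the two `nat (ifc) 0 access-list` exemptions and their host-to-host ACL entries from a constructed config modelled on the post, parses a constructed syslog line in the `%ASA-3-305005` "No translation group found" format (the port numbers are made up), and reports which interface lacks an exemption for the logged flow. The check encodes the behaviour the poster observed, taken here as an assumption: the flow needs an exemption on the source interface for src->dst and one on the destination interface for dst->src.

```python
import re
from collections import defaultdict

# Constructed config modelled on the post: only the dmz-side exemption exists.
CONFIG_BEFORE = """
nat (dmz) 0 access-list dmz-nat-exempt
access-list dmz-nat-exempt permit ip host 172.16.1.1 host 192.168.200.1
"""

# Same config after the poster added the inside-side exemption.
CONFIG_AFTER = CONFIG_BEFORE + """
nat (inside) 0 access-list inside-nat-exempt
access-list inside-nat-exempt permit ip host 192.168.200.1 host 172.16.1.1
"""

# Constructed syslog line in the %ASA-3-305005 format; ports are invented.
LOG_LINE = ("%ASA-3-305005: No translation group found for tcp "
            "src dmz:172.16.1.1/41532 dst inside:192.168.200.1/445")

NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)\s*$")
LOG_RE = re.compile(r"%ASA-\d-305005: No translation group found for (\w+) "
                    r"src (\S+):(\S+)/(\d+) dst (\S+):(\S+)/(\d+)")


def parse_exemptions(config_text):
    """Return {interface: {(src_host, dst_host), ...}} for every 'nat (ifc) 0 access-list' rule.

    Only 'permit ip host A host B' entries are modelled, which is all the post uses."""
    acl_by_ifc = {}
    acl_entries = defaultdict(set)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT0_RE.match(line)
        if m:
            acl_by_ifc[m.group(1)] = m.group(2)
            continue
        m = ACL_RE.match(line)
        if m:
            acl_entries[m.group(1)].add((m.group(2), m.group(3)))
    return {ifc: acl_entries[acl] for ifc, acl in acl_by_ifc.items()}


def parse_305005(line):
    """Extract protocol, interfaces and hosts from a 305005 message; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, src_ifc, src, _sport, dst_ifc, dst, _dport = m.groups()
    return {"proto": proto, "src_ifc": src_ifc, "src": src,
            "dst_ifc": dst_ifc, "dst": dst}


def missing_exemptions(config_text, log_line):
    """List the interfaces that lack a nat 0 entry covering the logged flow.

    Assumption (matches what the poster saw): the source interface needs src->dst
    and the destination interface needs the reverse pair dst->src."""
    flow = parse_305005(log_line)
    if flow is None:
        return None
    exempt = parse_exemptions(config_text)
    missing = []
    if (flow["src"], flow["dst"]) not in exempt.get(flow["src_ifc"], set()):
        missing.append(flow["src_ifc"])
    if (flow["dst"], flow["src"]) not in exempt.get(flow["dst_ifc"], set()):
        missing.append(flow["dst_ifc"])
    return missing


if __name__ == "__main__":
    print("before fix, missing on:", missing_exemptions(CONFIG_BEFORE, LOG_LINE))
    print("after fix, missing on: ", missing_exemptions(CONFIG_AFTER, LOG_LINE))
```

Run against the "before" config the script names `inside` as the interface without a matching exemption, which is exactly the interface the poster had to add `nat (inside) 0` to; against the "after" config it reports nothing missing. Feeding it real 305005 lines and a real `show running-config` excerpt is a quick way to see which side of a flow the firewall is complaining about before touching the config.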