confused on why NAT statement was needed

Unanswered Question
Apr 12th, 2010

I have an ASA with an inside, outside and dmz interface. I had a situation the other day where I needed to troubleshoot why a host off the dmz could not communicate with a host off the inside interface. I have a nat-exemption on the dmz interface that permits the dmz host to talk to the inside host without NAT, via the following:

nat (dmz) 0 access-list dmz-nat-exempt
access-list dmz-nat-exempt permit ip host host

Note, I have an interface based access list on the dmz interface that allows the above communication as well.

I was under the impression that the nat-exempt statement above would allow the traffic; however, the firewall logs showed "no translation group found" when the dmz host tried to communicate with the inside host. I was confused as to why it was doing this, but out of curiosity, I added the following to the inside interface:

nat (inside) 0 access-list inside-nat-exempt
access-list inside-nat-exempt permit ip host host

Once I had that NAT-exemption in place, communication started working. I am confused as to why it was necessary to put the no NAT on the inside interface. All the communication between the DMZ and inside was initiated from the dmz, and I would have thought the DMZ no NAT would have been enough. Why is a no NAT for the return traffic necessary? What am I not understanding here?

Jennifer Halim Mon, 04/12/2010 - 06:38
User Badges:
  • Cisco Employee

The NAT exemption statement should be configured on the higher security level interface. In your case, I assume inside has higher security level interface than dmz, therefore you would need to configure NAT exemption on the inside interface, and the NAT exemption is bidirectional.

Hope that helps.
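The rule in the answer, turned into a small checker (an added example, not from this thread or from Cisco): it parses the two config fragments the question quotes, assumes constructed security levels (inside 100, dmz 50, outside 0) and constructed host addresses (10.1.0.10 inside, 10.2.0.10 dmz), and looks the exemption up only on the higher-security interface of the flow, matching the ACL in reverse for traffic initiated from the lower-security side. It models the stated rule, not the ASA's real NAT engine.

```python
import re

# Constructed security levels for the three interfaces in the question.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

def parse_config(text):
    """Return {interface: [(local_host, remote_host), ...]} for each
    'nat (ifc) 0 access-list NAME' line and its 'permit ip host A host B' entries."""
    nat0 = {}   # interface -> ACL name
    acls = {}   # ACL name -> list of (src, dst) host pairs
    for line in text.splitlines():
        m = re.match(r"\s*nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            nat0[m.group(1)] = m.group(2)
            continue
        m = re.match(r"\s*access-list (\S+) permit ip host (\S+) host (\S+)", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return {ifc: acls.get(name, []) for ifc, name in nat0.items()}

def exempted(exemptions, src_if, src_ip, dst_if, dst_ip):
    """Apply the answer's rule: the exemption must live on the higher-security
    interface of the pair, and it applies in both directions, so a flow from
    the lower-security side is matched against the ACL with source/destination
    swapped. A False result corresponds to 'no translation group found'."""
    high_if = max((src_if, dst_if), key=SECURITY_LEVEL.__getitem__)
    if src_if == high_if:
        local, remote = src_ip, dst_ip
    else:
        local, remote = dst_ip, src_ip
    return (local, remote) in exemptions.get(high_if, [])

# Constructed reproduction of the two configurations from the question.
CFG_DMZ_ONLY = """
nat (dmz) 0 access-list dmz-nat-exempt
access-list dmz-nat-exempt permit ip host 10.2.0.10 host 10.1.0.10
"""
CFG_WITH_INSIDE = CFG_DMZ_ONLY + """
nat (inside) 0 access-list inside-nat-exempt
access-list inside-nat-exempt permit ip host 10.1.0.10 host 10.2.0.10
"""

def dmz_to_inside_ok(cfg):
    """Does a dmz-initiated flow 10.2.0.10 -> 10.1.0.10 find an exemption?"""
    return exempted(parse_config(cfg), "dmz", "10.2.0.10", "inside", "10.1.0.10")

if __name__ == "__main__":
    print("dmz exemption only :", dmz_to_inside_ok(CFG_DMZ_ONLY))      # False
    print("plus inside exempt :", dmz_to_inside_ok(CFG_WITH_INSIDE))   # True
```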

