confused on why NAT statement was needed

mjsully · ‎04-12-2010

I have an ASA with an inside, outside and dmz interface. I had a situation the other day where I needed to troubleshoot why a host off the dmz could not communicate with a host off the inside interface. I have a nat-exemption on the dmz interface that permits the dmz host to talk to the inside host without NAT, via the following:

nat (dmz) 0 access-list dmz-nat-exempt
access-list dmz-nat-exempt permit ip host 172.16.1.1 host 192.168.200.1

Note, I have an interface based access list on the dmz interface that allows the above communication as well.

I was under the impression that the nat-exempt statement above would allow the traffic, however, the firewall logs showed "no translation group found" when the dmz host 172.16.1.1 tried to communicate with the inside host 192.168.200.1. I was confused as to why it was doing this, but out of curiosity, I added the following to the inside interface:

nat (inside) 0 access-list inside-nat-exempt
access-list inside-nat-exempt permit ip host 192.168.200.1 host 172.16.1.1

Once I had that NAT-exemption in place, communication started working. I am confused as to why it was necessary to put the no NAT on the inside interface? All the communication between the DMZ and inside was initiated from the dmz, and I would have thought the DMZ no NAT would have been enough. Why is a no NAT for the return traffic necessary? What am I not understanding here?

Jennifer Halim · ‎04-12-2010

The NAT exemption statement should be configured on the higher security level interface. In your case, I assume inside has higher security level interface than dmz, therefore you would need to configure NAT exemption on the inside interface, and the NAT exemption is bidirectional.

Hope that helps.