NAT/PAT Configuration on ASA

Answered Question
May 6th, 2010

Hi Guys,

I have an ASA 5510 running OS image 7.0 (6). I am trying to understand how NAT/PAT works on these boxes.

I have a subnet, 10.0.0.0/24 that access a DMZ (eg. subnet 2.0.0.0/24). When accessing this DMZ I do not want any translation to occur. How do I configure this in the ASA?

I notice a line similar to the following already in place:

static (inside, DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

My question is, doesnt this just PAT everything to 10.0.0.0?


Thanks

Rgds

Scott

I have this problem too.
0 votes
Correct Answer by Jennifer Halim about 6 years 7 months ago

The following line:

static (inside, DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

basically means that no translation will occur for the whole 10.0.0.0/24 network. It's 1:1 NAT to itself, which essentially is no translation as the local and translated subnet in the above static statement is the same.

Inside network can access DMZ network, and vice versa without any translation. From DMZ network to access the inside network, if DMZ interface security level is lower than inside interface, you would need to configure access-list to allow/permit the traffic to be initiated from the DMZ network.

Hope that helps.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jennifer Halim Thu, 05/06/2010 - 19:19

The following line:

static (inside, DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

basically means that no translation will occur for the whole 10.0.0.0/24 network. It's 1:1 NAT to itself, which essentially is no translation as the local and translated subnet in the above static statement is the same.

Inside network can access DMZ network, and vice versa without any translation. From DMZ network to access the inside network, if DMZ interface security level is lower than inside interface, you would need to configure access-list to allow/permit the traffic to be initiated from the DMZ network.

Hope that helps.

Actions

This Discussion