ASA 8.3 Inside to DMZ communication

Answered Question
Jul 23rd, 2010

Hi guys,

I am working on deploying an ASA 5520 with 8.3.  The issue I am having is pretty simple.  What is the best way for me to allow traffic to communicate between my Inside network and my DMZ in regards to NAT?

Please keep in mind that 8.3 changes things with NAT commands.

Thanks for your help

Josh

Correct Answer by August Ritchie about 6 years 4 months ago

By default, ASA 8.3 does not enforce nat-control (the command in 8.2 and lower that forced a NAT translation to be required in order for the connection to be successful).

If you had nat-control enabled before you migrated, then you will have a nat-control equivalent configuration. You can see the configuration that it makes here.

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60212

So in theory, if your ASA is setup correctly, you shouldn't need a nat statement.

However, if you are having issues, I suggest identity NAT; it's easy to configure and often solves most issues.

Below is an example where I translate 192.168.1.0 to 192.168.1.0 when it goes to the dmz

! object holding the real inside subnet (the keyword is "object", and "subnet" is given once)
object network insideNetwork
  subnet 192.168.1.0 255.255.255.0
! second object with the same subnet carries the identity NAT rule:
! 192.168.1.0/24 is translated to itself (insideNetwork) when going inside -> dmz
object network insideDmz
  subnet 192.168.1.0 255.255.255.0
  nat (inside,dmz) static insideNetwork

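The following is an added example, not configuration from the thread or from Cisco. It shows the same identity NAT in the single-object form (the object translates to itself) using the addressing from Josh's follow-up (10.10.10.0/24 inside, 192.168.1.0/24 dmz), and the two commands a practitioner would use to confirm the rule is actually being hit. The object name INSIDE-NET and the interface names inside/dmz are assumptions for this example.

```cisco
! Added example (not from the thread): ASA 8.3 identity NAT for inside -> dmz.
! INSIDE-NET and the interface names are assumptions for this example.
!
! Without nat-control (the 8.3 default) inside -> dmz traffic is forwarded with
! no NAT rule at all; this rule just makes the "translate to itself" behaviour
! explicit, the 8.3 equivalent of an 8.2 "nat (inside) 0" statement.
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0
 nat (inside,dmz) static INSIDE-NET
!
! Reminder for 8.3: access-lists match the real (untranslated) address, so if an
! access-group is applied to the inside interface it must permit 10.10.10.0/24
! to 192.168.1.0/24. With no ACL on inside, the higher security level alone
! allows the traffic.
!
! Verify: the object NAT rule appears in section 2 of "show nat detail" with a
! translate_hits counter, and packet-tracer shows a NAT phase matching it.
show nat detail
packet-tracer input inside icmp 10.10.10.5 8 0 192.168.1.5
```

Running the packet-tracer before and after adding the rule is the quickest way to see that, on 8.3 without nat-control, the ICMP flow is allowed either way; the difference is only which (if any) NAT phase is listed in the output.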
Joshua Engels Fri, 07/23/2010 - 08:12

Just noticed something... correct me if I am wrong.

Do I even need a NAT setup to ping from an inside address to a dmz address?

Example:

Host 10.10.10.5 on the inside network can ping host 192.168.1.5 on the dmz network.

Is this possible without ever setting up any type of identity nat or nat 0?

Joshua Engels Fri, 07/23/2010 - 08:32

Thanks, that answers my question.  I am not migrating so everything is working without nat-control.  I was just confused that no identity NAT had been set up and I was still able to communicate successfully.  I believe that answers my question.

Thanks,
Josh
