I have a Cisco ASA running 8.2 in routed mode.
The ASA has three interfaces: inside, outside and DMZ. They connect to the following three networks:
I have the following dynamic PAT configuration:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 18.104.22.168
nat control is turned off.
By my understanding any traffic from the inside to outside interface will be PATted to 22.214.171.124. However, communications between inside and the DMZ will not be PATted, and should work with no problems.
This seems to be corroborated by this document:
"The adaptive security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues."
I may have misunderstood the above statement.
I found this guide to configuring NAT/PAT:
"When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected."
Bit sneaky to not add this as a caveat in the configuration guide.
My problem is that packet tracer does not seem to bear me out. It tells me the packet is dropped due to "no matching global" when I source traffic from the inside interface and send it to the DMZ.
Does anyone have any ideas as to why this is? It seems odd that you'd have to configure nat exemption to communicate to every single other interface just to facilitate PAT between one interface pair.
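To show the two mechanisms the quoted guide names, a global with the same NAT ID on the other lower-security interface or an exemption with nat 0, here is an added ASA 8.2 configuration fragment that is not part of the original post; the DMZ interface name "dmz", DMZ_SUBNET/DMZ_MASK and DMZ_HOST are placeholders because the post does not give them.

```cisco
! Dynamic PAT from the post: NAT ID 1 on inside, global only on outside.
! With nat-control off the nat 1 rule still matches inside sources going to
! any lower-security interface, so a DMZ-bound packet hits "no matching global".
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 18.104.22.168

! Option A (guide: "a global command with the same NAT ID on each interface"):
! PAT inside -> DMZ traffic to the DMZ interface address. "dmz" is a placeholder.
global (dmz) 1 interface

! Option B (NAT exemption): keep real addresses between inside and the DMZ.
! nat 0 with an access-list is evaluated before the dynamic nat 1 rule.
! DMZ_SUBNET and DMZ_MASK are placeholders for the DMZ network.
access-list INSIDE_TO_DMZ_NONAT extended permit ip 10.1.1.0 255.255.255.0 DMZ_SUBNET DMZ_MASK
nat (inside) 0 access-list INSIDE_TO_DMZ_NONAT

! Re-check with packet-tracer; DMZ_HOST is a placeholder for a DMZ server address.
packet-tracer input inside tcp 10.1.1.10 12345 DMZ_HOST 80
```

Apply only one of the two options for the inside/DMZ pair; with Option B the packet-tracer output should show a NAT-exempt phase instead of the drop.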