Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

NAT behavior in ASA 8.4 versus 9.0

Unanswered Question
Mar 20th, 2014
User Badges:

I have this configuration:

<span style="font-family: 'courier new', courier, monospace; font-size: 12px;">int g0<br />&nbsp;&nbsp;ip address<br />&nbsp;&nbsp;nameif inside<br />&nbsp;&nbsp;security-level 100<br />int g1<br />&nbsp;&nbsp;ip address<br />&nbsp;&nbsp;nameif outside<br />&nbsp;&nbsp;security-level 0<br />int g2<br />&nbsp;&nbsp;ip address<br />&nbsp;&nbsp;nameif DMZ<br />&nbsp;&nbsp;security-level 50</span><font face="courier new, courier, monospace">route outside</font><span style="font-family: 'courier new', courier, monospace; font-size: 12px;">object network REAL<br />&nbsp;&nbsp;</span><span style="font-family: 'courier new', courier, monospace; font-size: 12px;">host</span><span style="font-size:12px;"><span style="font-family:courier new,courier,monospace;">object network MAPPED<br />&nbsp; host</span></span><span style="font-size:12px;"><span style="font-family:courier new,courier,monospace;">nat (inside,DMZ) source static any any destination static MAPPED REAL unidirectional</span></span>

------------------ is a server in the DMZ. Its public IP address to the internet is  I want to be able to reach the server from the inside interface using its REAL and MAPPED ip addresses. Furthermore, I want to be able to reach hosts on the inside network from that server using the server's real IP address. So, I only want it NATted when the inside host is trying to communicate with the server using its public IP.

In ASA 8.4.2, I was able to use the nat statement above and got the behavior I wanted. The ASA would know that the destination interface is "DMZ", NAT the traffic, and send it directly to the server.

In ASA 9.1.2, this doesn't work. The ASA wants to use the default route which tells it that the outgoing interface should be 'outside'. I had to do nat (inside,outside) . But the problem with this is that now, the ASA is NATing it, sending it to the next hop on the outside who sends it back to the ASA. The ASA delivers it and it appears to work.  

In my ASA 9.1.4 box, it also doesn't work. Also, it doesn't allow hosts on the inside to access the DMZ server using its real IP address anymore.


Does anyone have any insight regarding how to get ASA 9.1.2 to work like ASA 8.4? 


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Mike Williams Thu, 03/20/2014 - 19:35
User Badges:
  • Bronze, 100 points or more

As far as I am aware, there were no major NAT changes from 8.4 to 9.x, or at least I haven't seen them in the release notes. Have you tried opening a TAC case?

When you say that it's forcing you to use nat(inside,outside), how is it forcing that? I had a similar, but bidirectional, setup on a 9.14 ASA without any issues.

What's the requirement driving the need to access the server via both it's real and mapped IP?



LA-Engineer Thu, 03/20/2014 - 21:17
User Badges:

I have not opened a case yet. I will tomorrow.


I meant the situation is forcing me to use nat(inside,outside) because nat(inside,DMZ) syntax is not working as expected.


We have another subnet behind the inside interface where the hosts are using a DNS server on the internet.  Therefore, the IP address for the server resolves to its external IP.


This Discussion