
New Member

ASA 8.3 Inside to DMZ communication

Hi guys,

I am working on deploying an ASA 5520 with 8.3.  The issue I am having is pretty simple.  What is the best way for me to allow traffic to communicate between my Inside network and my DMZ in regards to NAT.

Please keep in mind that 8.3 changes things with NAT commands.

Thanks for your help

Josh


4 REPLIES
Cisco Employee

Re: ASA 8.3 Inside to DMZ communication

Hello,

As long as you do not have any NAT requirements when you are going to DMZ, you can use identity NAT which will enable bidirectional communication.

object network name1
 ! the object's own address (host or subnet line) goes here
 nat (inside,dmz) static name1

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1108647

Hope this helps.

Regards,

NT

New Member

Re: ASA 8.3 Inside to DMZ communication

Just noticed something... correct me if I am wrong.

Do I even need a NAT setup to ping from an inside address to a dmz address?

Example:

Host 10.10.10.5 on the inside network can ping host 192.168.1.5 on the dmz network.

Is this possible without ever setting up any type of identity nat or nat 0?

New Member

Re: ASA 8.3 Inside to DMZ communication

By default, ASA 8.3 does not enforce nat-control (the command in 8.2 and lower that forced a nat translation to be required in order for the connection to be successful)

If you had nat-control enabled before you migrated, then you will have a nat-control equivalent configuration. You can see the configuration that it makes here.

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60212

So in theory, if your ASA is setup correctly, you shouldn't need a nat statement.

However, if you are having issues, I suggest identity nat; it's easy to configure and often solves most issues.

Below is an example where I translate 192.168.1.0 to 192.168.1.0 when it goes to the dmz.

object network insideNetwork
  subnet 192.168.1.0 255.255.255.0

object network insideDmz
  subnet 192.168.1.0 255.255.255.0
  nat (inside,dmz) static insideNetwork
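
Worked configuration and check for the inside-to-DMZ case, added here as an example and not taken from any post in this thread: it uses Josh's hosts (10.10.10.5 on the inside, 192.168.1.5 on the dmz) and assumes /24 subnets and the object names INSIDE-NET and DMZ-NET. It goes a little beyond the answer above by showing the equivalent twice-NAT (section 1) form of the identity rule and the packet-tracer check that reveals which NAT rule and ACL a flow actually hits.

```cisco
! Added example, not from the thread. Assumed: inside = 10.10.10.0/24,
! dmz = 192.168.1.0/24, object names INSIDE-NET and DMZ-NET.
!
! 1) Object NAT identity rule (the form used in the accepted answer):
!    the inside subnet keeps its own address when it talks to the dmz.
object network DMZ-NET
 subnet 192.168.1.0 255.255.255.0
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0
 nat (inside,dmz) static INSIDE-NET
exit
!
! 2) Equivalent twice NAT (section 1) form. Use one form or the other;
!    remove the object NAT line above if you prefer this one.
!    Static identity rules are bidirectional, so dmz hosts can also reach
!    10.10.10.0/24 if the dmz interface ACL permits it.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
!
! 3) Verify. On 8.3 without nat-control the flow is allowed with no NAT
!    rule at all; what permits or drops it is the interface ACL and the
!    security levels, not NAT. packet-tracer prints the NAT rule and the
!    ACL matched in each phase and the final ALLOW/DROP verdict.
packet-tracer input inside icmp 10.10.10.5 8 0 192.168.1.5 detailed
show nat detail
show xlate
```

If packet-tracer reports DROP in an ACCESS-LIST phase, the fix is on the inside interface ACL, not in NAT; if it reports an unexpected NAT phase, compare the rule it names against show nat detail.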

New Member

Re: ASA 8.3 Inside to DMZ communication

Thanks, that answers my question.  I am not migrating so everything is working without nat-control.  I was just confused that no identity nat had been setup and I was still able to communicate successfully.  I believe that answers my question.

Thanks,
Josh
