ASA 8.3 Inside to DMZ communication

Joshua Engels
Level 1

Hi guys,

I am working on deploying an ASA 5520 with 8.3. The issue I am having is pretty simple: what is the best way for me to allow traffic between my Inside network and my DMZ with regard to NAT?

Please keep in mind that 8.3 changes things with NAT commands.

Thanks for your help

Josh


4 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

As long as you do not have any NAT requirements when you are going to DMZ,

you can use identity NAT which will enable bidirectional communication.

object network name1
  subnet <real-subnet> <mask>
  nat (inside,dmz) static name1

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1108647

Hope this helps.

Regards,

NT

Just noticed something... correct me if I am wrong.

Do I even need a NAT setup to ping from an inside address to a dmz address?

Example:

Host 10.10.10.5 on the inside network can ping host 192.168.1.5 on the dmz network.

Is this possible without ever setting up any type of identity nat or nat 0?

Accepted Solution

By default, ASA 8.3 does not enforce nat-control (the command in 8.2 and lower that forced a NAT translation to be required in order for the connection to be successful).

If you had nat-control enabled before you migrated, then you will have a nat-control equivalent configuration. You can see the configuration that it makes here.

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60212

So in theory, if your ASA is set up correctly, you shouldn't need a nat statement.

However, if you are having issues, I suggest identity NAT; it's easy to configure and often solves most issues.

Below is an example where I translate 192.168.1.0 to 192.168.1.0 when it goes to the dmz

object network insideNetwork
  subnet 192.168.1.0 255.255.255.0

object network insideDmz
  subnet 192.168.1.0 255.255.255.0
  ! identity NAT: the real object and the mapped object cover the same subnet
  nat (inside,dmz) static insideNetwork
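The two replies above (Nagaraja's and the accepted one) both describe identity NAT between inside and the DMZ. The following is an added example, not configuration posted in this thread, that puts the identity NAT rule in context: the ACL the DMZ still needs in order to reach anything on the inside (identity NAT on its own does not open the lower-to-higher security-level direction), ICMP inspection so that the inside-to-DMZ pings from Josh's question get their replies back through that ACL, and the commands used to verify which NAT rule and ACL entry a flow actually hits. The addressing (inside 10.10.10.0/24, DMZ host 192.168.1.5) is taken from the ping example in the thread; the interface names, object names, the inside syslog server 10.10.10.20 and the ACL name are assumptions for illustration.

```cisco
! Added example (not from the thread). ASA 8.3 identity NAT inside <-> dmz.
! Assumed: inside = 10.10.10.0/24 on Gi0/1, dmz = 192.168.1.0/24 on Gi0/2,
! an inside syslog server at 10.10.10.20 that one DMZ host is allowed to reach.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! Identity NAT: 10.10.10.0/24 keeps its real addresses toward the dmz.
! A static rule is bidirectional, so DMZ hosts can also address inside hosts
! by their real IPs; whether they are allowed to is decided by the ACL below.
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0
 nat (inside,dmz) static INSIDE-NET
!
object network DMZ-WEB
 host 192.168.1.5
!
! In 8.3 ACLs match the real (untranslated) addresses.
! dmz (50) -> inside (100) is denied by default; permit only what must be exposed.
access-list DMZ-IN extended permit udp object DMZ-WEB host 10.10.10.20 eq syslog
access-list DMZ-IN extended deny ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 log
access-group DMZ-IN in interface dmz
!
! Without ICMP inspection the echo-reply from a DMZ host is a new inbound packet
! on dmz and is dropped by DMZ-IN; with it, the reply is matched to the inside ping.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification (exec mode): trace a flow in each direction and list the NAT table.
! The inside -> dmz ping should be allowed and show the identity NAT rule;
! the dmz -> inside syslog flow should be allowed by DMZ-IN;
! any other dmz -> inside flow should be dropped by the explicit deny.
packet-tracer input inside icmp 10.10.10.5 8 0 192.168.1.5
packet-tracer input dmz udp 192.168.1.5 1234 10.10.10.20 514
packet-tracer input dmz tcp 192.168.1.5 1234 10.10.10.5 445
show nat detail
show xlate
```

The thread's own example uses two objects with the same subnet; as the block shows, a single object can be both the real and the mapped object of its own static rule, which is all identity NAT needs. If `packet-tracer` reports the flow dropped at the NAT or ACL phase, `show nat detail` with its per-rule hit counters tells you whether the identity rule is being consulted at all, before you add further NAT statements.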

Thanks, that answers my question. I am not migrating, so everything is working without nat-control. I was just confused that no identity NAT had been set up and I was still able to communicate successfully. I believe that answers my question.

Thanks,
Josh
