ASA 8.4 static NAT needed from DMZ to inside

wilson_1234_2 · ‎04-14-2014

I have Cisco ASA 5500 8.4, with NAT configured from inside interface to DMZ to be dynamic translation of Interface on DMZ.

So, any traffic sourced from inside, going to DMZ, looks as if sourced from DMZ interface:

object network obj-10.0.0.0

nat (inside,DMZ) dynamic interface

inside (10.0.0.0)---DMZ (172.16.0.0)

If I have a device in the DMZ that I need to send traffic back to a device on the inside, do I need a static NAT for this?

I remember seeing that in version 8.3 and later, you do not need to NAT across the interfaces.

For example, If I want a device in DMZ to get to 10.10.10.10

Do I need a NAT like the below?

object network Server
nat (inside,DMZ) static 10.10.10.10

Rudy Sanjoko · ‎04-15-2014

Hi, if you are saying that a device in DMZ needs to send traffic back, I assume that the traffic is originated from a device located in the inside network. If this is the case, you don't need to define a static NAT as the ASA will still have the traffic translation originating from inside network.

Let's see another example, if your inside host try to have access to internet, normally you would configure just PAT on the outside interface and they will have internet access. You don't need to define a static NAT to allow traffic back to that inside host.

Typically when you need to have static NAT is when you want people outside your inside network to access resources in your inside network. This is because the traffic will be originated from outside/DMZ network, not from inside.

Poonam Garg · ‎04-15-2014

when you do static object NAT then it will take precedence over your dynamic interface NAT. Server in inside and device in DMZ will see each other real IP address instead of ASA Dmz interface IP address when you ping from yr inside server.