
ASA: Security Level effect on NAT

Scott Cannon
Level 1

Hi Guys,

I have an ASA configured with 2 interfaces called DMZa and DMZb. DMZa has Security Level 20 and DMZb has security level 15.

NAT exemption is configured as follows:

nat (DMZa) 1.0.0.0 255.0.0.0

nat (DMZb) 0 0.0.0.0 0.0.0.0

Even though an ACE exists permitting access, I find that I am unable to connect to server 1.1.1.1 from DMZb (say client IP is 2.2.2.2) unless I define a static NAT rule for the server 1.1.1.1.

As soon as I put the rule static (DMZa,DMZb) 1.1.1.1 1.1.1.1 into the ASA, everything works fine.

Can someone explain this to me? Shouldn't NAT exemption be in place given the exemption rules I put in? And if so, why do I then need to create a static NAT rule to get this working?

Thanks in advance

Rgds

Scott

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee

Yes, going from low security level to higher security level, you would need either static NAT statement or NAT exemption.

NAT exemption is NAT 0 with ACL, eg: nat (DMZb) 0 access-list

Your configuration: "nat (DMZb) 0 0.0.0.0 0.0.0.0" falls under the dynamic NAT order of operation which is the least priority.

Hope that makes sense.

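For readers who want to see the difference in configuration terms, the following is an added example (not part of Jennifer's reply or Scott's posted config) written in the same pre-8.3 ASA syntax the thread uses. The ACL name DMZa-nonat and the /24 masks are assumptions; the interface names and the addresses 1.1.1.1 and 2.2.2.2 come from the thread. The first block is the form Scott had (identity NAT without an ACL, which only matches connections initiated from that interface and sits at the bottom of the NAT order of operations); the second is true NAT exemption, which like a static statement is bidirectional and so also lets the lower-security DMZb host reach the server on DMZa.

```text
! --- Form that does NOT provide a translation for DMZb -> DMZa ---
! nat 0 with a network/mask (no access-list) is identity NAT, evaluated
! only for connections initiated outbound from that interface, and it is
! the lowest-priority NAT type in the order of operations.
nat (DMZb) 0 0.0.0.0 0.0.0.0

! --- NAT exemption (nat 0 + access-list), bidirectional like static ---
! Exempt traffic between the server on DMZa and the client subnet on DMZb.
! The ACL is written from the perspective of the interface named in the
! nat command (source = DMZa side, destination = DMZb side).
access-list DMZa-nonat extended permit ip host 1.1.1.1 2.2.2.0 255.255.255.0
nat (DMZa) 0 access-list DMZa-nonat

! Equivalent alternative that Scott found to work: an identity static.
! static (DMZa,DMZb) 1.1.1.1 1.1.1.1

! The inbound ACE on DMZb is still required, because the lower-security
! interface needs an explicit permit regardless of the NAT rule; e.g.:
access-list DMZb_in extended permit tcp 2.2.2.0 255.255.255.0 host 1.1.1.1 eq 80
access-group DMZb_in in interface DMZb

! --- Verification (ASA exec mode) ---
! packet-tracer shows which NAT rule (if any) the flow matches and whether
! it is dropped at the NAT or ACL phase; show xlate confirms the entry.
! packet-tracer input DMZb tcp 2.2.2.2 12345 1.1.1.1 80
! show xlate | include 1.1.1.1
```

Only one of the two translation methods (nat exemption or the identity static) is needed; having both is harmless but the exemption is matched first. On ASA 8.3 and later the NAT syntax changed to object and twice NAT, so these exact commands apply to the 8.2-and-earlier code the thread is discussing.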

2 Replies


Thanks Jennifer, you're right on the money (I actually found this out via a URL you had provided in an earlier post of mine - thanks heaps)

Cheers

Scott
