11-18-2010 04:42 PM - edited 03-11-2019 12:11 PM
Hi Guys,
I have an ASA configured with 2 interfaces called DMZa and DMZb. DMZa has Security Level 20 and DMZb has security level 15.
NAT exemption is configured as follows:
nat (DMZa) 1.0.0.0 255.0.0.0
nat (DMZb) 0 0.0.0.0 0.0.0.0
Even though an ACE exists permitting access, I find that I am unable to connect to server 1.1.1.1 from DMZb (say the client IP is 2.2.2.2) unless I define a static NAT rule for the server 1.1.1.1.
As soon as I put the rule static (DMZa,DMZb) 1.1.1.1 1.1.1.1 into the ASA, everything works fine.
Can someone explain this to me? Shouldn't NAT exemption be in place given the exemption rules I put in? And if so, why do I then need to create a static NAT rule to get this working?
Thanks in advance
Rgds
Scott
11-18-2010 04:49 PM
Yes, going from low security level to higher security level, you would need either static NAT statement or NAT exemption.
NAT exemption is NAT 0 with an ACL, e.g.: nat (DMZb) 0 access-list
Your configuration: "nat (DMZb) 0 0.0.0.0 0.0.0.0" falls under the dynamic NAT order of operation which is the least priority.
Hope that makes sense.
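A worked config, added here and not part of the thread, that puts the identity NAT line from the question beside the nat 0 access-list exemption the answer recommends, followed by a packet-tracer check to confirm which NAT phase a DMZb-to-DMZa flow actually matches. Interface names and addresses come from the question; the ACL name DMZB_NAT_EXEMPT and the client source port are assumed, and the syntax is the pre-8.3 form used in this thread (8.3 and later use a different NAT model).

```cisco
! Added example (not from the thread). Pre-8.3 ASA NAT syntax.
!
! What the question has on DMZb: identity NAT with no ACL. This is
! evaluated with the regular dynamic NAT rules, the lowest step in the
! NAT order of operation, so it does not behave like NAT exemption.
nat (DMZb) 0 0.0.0.0 0.0.0.0
!
! What the answer recommends: nat 0 with an access-list (NAT exemption,
! the first step in the NAT order of operation). The ACL lists the real
! source on DMZb and the real destination on DMZa that must stay
! untranslated. ACL name is assumed.
access-list DMZB_NAT_EXEMPT extended permit ip host 2.2.2.2 1.0.0.0 255.0.0.0
nat (DMZb) 0 access-list DMZB_NAT_EXEMPT
!
! Check before reaching for a static: trace the client-to-server flow
! (source port 40000 is assumed) and read the NAT phase and the final
! ALLOW/DROP line in the output.
packet-tracer input DMZb tcp 2.2.2.2 40000 1.1.1.1 80
!
! Confirm the rule set and any translations the ASA has built.
show running-config nat
show xlate
```

The exemption rule wins over the identity NAT line when both are present, so the original nat 0 0.0.0.0 0.0.0.0 can stay or go; packet-tracer will show the exemption being matched either way.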
11-22-2010 12:58 AM
Thanks Jennifer, you're right on the money (I actually found this out via a URL you had provided in an earlier post of mine - thanks heaps).
Cheers
Scott