Cisco Support Community
New Member

ASA: Security Level effect on NAT

Hi Guys,

I have an ASA configured with 2 interfaces called DMZa and DMZb. DMZa has Security Level 20 and DMZb has security level 15.

NAT exemption is configured as follows:

nat (DMZa) 1.0.0.0 255.0.0.0

nat (DMZb) 0 0.0.0.0 0.0.0.0

Even though an ACE exists permitting access, I find that I am unable to connect to server 1.1.1.1 from DMZb (say the client IP is 2.2.2.2) unless I define a static NAT rule for the server 1.1.1.1.

As soon as I put the rule static (DMZa,DMZb) 1.1.1.1 1.1.1.1 into the ASA everything works fine.

Can someone explain this to me? Shouldn't NAT exemption be in place given the exemption rules I put in? And if so, why do I then need to create a static NAT rule to get this working?

Thanks in advance

Rgds

Scott

1 ACCEPTED SOLUTION
Cisco Employee

Re: ASA: Security Level effect on NAT

Yes, going from low security level to higher security level, you would need either static NAT statement or NAT exemption.

NAT exemption is NAT 0 with ACL, eg: nat (DMZb) 0 access-list

Your configuration: "nat (DMZb) 0 0.0.0.0 0.0.0.0" falls under the dynamic NAT order of operation which is the least priority.

Hope that makes sense.
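To make the order-of-operations point concrete, here is an added example that is not from this thread or from Cisco: a small Python model of the pre-8.3 ASA NAT priority (NAT exemption, then static, then dynamic/identity) applied to the flow in the question, client 2.2.2.2 on DMZb to server 1.1.1.1 on DMZa. It parses the posted nat lines (the DMZa line in the question is missing its NAT ID, so 0 is assumed), then the same config with the static added, and finally with a proper "nat 0 access-list" exemption instead. The ACL name DMZa_nat0 and the 2.0.0.0/8 client network are constructed for the example; the model assumes nat-control is disabled (the default) and does not cover policy dynamic NAT.

```python
"""Added example (not from the thread): a small model of the pre-8.3 ASA NAT
order of operations, used to check whether a host on a lower-security
interface can initiate a connection to a host on a higher-security one."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# NAT order of operations on ASA 7.x/8.0-8.2, highest priority first.
# Policy dynamic NAT sits between STATIC and DYNAMIC but is not modelled here.
EXEMPTION, STATIC, DYNAMIC = range(3)


@dataclass
class Rule:
    kind: int
    real_if: str                       # interface the real (untranslated) hosts live on
    real: ipaddress.IPv4Network        # real addresses the rule covers
    mapped_if: Optional[str] = None    # static: interface where the mapped address is seen
    mapped: Optional[ipaddress.IPv4Address] = None
    acl: Optional[str] = None          # exemption: name of the nat 0 access-list


def parse_config(text):
    """Parse the nat / static / access-list forms used in this thread.

    Returns (rules, acls) where acls maps an ACL name to (src, dst) networks.
    Unrecognised lines are ignored.
    """
    rules, acls = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            src = ipaddress.IPv4Network(f"{m[2]}/{m[3]}")
            dst = ipaddress.IPv4Network(f"{m[4]}/{m[5]}")
            acls.setdefault(m[1], []).append((src, dst))
            continue
        m = re.fullmatch(r"nat \((\S+)\) 0 access-list (\S+)", line)  # NAT exemption
        if m:
            rules.append(Rule(EXEMPTION, m[1], ipaddress.IPv4Network("0.0.0.0/0"), acl=m[2]))
            continue
        m = re.fullmatch(r"static \((\S+),(\S+)\) (\S+) (\S+)", line)  # host static: mapped, then real
        if m:
            rules.append(Rule(STATIC, m[1], ipaddress.IPv4Network(f"{m[4]}/32"),
                              mapped_if=m[2], mapped=ipaddress.IPv4Address(m[3])))
            continue
        m = re.fullmatch(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line)  # nat 0 (identity) or nat <id> (dynamic)
        if m:
            rules.append(Rule(DYNAMIC, m[1], ipaddress.IPv4Network(f"{m[3]}/{m[4]}")))
    return rules, acls


def can_initiate_low_to_high(rules, acls, low_if, low_ip, high_if, high_ip):
    """Can low_ip (on low_if) open a connection to high_ip (on high_if)?

    Rules are consulted in order-of-operations priority. NAT exemption and
    static NAT are bidirectional, so either lets the low-security host start
    the flow. A regular dynamic or identity (nat 0) rule only builds an xlate
    when the real host initiates, so a low-side connection is dropped with
    "No translation group found" (%ASA-3-305005). With no rule for the host
    at all, traffic passes untranslated because nat-control is off (default).
    """
    low_ip, high_ip = ipaddress.IPv4Address(low_ip), ipaddress.IPv4Address(high_ip)
    for kind in (EXEMPTION, STATIC, DYNAMIC):
        for r in rules:
            if r.kind != kind or r.real_if != high_if:
                continue
            if kind == EXEMPTION:
                # nat 0 ACL entries are written from the real side: permit ip <real> <remote>
                if any(high_ip in src and low_ip in dst for src, dst in acls.get(r.acl, [])):
                    return True, "NAT exemption"
            elif kind == STATIC:
                if r.mapped_if == low_if and high_ip == r.mapped:
                    return True, "static NAT"
            elif high_ip in r.real:
                return False, "dynamic/identity NAT is unidirectional: no translation group found"
    return True, "no NAT rule covers the host; passes untranslated (nat-control disabled)"


# Constructed configs. The question's DMZa line lacks its NAT ID; 0 is assumed here.
POSTED = """
nat (DMZa) 0 1.0.0.0 255.0.0.0
nat (DMZb) 0 0.0.0.0 0.0.0.0
"""
WITH_STATIC = POSTED + "static (DMZa,DMZb) 1.1.1.1 1.1.1.1\n"
WITH_EXEMPTION = POSTED + """
access-list DMZa_nat0 extended permit ip 1.0.0.0 255.0.0.0 2.0.0.0 255.0.0.0
nat (DMZa) 0 access-list DMZa_nat0
"""


def check(config):
    """Evaluate the thread's flow: client 2.2.2.2 on DMZb to server 1.1.1.1 on DMZa."""
    rules, acls = parse_config(config)
    return can_initiate_low_to_high(rules, acls, "DMZb", "2.2.2.2", "DMZa", "1.1.1.1")


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("with static", WITH_STATIC), ("with exemption", WITH_EXEMPTION)):
        print(f"{name:15}: {check(cfg)}")
```

Running it shows the posted config failing on the DMZa identity rule, and both the static and the "nat 0 access-list" exemption succeeding. Note that in the exemption case the unidirectional nat (DMZa) 0 1.0.0.0 255.0.0.0 line is still present but never reached, because exemption is evaluated first; that is the priority the reply above is describing.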

2 REPLIES

New Member

Re: ASA: Security Level effect on NAT

Thanks Jennifer, you're right on the money (I actually found this out via a URL you had provided in an earlier post of mine - thanks heaps)

Cheers

Scott
