Cisco Support Community


Cisco ASA problem with NAT



I would like to accomplish the following task:


I have a DMZ zone on the ASA. It has access only to the internet, not to the inside network. This network is used for visitors.

I would like to perform NAT from the inside subnet to the DMZ and then from the DMZ to outside. Why?


We have two facilities and only one ASA as gateway. I cannot directly connect the second facility to the ASA.


So let's say I need, for example, network /24 to be NATed to the DMZ interface. And the DMZ interface has nat (DMZ,outside) source dynamic DMZ-LAN interface.


The problem I have is that the ASA cannot do NAT from the inside network to the DMZ. Inside to outside works just fine. See the config part below:


interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address


interface GigabitEthernet0/3
 nameif DMZ
 security-level 50
 ip address


nat (inside,DMZ) after-auto source dynamic WIFI_NAT ( interface
(this is the command the ASA ignores)

nat (DMZ,outside) after-auto source dynamic DMZ interface
(this command works fine; the DMZ network can access the internet)

nat (inside,outside) after-auto source dynamic ( interface
(this command works fine; the subnet can access the internet)


Access lists are all set to permit ip any any for test purposes.


Any ideas why the xlate from inside to DMZ is not working?


Thank you.




What code are you running? Why not use object NAT?


object network Inside


nat (inside,dmz) dynamic interface


So anyone coming into the DMZ from the inside will NAT to





I am running 9.1.2.


I guess object NAT is almost the same as the command "nat (inside,DMZ) source dynamic interface", isn't it?


And I tried that; it does not work :-)


It looks like the DMZ interface didn't know where to forward the traffic, so no NAT is performed. I tried to remove the default route on outside (to the internet), and then "nat (inside,outside)" was not working either.


But I can't add another route for the DMZ interface... And the DMZ should know the "default route" from the command "nat (DMZ,outside) source dynamic DMZ interface".

Thanks anyway for your suggestion.


edit: I finally managed to get the inside network translated.


nat (inside,dmz) source dynamic pat-pool PAT-POOL interface destination static ANY any
(PAT-POOL is an IP address from the DMZ subnet)

UDP PAT from inside: to dmz: flags ri idle 0:00:10 timeout 0:00:30
UDP PAT from inside: to dmz: flags ri idle 0:00:24 timeout 0:00:30
UDP PAT from inside: to dmz: flags ri idle 0:00:24 timeout 0:00:30
ICMP PAT from inside: to dmz: flags ri idle 0:00:01 timeout 0:00:30


But even with the "nat (dmz,outside) source dynamic dmz interface" command, it cannot reach the internet :-/
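Added example, not part of the thread and not the poster's configuration: an ASA 9.x configuration that gets the second facility onto the internet without trying to chain two NAT rules. The ASA applies exactly one NAT rule per flow. For a source-only dynamic rule it first does a route lookup, takes the egress interface from the routing table, and then looks for a rule whose mapped interface is that egress interface; a flow from inside that routes out via outside can therefore only match an (inside,outside) rule, and an (inside,DMZ) rule is never consulted for it. The subnet 10.20.0.0/24 for the second facility, 172.16.50.0/24 for the visitor DMZ, the next hop 10.1.1.254, and all object and ACL names are assumptions chosen for illustration.

```cisco
! Second-facility subnet is reached through the inside interface (assumed next hop)
route inside 10.20.0.0 255.255.255.0 10.1.1.254 1

! One translation per flow: PAT the second facility straight to the outside interface
object network FACILITY2-LAN
 subnet 10.20.0.0 255.255.255.0
 description Second facility, behind the inside interface (assumed range)
 nat (inside,outside) dynamic interface

! Visitor DMZ gets its own PAT to outside (assumed range)
object network DMZ-LAN
 subnet 172.16.50.0 255.255.255.0
 nat (DMZ,outside) dynamic interface

! Visitors may reach the internet only: deny the private ranges explicitly.
! The "permit ip any any" test ACLs from the thread must not stay in production,
! otherwise the lower-security DMZ can reach inside once a permit rule exists.
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list DMZ_IN extended deny ip 172.16.50.0 255.255.255.0 object-group RFC1918
access-list DMZ_IN extended permit ip 172.16.50.0 255.255.255.0 any
access-group DMZ_IN in interface DMZ

! Verification: which NAT rule and which egress interface does a flow from
! the second facility to an internet host (assumed 198.51.100.1) actually hit?
packet-tracer input inside tcp 10.20.0.10 40000 198.51.100.1 443 detailed
show nat detail
show xlate | include 10.20.0.10
```

The packet-tracer output is the check to run before changing NAT rules: its NAT phase names the rule that matched and the egress interface the ASA chose, which explains why an (inside,DMZ) rule shows zero hits in show nat detail for internet-bound traffic. When a twice-NAT rule carries a destination clause, the ASA takes the rule's mapped interface as the egress interface instead of doing a route lookup, which is why the destination static ANY any variant in the thread does produce xlates toward the DMZ, and also why those packets then leave through the DMZ interface onto the visitor segment rather than being translated a second time toward outside.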



