I have an ASA with an inside, outside and dmz interface. I had a situation the other day where I needed to troubleshoot why a host off the dmz could not communicate with a host off the inside interface. I have a nat-exemption on the dmz interface that permits the dmz host to talk to the inside host without NAT, via the following:
Note, I have an interface based access list on the dmz interface that allows the above communication as well.
I was under the impression that the nat-exempt statement above would allow the traffic, however, the firewall logs showed "no translation group found" when the dmz host 172.16.1.1 tried to communicate with the inside host 192.168.200.1. I was confused as to why it was doing this, but out of curiosity, I added the following to the inside interface:
Once I had that NAT exemption in place, communication started working. I am confused as to why it was necessary to put the no-NAT on the inside interface. All the communication between the DMZ and inside was initiated from the DMZ, and I would have thought the DMZ no-NAT would have been enough. Why is a no-NAT for the return traffic necessary? What am I not understanding here?
The NAT exemption statement should be configured on the higher-security-level interface. In your case, I assume inside has a higher security level than dmz, therefore you would need to configure the NAT exemption on the inside interface, and the NAT exemption is bidirectional.
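The inside-interface NAT exemption the answer describes, written out as an added example (not the poster's actual configuration). It assumes pre-8.3 ASA syntax (`nat 0 access-list`, which matches the "no translation group found" message and the "nat-exemption" terminology), the ACL name INSIDE_NONAT, and the two hosts from the question; `packet-tracer` is included as the check a practitioner would run to confirm the NAT phase no longer drops the DMZ-initiated flow.

```cisco
! Identity (no-NAT) traffic between the inside host and the DMZ host.
! Source is written from the inside interface's point of view; because
! nat 0 access-list is matched in both directions, DMZ-initiated flows
! to 192.168.200.1 are exempted as well.
access-list INSIDE_NONAT extended permit ip host 192.168.200.1 host 172.16.1.1
nat (inside) 0 access-list INSIDE_NONAT
!
! Check: trace a DMZ-initiated TCP flow and confirm the NAT phase
! reports the exemption instead of "no translation group found".
! (12345 and 80 are assumed sample ports.)
packet-tracer input dmz tcp 172.16.1.1 12345 192.168.200.1 80
```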