Cisco Support Community
New Member

confused on why NAT statement was needed

I have an ASA with an inside, outside and dmz interface. I had a situation the other day where I needed to troubleshoot why a host off the dmz could not communicate with a host off the inside interface. I have a nat-exemption on the dmz interface that permits the dmz host to talk to the inside host without NAT, via the following:

nat (dmz) 0 access-list dmz-nat-exempt
access-list dmz-nat-exempt permit ip host host

Note, I have an interface based access list on the dmz interface that allows the above communication as well.

I was under the impression that the nat-exempt statement above would allow the traffic; however, the firewall logs showed "no translation group found" when the dmz host tried to communicate with the inside host. I was confused as to why it was doing this, but out of curiosity, I added the following to the inside interface:

nat (inside) 0 access-list inside-nat-exempt
access-list inside-nat-exempt permit ip host host

Once I had that NAT-exemption in place, communication started working. I am confused as to why it was necessary to put the no NAT on the inside interface? All the communication between the DMZ and inside was initiated from the dmz, and I would have thought the DMZ no NAT would have been enough. Why is a no NAT for the return traffic necessary? What am I not understanding here?

Cisco Employee

Re: confused on why NAT statement was needed

The NAT exemption statement should be configured on the higher security level interface. In your case, I assume inside has a higher security level than dmz, therefore you would need to configure NAT exemption on the inside interface, and the NAT exemption is bidirectional.

Hope that helps.
