Re: DMZ cannot ping to inside and Inside cannot ping to DMZ?
No, configuration will not be changed, as that is just the NAT (translation) portion of the configuration.
If you would like to restrict traffic from DMZ towards inside, you would create an ACL to either permit or deny the traffic on specific ports, and apply it to the DMZ interface with the access-group command.
If you would like to restrict traffic from inside towards DMZ, then you would add an ACL to either permit or deny traffic and apply it to the inside interface.
--> that basically means translating the 10.2.2.0/24 subnet to the 10.3.3.0/24 subnet, which is not what you are trying to achieve. You cannot translate a real IP address to another real IP address. Since both 10.3.3.0/24 and 10.2.2.0/24 are real IP subnets applied to the hosts on DMZ and inside respectively, the command is incorrect.
You can translate the inside subnet to a spare unique subnet if you like, and also translate the DMZ subnet to a spare unique subnet; however, you can't translate the inside subnet to the DMZ subnet and vice versa.
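
The ACL approach described in the reply above, as an added example that is not part of the original post. It assumes the interfaces are named `inside` (10.2.2.0/24) and `dmz` (10.3.3.0/24); the ACL names, the host 10.2.2.10 and the permitted ports are constructed for illustration.

```cisco
! Assumptions: nameif "inside" = 10.2.2.0/24, nameif "dmz" = 10.3.3.0/24.
! ACL names, host 10.2.2.10 and the chosen ports are constructed examples.

! --- DMZ towards inside ---
! Allow ping requests from DMZ hosts to inside hosts.
access-list DMZ_IN extended permit icmp 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0 echo
! Allow replies to pings that inside hosts sent to the DMZ. Without ICMP
! inspection the ASA does not track ping statefully, so the reply needs
! its own permit on the interface it arrives on.
access-list DMZ_IN extended permit icmp 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0 echo-reply
! Allow HTTPS from the DMZ to one inside server only.
access-list DMZ_IN extended permit tcp 10.3.3.0 255.255.255.0 host 10.2.2.10 eq 443
! Deny and log everything else from DMZ to inside.
access-list DMZ_IN extended deny ip any 10.2.2.0 255.255.255.0 log
! Keep other DMZ traffic working; an applied ACL ends in an implicit deny.
access-list DMZ_IN extended permit ip 10.3.3.0 255.255.255.0 any
access-group DMZ_IN in interface dmz

! --- inside towards DMZ ---
! Allow ping requests and the replies to DMZ-initiated pings.
access-list INSIDE_IN extended permit icmp 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0 echo
access-list INSIDE_IN extended permit icmp 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0 echo-reply
! Allow SSH from inside to DMZ hosts.
access-list INSIDE_IN extended permit tcp 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0 eq 22
! Deny and log everything else from inside to DMZ.
access-list INSIDE_IN extended deny ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0 log
! Permit inside traffic to all other destinations.
access-list INSIDE_IN extended permit ip 10.2.2.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
```

Entries are matched top down, so the specific permits must stay above the deny lines; `show access-list DMZ_IN` shows per-entry hit counts to confirm which line a test ping matched.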