New Member

DMZ NAT question

I am configuring a new ASA with a DMZ for my web server. I need to have certain websites able to pass traffic to SQL servers on the inside interface and people from the inside able to hit websites on the web server, but I want to make sure that the IPs of the traffic being passed between the DMZ and the Inside are their actual IPs (not NAT'd). Do I need to create a 'no-nat' access list statement for this and place it in a NAT statement for the DMZ? Would the following work?

Inside is 192.168.200.0/21

DMZ is 192.168.0.0/24

access-list nonat permit ip 192.168.200.0 255.255.248.0 192.168.0.0 255.255.255.0

nat (dmz) 0 access-list nonat

nat (dmz) 10 0.0.0.0 0.0.0.0

global (outside) 10 interface

5 REPLIES
New Member

Re: DMZ NAT question

Hi,

I believe the access-list should be the other way around:

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0

This will allow traffic from the DMZ to be exempted from the NAT translation when their destination is the inside.

To achieve two way traffic between DMZ and inside do:

access-list nonat1 permit ip 192.168.200.0 255.255.248.0 192.168.0.0 255.255.255.0

access-list nonat2 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0

nat (dmz) 0 access-list nonat1

nat (dmz) 0 access-list nonat2

and it should also have

global (dmz) 10 interface

HTH and please rate if it does.

Regards,

Paulo

Green

Re: DMZ NAT question

I don't think you can have 2 nat exempt statements for the same interface.

Another way of doing this is simply...

static (inside,dmz) 192.168.200.0 192.168.200.0 255.255.255.0

New Member

Re: DMZ NAT question

My bad...damn copy+paste :)

What I meant was:

nat (inside) 0 access-list nonat1

nat (dmz) 0 access-list nonat2

Also, you can have two nat exempt statements that do not conflict (and that make sense) applied on the same interface. I have it in one of my configurations and working ok.

Regards,

Paulo

New Member

Re: DMZ NAT question

By acomiskey:

"Another way of doing this is simply...

static (inside,dmz) 192.168.200.0 192.168.200.0 255.255.255.0"

If I have this static statement in my config then I don't need to worry about bypassing NAT?

Green

Re: DMZ NAT question

Yes. That's all you need.
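A small Python model of the two approaches discussed in this thread, added here as an example and not taken from any post or from Cisco: it parses the pre-8.3 nat 0 access-list and identity static lines quoted above, reports whether a given flow keeps its real addresses (in this model the exemption ACL's source must be the network behind the interface named in the nat statement, which is the direction point raised above), and lists which part of the 192.168.200.0/21 inside range a /24 identity static leaves untranslated. The parser and the matching rules are a simplified, assumed model of ASA behaviour, not the ASA's own order of operations.

```python
import ipaddress

def parse(config):
    """Constructed mini-parser for the pre-8.3 ASA lines used in this thread (a model, not the ASA)."""
    acls, rules = {}, []
    for p in (l.split() for l in config.splitlines() if l.strip()):
        if p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            nets = ipaddress.ip_network(f"{p[4]}/{p[5]}"), ipaddress.ip_network(f"{p[6]}/{p[7]}")
            acls.setdefault(p[1], []).append(nets)
        elif p[0] == "nat" and p[2] == "0" and p[3] == "access-list":   # NAT exemption
            rules.append(("exempt", p[1].strip("()"), p[4]))
        elif p[0] == "static" and p[2] == p[3]:                          # identity static only
            real_if, mapped_if = p[1].strip("()").split(",")
            rules.append(("identity", real_if, mapped_if, ipaddress.ip_network(f"{p[3]}/{p[4]}")))
    return acls, rules

def untranslated(config, ingress, src, dst):
    """True if a packet entering `ingress` keeps both real addresses under this model."""
    acls, rules = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        # exemption ACL source must be the network behind the interface named in nat (..) 0
        if r[0] == "exempt" and r[1] == ingress and any(s in a and d in b for a, b in acls.get(r[2], [])):
            return True
        if r[0] == "identity" and ((ingress == r[1] and s in r[3]) or (ingress == r[2] and d in r[3])):
            return True
    return False

def uncovered(config, inside_net):
    """Pieces of inside_net that no identity static covers (they would still be NATed to the DMZ)."""
    left = [ipaddress.ip_network(inside_net)]
    for r in (r for r in parse(config)[1] if r[0] == "identity"):
        nxt = []
        for n in left:
            if n.subnet_of(r[3]):
                continue                                   # fully covered
            nxt += list(n.address_exclude(r[3])) if r[3].subnet_of(n) else [n]
        left = nxt
    return sorted(str(n) for n in left)

# Constructed from the statements quoted in the thread: inside 192.168.200.0/21, DMZ 192.168.0.0/24
ORIGINAL = """access-list nonat permit ip 192.168.200.0 255.255.248.0 192.168.0.0 255.255.255.0
nat (dmz) 0 access-list nonat"""
CORRECTED = """access-list nonat1 permit ip 192.168.200.0 255.255.248.0 192.168.0.0 255.255.255.0
access-list nonat2 permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
nat (inside) 0 access-list nonat1
nat (dmz) 0 access-list nonat2"""
STATIC = "static (inside,dmz) 192.168.200.0 192.168.200.0 255.255.255.0"
```

Call untranslated(ORIGINAL, "dmz", "192.168.0.10", "192.168.200.5") to see the backwards ACL fail to match, and uncovered(STATIC, "192.168.200.0/21") to list the inside ranges the /24 static misses.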
