Cisco Support Community


How to achieve PAT for one of two outside interfaces only?

Hi all,

I am looking for help in setting up address translation on an ASA (version 7.2) with the following scenario:

-- four network interfaces: inside, DMZ1, DMZ2, outside

-- inside and DMZ1 have limited number of subnets, DMZ2 has many subnets (routing via OSPF), outside is Internet (routing via static default route)

-- source addresses should be translated to a global address (PAT) for communications from inside or DMZ1 to outside (DMZ2 does not need to communicate with outside)

-- real addresses without translation (source or destination) should be used for communications between inside, DMZ1 and DMZ2

The problem I could not overcome is the "nat (inside)" configuration: the subnets in DMZ2 (and DMZ1) need to be exempted, but there are too many to make an ACL viable. Besides, this would thwart the advantage of using a routing protocol instead of static routing.

Can anybody suggest a NAT configuration that achieves the desired results?

Thanks and regards



Re: How to achieve PAT for one of two outside interfaces only?


You can try this:

access-list nonat permit ip (DMZ1 subnet ip address) (DMZ2 subnet ip address)

nat (inside) 0 access-list nonat

HTH, please rate it


Re: How to achieve PAT for one of two outside interfaces only?

Hello zulgurnain,

Thank you, basically this would work. Unfortunately, DMZ2 has a couple of hundred subnets, which also change frequently (this is why I use a routing protocol on that interface). Therefore, I am looking for a configuration where I do not need to enumerate the DMZ2 subnets in an ACL (or object group). Any suggestions?

DMZ1 has only the connected subnet, so this is no problem.
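An added example, not posted by either participant, putting the "nonat" exemption from the reply and the PAT rule from the question into one pre-8.3 (ASA 7.2) configuration. The addresses (inside 10.1.0.0/24, DMZ1 10.2.0.0/24, and a 10.128.0.0/9 aggregate assumed to cover every OSPF-learned DMZ2 subnet) are constructed placeholders; the interface names are the ones from the question. The example also leans on a behaviour of 7.x that the thread does not mention: with `nat-control` disabled (the 7.x default), dynamic NAT ID 1 only translates packets leaving through an interface that has a matching `global`, so traffic towards DMZ1 or DMZ2 passes untranslated even without an exemption entry, which is what lets the exemption ACL stay short.

```cisco
! Added example (not from the thread). All addresses are constructed.
! Interfaces: inside, DMZ1, DMZ2 (OSPF-learned subnets), outside (default route).

! 1. Default in ASA 7.x; shown explicitly so the behaviour is not left to chance.
!    With nat-control off, an interface pair with no matching nat/global rule
!    forwards traffic with real addresses.
no nat-control

! 2. PAT to the outside interface address for inside and DMZ1 (NAT ID 1).
!    No "global (DMZ1)" or "global (DMZ2)" exists, so ID 1 only applies to
!    packets leaving via outside. DMZ2 has no nat statement at all, so it is
!    never translated (the question says it does not talk to outside).
nat (inside) 1 10.1.0.0 255.255.255.0
nat (DMZ1) 1 10.2.0.0 255.255.255.0
global (outside) 1 interface

! 3. Explicit exemption (the reply's "nonat" approach) written against a single
!    summary for DMZ2 instead of a line per subnet. This only works when the
!    DMZ2 address space can be covered by one or a few aggregates (assumption).
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.128.0.0 255.128.0.0
nat (inside) 0 access-list nonat

access-list nonat-dmz1 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat-dmz1 extended permit ip 10.2.0.0 255.255.255.0 10.128.0.0 255.128.0.0
nat (DMZ1) 0 access-list nonat-dmz1

! 4. Verification after a test flow in each direction:
!    show nat            - lists the exemption and dynamic rules per interface
!    show xlate          - only inside/DMZ1 -> outside flows should create a PAT xlate;
!                          inside <-> DMZ2 flows should create none
```

Step 3 is optional under step 2's no-nat-control behaviour, but keeping it makes the intent visible in `show nat` and protects the design if someone later enables `nat-control` or adds a `global` on DMZ2. If the DMZ2 subnets cannot be summarised, dropping step 3 and relying on step 2 alone avoids enumerating them entirely.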