My question has two parts. The first part is that in the first example document, the DMZ IP is 192.168.1.0/24, but when they use NAT they use static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255. The IP is 192.168.2.0; it is 192.168.2.20, not 192.168.1.20, a different subnet.
The second question I have is: is it best practice to use the real IP when you want to configure communication from inside to the DMZ? Is using NAT more secure than the real IP?
"Here the IP given is 192.168.2.20. Why is it 192.168.2.20, not 192.168.1.20? Is that a mistake?"
Most likely it is a typo. Having said that, as long as routing is configured correctly, 192.168.2.20 could also be used.
"What is the reason for using the real IP? Is it just easier? Does this give less security than using PAT?"
The command (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 is basically providing space for 254 static NATs in one single instruction, which otherwise would have to be entered one by one. In some scenarios you require access to the REAL IP address from the DMZ segment towards the internal one, and so in that situation you would use this type of instruction. Of course you can control that access by applying appropriate ACL entries to the DMZ interface.
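To make the two points above concrete, here is an added example (not code from the thread or from Cisco) that expands an ASA 8.2-style `static (real_if,mapped_if) mapped real netmask mask` line into the 1:1 host mappings it creates, counts how many hosts a /24 line covers, and flags when the mapped address (192.168.2.20) lies outside the mapped interface's own subnet (192.168.1.0/24), which is exactly the case where a route is needed for it to work. The command syntax and both sample lines are taken from the thread; the function names are my own.

```python
import ipaddress

# Assumed syntax, as used in the thread:
#   static (real_if,mapped_if) mapped_addr real_addr netmask mask


def parse_static(line):
    """Return (real_if, mapped_if, mapped_net, real_net) for one 'static' line."""
    tok = line.split()
    if len(tok) != 6 or tok[0] != "static" or tok[4] != "netmask":
        raise ValueError(f"unsupported static syntax: {line!r}")
    real_if, mapped_if = tok[1].strip("()").split(",")
    mapped_net = ipaddress.IPv4Network(f"{tok[2]}/{tok[5]}", strict=False)
    real_net = ipaddress.IPv4Network(f"{tok[3]}/{tok[5]}", strict=False)
    return real_if, mapped_if, mapped_net, real_net


def host_count(net):
    """Hosts covered by one static line (network/broadcast excluded below /31)."""
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def translate(line, real_host):
    """Mapped address a real host gets under this static, or None if not covered.
    Static NAT is 1:1 (no PAT): mapped network + host bits of the real address."""
    _, _, mapped_net, real_net = parse_static(line)
    real_ip = ipaddress.IPv4Address(real_host)
    if real_ip not in real_net:
        return None
    offset = int(real_ip) - int(real_net.network_address)
    return str(mapped_net.network_address + offset)


def mapped_inside_subnet(line, mapped_if_subnet):
    """True if every mapped address sits in the mapped interface's own subnet.
    If False, hosts on that interface need a route for the mapped range."""
    _, _, mapped_net, _ = parse_static(line)
    return mapped_net.subnet_of(ipaddress.IPv4Network(mapped_if_subnet))


if __name__ == "__main__":
    one_host = "static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255"
    whole_net = "static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0"
    print(translate(one_host, "172.20.1.5"),
          mapped_inside_subnet(one_host, "192.168.1.0/24"))
    print(host_count(parse_static(whole_net)[3]), translate(whole_net, "10.1.1.37"))
```

The second line is an identity static (mapped == real), so every inside host keeps its real address on the DMZ side; reachability is then governed only by the ACL on the DMZ interface.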