New Member

NAT/PAT Configuration on ASA

Hi Guys,

I have an ASA 5510 running OS image 7.0 (6). I am trying to understand how NAT/PAT works on these boxes.

I have a subnet, 10.0.0.0/24, that accesses a DMZ (e.g. subnet 2.0.0.0/24). When accessing this DMZ I do not want any translation to occur. How do I configure this in the ASA?

I notice a line similar to the following already in place:

static (inside, DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

My question is, doesn't this just PAT everything to 10.0.0.0?


Thanks

Rgds

Scott

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: NAT/PAT Configuration on ASA

The following line:

static (inside, DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

basically means that no translation will occur for the whole 10.0.0.0/24 network. It's 1:1 NAT to itself, which essentially is no translation, as the local and translated subnets in the above static statement are the same.

The inside network can access the DMZ network, and vice versa, without any translation. For the DMZ network to access the inside network, if the DMZ interface security level is lower than that of the inside interface, you would need to configure an access-list to allow/permit the traffic to be initiated from the DMZ network.

Hope that helps.
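A way to check static statements like the one discussed above when reviewing a configuration, added here as an example and not part of the thread. It assumes the pre-8.3 `static` syntax used by the 7.0 image mentioned in the question, where the mapped address is written first and the real address second; the function names and every sample line except the first are constructed for illustration.

```python
import ipaddress
import re

# Pre-8.3 ASA syntax (mapped address first, real address second):
#   static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
#   static (real_if,mapped_if) {tcp|udp} mapped_ip mapped_port real_ip real_port [netmask mask]
HEAD = re.compile(r"\s*static\s*\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s*(.*)$")


def _net(ip, mask):
    """Normalise address + mask to CIDR; 'interface' and unmasked entries stay as text."""
    if ip == "interface" or mask is None:
        return ip
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def classify_static(line):
    """Return interfaces, real/mapped networks and the kind of a static statement."""
    m = HEAD.match(line)
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    real_if, mapped_if, rest = m.groups()
    tok, mask = rest.split(), None
    if "netmask" in tok:
        i = tok.index("netmask")
        if i + 1 >= len(tok):
            raise ValueError("netmask keyword without a value")
        mask, tok = tok[i + 1], tok[:i]
    if tok and tok[0] in ("tcp", "udp"):
        # A protocol keyword means port redirection, i.e. static PAT.
        if len(tok) < 5:
            raise ValueError("incomplete static PAT statement")
        _, mapped_ip, mapped_port, real_ip, real_port = tok[:5]
        kind, ports = "static PAT", (mapped_port, real_port)
    else:
        if len(tok) < 2:
            raise ValueError("incomplete static NAT statement")
        mapped_ip, real_ip = tok[:2]
        mapped_net, real_net = _net(mapped_ip, mask), _net(real_ip, mask)
        # Mapped == real: 1:1 NAT to itself, so addresses are not changed.
        kind, ports = ("identity NAT" if mapped_net == real_net else "static NAT"), None
    return {"real_if": real_if, "mapped_if": mapped_if, "kind": kind,
            "mapped": _net(mapped_ip, mask), "real": _net(real_ip, mask), "ports": ports}


# Constructed sample lines; only the first one appears in the thread.
SAMPLE = [
    "static (inside, DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0",
    "static (inside,DMZ) 192.0.2.0 10.0.0.0 netmask 255.255.255.0",
    "static (inside,DMZ) tcp 192.0.2.10 8080 10.0.0.10 80 netmask 255.255.255.255",
]
```

Calling `classify_static` on each entry of `SAMPLE` reports the thread's statement as identity NAT, the second as a 1:1 translation, and the third as static PAT.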

New Member

Re: NAT/PAT Configuration on ASA

Thanks so much
