Cisco Support Community
New Member

Reasons to NAT Inside to DMZ (or DMZ to Inside) ?

I have been looking into this and I can only really find answers on how to technically achieve this, rather than whether it is necessary (or best practice).

Assuming (for example)

Inside /16

DMZ /24

Is there a reason why an inside host should reference a DMZ host by a fixed 172 address NATed to the actual 192 address ?

Or, why a DMZ host should reference an inside host by a fixed 192 address NATed to the actual 172 address ?

Is there a reason why the /24 should not be routable from inside hosts and that the "NAT" should not actually mask the addresses ?

Again, I am more interested in what the objective should be, rather than the NAT rule/exception commands. What are the reasons for/against, what is common practice ?

Any help would be appreciated.

Cisco Employee

Re: Reasons to NAT Inside to DMZ (or DMZ to Inside) ?

It is not necessary or required by any means.

Sometimes people prefer to have their network segmented in the sense that they only have a default gateway to browse the internet and everything else is local to them. In that case the DMZ host will look like an inside host to an inside host, but again not necessarily.

Some other times there are multiple hops when you go from the ASA DMZ to the inside host. So when the DMZ host is going to the inside, routing might not be set up in a way that reaches the ASA before going to the inside. So translating the inside host to a DMZ IP address that there is a route to will be a quick and easy way to keep things working.

Another scenario could be having the email server on the DMZ and your inside DNS server giving out its IP address as an inside one. Then that server needs to be translated.

By no means necessary. DMZ to inside and inside to DMZ do not need to be translated as long as you don't need them to be for some reason and routing is set up properly.
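To make the three situations in this answer concrete, here is an ASA 8.3+ configuration fragment added as an example; it is not from the thread or from Cisco documentation. The addressing (172.16.0.0/16 inside, 192.168.1.0/24 DMZ, the individual host addresses) and the object names are constructed to match the /16 and /24 in the question; the ASA keywords themselves (object NAT, twice NAT with after-auto, access-group, packet-tracer) are standard.

```text
! Added example, not from the thread. ASA 8.3+ object/twice NAT syntax.
! Assumed addressing (constructed): inside 172.16.0.0/16, DMZ 192.168.1.0/24.
!
! --- Case 1: no translation between inside and DMZ (the default) ---
! On 8.3+, inside<->dmz traffic that matches no NAT rule is forwarded
! untranslated, so correct routing on both sides is all that is needed.
! An explicit identity rule only documents that intent and shields the
! pair from a broader dynamic rule. It is placed after-auto (section 3)
! so it does not take precedence over the object NAT rules in cases 2-3.
object network INSIDE-NET
 subnet 172.16.0.0 255.255.0.0
object network DMZ-NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,dmz) after-auto source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
!
! --- Case 2: DMZ hosts cannot route back through the ASA to inside ---
! Present one inside application server to the DMZ as a DMZ address that
! the DMZ routers already have a route for.
object network INSIDE-APP
 host 172.16.10.10
 nat (inside,dmz) static 192.168.1.200
!
! --- Case 3: mail server on the DMZ, inside DNS hands out an inside address ---
! Inside clients connect to 172.16.5.25; the ASA rewrites the destination
! to the real DMZ host. (The inside DNS server keeps serving 172.16.5.25.)
object network DMZ-MAIL
 host 192.168.1.25
 nat (dmz,inside) static 172.16.5.25
!
! dmz is a lower security level than inside, so dmz->inside sessions still
! need an ACL. On 8.3+ ACLs are written with the real (untranslated) addresses.
access-list DMZ-IN extended permit tcp object DMZ-MAIL object INSIDE-APP eq 443
access-group DMZ-IN in interface dmz
!
! Checks: see which rule fires and what the translated addresses are.
show nat detail
packet-tracer input dmz tcp 192.168.1.25 1025 192.168.1.200 443
packet-tracer input inside tcp 172.16.20.5 1025 172.16.5.25 25
```

The two packet-tracer lines are the quickest way to confirm the point of the answer: with only routing in place (case 1) the NAT phase reports no translation, whereas in cases 2 and 3 it shows the mapped address being swapped for the real one before the ACL and route lookup.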


New Member

Re: Reasons to NAT Inside to DMZ (or DMZ to Inside) ?

Working for an MSS, most of our clients that implement this do not route anything but DMZ traffic on the DMZ. Additionally, if there is more than one point of presence on the DMZ, using non-DMZ addresses may cause DMZ routers to send responses asynchronously via another path.