ROUTE traffic between Inside interface to DMZ interface, instead of NAT

Difan Zhao
Level 5

Good day everybody!

I am just asking about a possibility. My scenario is simple: 3 interfaces (inside, outside and dmz) with security levels 100, 0 and 50, respectively. Is there a way to route the traffic from inside to dmz (without changing the source IP address after it passes through the firewall) while still allowing NAT between the inside and outside interfaces? If there is, could you please also post the necessary configuration here? Thank you!


Collin Clark
VIP Alumni

No NAT is needed from higher security interfaces to lower ones. The reason we use a NAT to outside is because we use RFC1918 addressing on the inside and it needs to be translated to a public IP.

Hi Collin thanks for quick reply! Actually my addressing on inside is 10.1.1.0/24 and on dmz is 172.30.0.0/16. As you can see they are both private addresses. All the traffic going to the outside interface will be NATed. I just want traffic between inside and dmz to be routed, not NATed. Is this possible? Thanks!

Yes, you can. No NAT is needed going from a higher security interface to lower ones (you're going from 100 to 50). If you were going from the DMZ to the inside you would need NAT, and to disable it you would NAT 0 the address spaces.

Actually, I just configured the ASA and tested, but it is not working. Here is my config:

interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.30.1.1 255.255.0.0

access-list ACL_dmz extended permit ip 10.1.1.0 255.255.255.0 172.30.0.0 255.255.0.0 log

nat (inside) 0 access-list ACL_dmz outside

access-list ACL_dmz_in extended permit ip any any

access-group ACL_dmz_in in interface dmz

I just configured it off the top of my head. There might be stupid mistakes... Please take a look. I won't have time to work on it today, but I will definitely try to fix it tomorrow. Thank you!

Config looks fine to me, except for the stray "outside" on the end of "nat (inside) 0 access-list ACL_dmz". The "outside" keyword should be added if the interface with the nat statement is on a lower security level than the interface you identify by the matching global statement.

With OS v7.x or 8.x you could just turn off NAT for the whole firewall - "no nat-control". This means NAT is used if defined, else everything is assumed to be no-NAT.

Also with v7.x you could do a packet capture on the dmz interface to see what's happening.
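
An added example, not from the thread or from Cisco: a small Python lint that parses the config posted above and flags the stray "outside" keyword using the rule stated in the accepted answer. It assumes interface blocks list nameif, security-level and ip address in that order, and it infers the exit interface from the ACL's destination subnet; both are assumptions of this example, not ASA's own matching logic.

```python
import ipaddress
import re

# Constructed sample: the poster's config (sub-commands indented), stray "outside" included.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.30.1.1 255.255.0.0
access-list ACL_dmz extended permit ip 10.1.1.0 255.255.255.0 172.30.0.0 255.255.0.0 log
nat (inside) 0 access-list ACL_dmz outside
"""
# Assumption: interface blocks carry nameif, security-level and ip address in this order.
IF_RE = re.compile(r"nameif (\S+)\s+security-level (\d+)\s+ip address (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ \S+ \S+ (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)( outside)?\s*$")


def parse_interfaces(config):
    """Map nameif -> (security-level, connected subnet)."""
    return {name: (int(level), ipaddress.ip_network(f"{ip}/{mask}", strict=False))
            for name, level, ip, mask in IF_RE.findall(config)}


def lint_nat0(config):
    """Flag 'nat (X) 0 access-list ACL outside' when X is not lower-security than
    the interface owning the ACL's destination subnet (the rule from the thread)."""
    ifaces, acl_dests, warnings = parse_interfaces(config), {}, []
    stripped = [line.strip() for line in config.splitlines()]
    for m in filter(None, map(ACL_RE.match, stripped)):
        name, dip, dmask = m.groups()
        dest_net = ipaddress.ip_network(f"{dip}/{dmask}", strict=False)
        acl_dests.setdefault(name, []).append(dest_net)
    for m in filter(None, map(NAT_RE.match, stripped)):
        src_if, acl, has_outside = m.group(1), m.group(2), m.group(3) is not None
        src_level = ifaces[src_if][0]
        for dest in acl_dests.get(acl, []):
            # Assumed exit interface: the one whose connected subnet contains the ACL destination.
            for exit_if, (exit_level, net) in ifaces.items():
                if dest.subnet_of(net) and has_outside and src_level >= exit_level:
                    warnings.append(f"{m.group(0)}: drop 'outside' ({src_if}={src_level} "
                                    f"is not lower than {exit_if}={exit_level})")
    return warnings
```

Running lint_nat0 over the sample returns one warning for the nat line; with the keyword removed it returns none.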

Yup, after I removed the "outside" keyword from the NAT statement it worked... Thank you!
