Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Static NAT on ASA query

Hi,

Given the below setting:

static (dmz,outside) 33.33.33.1 10.0.0.1 netmask 255.255.255.255

If a packet comes from the inside to destination 33.33.33.1, how will the inspection and traffic flow go?

I am thinking that the firewall, upon receipt of the packet from an inside host, will forward the packet to the outside interface.  Upon reaching the outside interface, since there is no ACL applied on the outside that will allow inside IP addresses to enter the DMZ zone, the packet get dropped.

Is the above analysis correct?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Static NAT on ASA query

Hello,

Sure, There will be no problem.

Try it out and let us know.

Thanks !

Mike
3 REPLIES
Cisco Employee

Re: Static NAT on ASA query

Hello,

Mike here I hope you are doing great. Not exactly, You will be able to access that resource only if you run DNS doctoring, Otherwise what you will be doing will be a hairping on the outside interface which is not allowed on the firewall. My suggestion for you if you want to access this host that is on the DMZ with the mapped IP, you can configure something like this

static (dmz,inside) 33.33.33.1 10.0.0.1 netmask 255.255.255.255

That way you will be able to access that resource with the Mapped IP instead of using the private. Here is a document for reference.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Hope it helps.

Mike

Mike
New Member

Re: Static NAT on ASA query

Hi Maykol,

Thanks for the reply.

If i have both configurations running on the firewall, will it work?

static (dmz,outside) 33.33.33.1 10.0.0.1 netmask 255.255.255.255

static (dmz,inside) 33.33.33.1 10.0.0.1 netmask 255.255.255.255

Thanks again.

Cisco Employee

Re: Static NAT on ASA query

Hello,

Sure, There will be no problem.

Try it out and let us know.

Thanks !

Mike
257
Views
0
Helpful
3
Replies
CreatePlease to create content