Cisco Support Community

New Member

Strange requirement of NO-NAT - NAT (0)


We have a slightly odd requirement in our ASA configuration. We are implementing Microsoft Office Communicator over the internet. The server needs to have two Ethernet cards, one with a publicly routable IP address (public static IP address) and one with a private IP address. We have placed the server in the DMZ region of the ASA, which has a security level of 50 and IP address /24. Now the second Ethernet card of the server needs to be given a static IP which obviously matches our outside interface IP address subnet (outside IP address: a.b.c.d1/24), and the server card is also given an IP in the same range, a.b.c.d2/24. We need to forward the packet received on the outside interface with destination IP a.b.c.d2 to the server without changing the destination IP address. This can be done by the static (dmz,outside) a.b.c.d2 a.b.c.d2 command.

But our problem is how the server will return this packet, as we are not able to give a default gateway to this card and are also not able to connect. How can the ASA be configured so that packets can be forwarded from outside to DMZ and also from DMZ to outside? (The server card IP address matches the outside interface subnet.)

Appreciate example on

Thanks in advance.


joe Bronze

Re: Strange requirement of NO-NAT - NAT (0)

Just curious: why does the OCS server need 2 NICs? Why can't it just use and be NATted to a public IP?

Anyway, if I understand correctly, the return traffic is breaking because the server is not directly connected to its default gateway?

my answer...


NAT the external source to an IP the server will think is LOCAL. This is usually done by PAT'ing the 4.2 billion or so odd IPv4 space to a single IP address that can be routed from the server to any IP address on its local segment... confused yet? Good, I wouldn't want to make this less fun :)

Say you do the DMZ NAT you're doing (fine).

Now do another...

access-list 101 permit ip any host

(yes, let be the public IP of the OCS server)

nat (outside) 10 access-list 101 outside

global (dmz) 10

Now on the server:

Add a secondary IP of to the NIC on the same broadcast domain as the ASA.

route add mask

Basically my solution lets the server respond to another IP where you control the response side, etc., and it's presented via source NAT of the inbound traffic.


New Member

Re: Strange requirement of NO-NAT - NAT (0)

Hi Joe,

Thanks for your feedback. I am attaching here the diagram from Microsoft. We are actually using Access Edge, Web Conferencing and A/V Edge servers to publish OCS on the internet. Here we have the servers with two Ethernet interfaces. In our case we are considering only DMZ and Outside (left-side firewall). The second Ethernet card of the server is directly connected to the inside switch. In our case the A/V server (audio/video server) needs one card with a publicly routable static IP address (in our case the same subnet as the outside interface). So how do we connect the server, as it won't find the return path? If the packet undergoes NAT traversal, the audio and video session does not get established.

What I understood from what you have suggested is the following.

Let us assume the public address is

Then I will do static


This will do the destination NAT; in our case no NAT, the destination IP address will not be changed. Now with access-list, nat and global we will do source NAT:

access-list 101 permit ip any host

(marks all packets with destination IP as ), then we do nat and global:

nat (outside) 10 access-list 101 outside

global (dmz) 10

That means the packet that hits the server will have the same destination IP address but will have source IP address as

And the server will send the return packet to with the default gateway as the DMZ interface.

(This is what I feel will take place: the destination IP will remain the same and the source IP will change to )

Please correct me if I am wrong.

Please check the document and suggest.

Thanks in advance
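The following is an added example, not code from the thread or from Cisco: a small Python model of the two translations Joe describes and the original poster restates (identity static for the destination, then PAT of the internet source into a DMZ-side address). All addresses and ports are constructed from documentation/private ranges, since the thread's real values were stripped; `run_call` drives one packet in and the server's reply out, with and without the source NAT, so the broken return path and the fixed one can be compared side by side.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses for this example (RFC 5737 / RFC 1918 ranges, not the thread's real ones):
SERVER_PUBLIC_IP = "203.0.113.2"          # the A/V edge NIC in the outside interface's /24 (a.b.c.d2)
SERVER_PUBLIC_NET = "203.0.113.0/24"      # that NIC has no default gateway, only its connected net
SERVER_SECONDARY_NET = "192.168.50.0/24"  # secondary IP added to the same NIC (Joe's first server step)
DMZ_GLOBAL_IP = "192.168.50.254"          # address configured with 'global (dmz) 10'
INTERNET_USER = ("198.51.100.7", 40000)   # a remote client; constructed address and port
SERVER_PORT = 3478                        # constructed sample service port on the edge server


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Asa:
    """Models 'static (dmz,outside) S S' plus, when source_nat is True,
    'access-list 101 permit ip any host S' / 'nat (outside) 10 access-list 101 outside'
    / 'global (dmz) 10 G'. A real ASA keeps far more state; only the translation
    lookups needed to follow the thread's argument are kept here."""

    def __init__(self, server_ip, dmz_global_ip, source_nat=True):
        self.server_ip = server_ip
        self.dmz_global_ip = dmz_global_ip
        self.source_nat = source_nat
        self.next_port = 1024
        # PAT table: (mapped_ip, mapped_port) -> (real_src_ip, real_src_port)
        self.xlate = {}

    def outside_to_dmz(self, pkt):
        """Packet arriving on outside; returns what the server receives, or None if dropped."""
        if pkt.dst_ip != self.server_ip:
            return None  # no static for this destination: the ASA has nowhere to send it
        if not self.source_nat:
            return pkt  # identity static only: neither address is rewritten
        real = (pkt.src_ip, pkt.src_port)
        for mapped, existing in self.xlate.items():
            if existing == real:  # reuse the translation for an ongoing flow
                return replace(pkt, src_ip=mapped[0], src_port=mapped[1])
        mapped = (self.dmz_global_ip, self.next_port)
        self.next_port += 1
        self.xlate[mapped] = real
        return replace(pkt, src_ip=mapped[0], src_port=mapped[1])

    def dmz_to_outside(self, pkt):
        """Server reply arriving on dmz; the destination is un-translated via the xlate table."""
        real = self.xlate.get((pkt.dst_ip, pkt.dst_port))
        if real is None:
            return None  # no matching translation: the reply is dropped
        return replace(pkt, dst_ip=real[0], dst_port=real[1])


class Server:
    """The edge server's public NIC: only directly connected networks are reachable,
    because (as the original post says) this card cannot be given a default gateway."""

    def __init__(self, *connected_nets):
        self.nets = [ipaddress.ip_network(n) for n in connected_nets]

    def can_reach(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.nets)


def run_call(source_nat):
    """Drive one inbound packet and the server's reply through the model.
    Returns (packet as seen by the server, reply as sent to the internet or None)."""
    asa = Asa(SERVER_PUBLIC_IP, DMZ_GLOBAL_IP, source_nat=source_nat)
    server = Server(SERVER_PUBLIC_NET, SERVER_SECONDARY_NET)
    inbound = Packet(INTERNET_USER[0], INTERNET_USER[1], SERVER_PUBLIC_IP, SERVER_PORT)
    seen = asa.outside_to_dmz(inbound)
    if seen is None or not server.can_reach(seen.src_ip):
        return seen, None  # the server cannot route its reply anywhere
    reply = Packet(SERVER_PUBLIC_IP, SERVER_PORT, seen.src_ip, seen.src_port)
    return seen, asa.dmz_to_outside(reply)


if __name__ == "__main__":
    for flag in (False, True):
        seen, out = run_call(flag)
        print(f"source NAT {'on ' if flag else 'off'}: server sees src {seen.src_ip}:{seen.src_port}, "
              f"reply delivered to {out.dst_ip if out else 'nowhere'}")
```

Two things the model makes visible. First, the `permit ip any host` ACL means every internet source reaches the server wearing the same DMZ-local address, so the server's own logs no longer show who connected; the ASA's translation and connection logging becomes the only record of the real peer. Second, the model rewrites IP headers only. Addresses carried inside the signalling payload are untouched, which is consistent with the later report in this thread that the remote user still learns the other party's private IP.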


New Member

Re: Strange requirement of NO-NAT - NAT (0)


We're implementing this also and it seems like we have the same issue. I'm wondering if you got yours to work. Worst case for us is to put that public NIC behind a server and ACL it instead of behind our ASA...


New Member

Re: Strange requirement of NO-NAT - NAT (0)


We are currently stuck with the same problem. We have analysed the logs using the protocol analyser. What is happening is that a user on the internet gets the private IP address of the second user and thus the voice call is not getting through. Till now I have not understood how this thing works. Microsoft documents state all the servers are behind the firewall and also should have a publicly routable address (funny, isn't it?). One answer was to connect the server directly to the outside world (that is more funny). We have registered a case with Microsoft and updates are expected by Monday (Sept 29, 2008, Indian time and date; Microsoft does not work on weekends!!). Once I have updates I will post them here, or shall I mail you at your mail address?