Community Member

NAT behavior in ASA 8.4 versus 9.0

I have this configuration:

int g0
  ip address
  nameif inside
  security-level 100
int g1
  ip address
  nameif outside
  security-level 0
int g2
  ip address
  nameif DMZ
  security-level 50

route outside

object network REAL

object network MAPPED

nat (inside,DMZ) source static any any destination static MAPPED REAL unidirectional

------------------ is a server in the DMZ. Its public IP address to the internet is  I want to be able to reach the server from the inside interface using its REAL and MAPPED IP addresses. Furthermore, I want to be able to reach hosts on the inside network from that server using the server's real IP address. So, I only want it NATted when the inside host is trying to communicate with the server using its public IP.

In ASA 8.4.2, I was able to use the nat statement above and got the behavior I wanted. The ASA would know that the destination interface is "DMZ", NAT the traffic, and send it directly to the server.

In ASA 9.1.2, this doesn't work. The ASA wants to use the default route which tells it that the outgoing interface should be 'outside'. I had to do nat (inside,outside) . But the problem with this is that now, the ASA is NATing it, sending it to the next hop on the outside who sends it back to the ASA. The ASA delivers it and it appears to work.  

In my ASA 9.1.4 box, it also doesn't work. Also, it doesn't allow hosts on the inside to access the DMZ server using its real IP address anymore.


Does anyone have any insight regarding how to get ASA 9.1.2 to work like ASA 8.4? 



As far as I am aware, there were no major NAT changes from 8.4 to 9.x, or at least I haven't seen them in the release notes. Have you tried opening a TAC case?

When you say that it's forcing you to use nat(inside,outside), how is it forcing that? I had a similar, but bidirectional, setup on a 9.14 ASA without any issues.

What's the requirement driving the need to access the server via both its real and mapped IP?



Community Member

I have not opened a case yet. I will tomorrow.


I meant the situation is forcing me to use nat(inside,outside) because nat(inside,DMZ) syntax is not working as expected.


We have another subnet behind the inside interface where the hosts are using a DNS server on the internet.  Therefore, the IP address for the server resolves to its external IP.
