Cisco Support Community
Community Member

ASA nat rules

Hello,

An ASA with inside, outside, DMZ1 and DMZ2 interfaces (only the DMZs are important here).

- DMZ1 has 172.16.1.0/24, security-level 40

- DMZ2 has 172.20.3.0/24, security-level 75 and a web server at 172.20.3.8

If I want to let the users from DMZ1 access the web server on DMZ2, do I need a NAT with real addresses 172.16.1.0/24 and translated addresses 172.20.3.0/24?

thank you!

6 REPLIES

Re: ASA nat rules

You can NAT with the real addresses. Here's an example-

static (dmz2,dmz1) 172.20.3.0 172.20.3.0 netmask 255.255.255.0

Hope that helps.

Community Member

Re: ASA nat rules

Is it absolutely necessary to NAT?

If I don't configure NAT, will I not be able to access the web server?

Re: ASA nat rules

NAT is necessary because you're going from a lower security level interface to a higher one. If you don't configure NAT, you will have no connections and you will receive some logs that state "no translation group found".

Cisco Employee

Re: ASA nat rules

The only case where you could do away with NAT is if you enable "no nat-control" and the ASA has routes to the IP addresses and the ACL on the outside interface is open.

PK

Community Member

Re: ASA nat rules

I am sorry to ask again, but it is not clear to me :)

I know that if you are going from a lower security level to a higher security level, you need an access-list that explicitly permits that traffic and not a NAT translation. So my question is: do you need both an access-list and a NAT?

Re: ASA nat rules

Yes.
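Putting the thread's answer together as an added example (not a configuration posted in the thread): pre-8.3 ASA syntax with nat-control on, an identity static so the DMZ2 web server keeps its real address when seen from DMZ1, and the access-list that the lower-to-higher direction still needs. It assumes the interfaces are named dmz1 and dmz2, the ASA holds 172.16.1.1 and 172.20.3.1 on them, and the web server listens on TCP 80; the physical interface names and a sample client 172.16.1.10 are also assumptions.

```cisco
! Added example, not from the thread. Assumed: nameif dmz1/dmz2, ASA addresses
! 172.16.1.1 and 172.20.3.1, Ethernet0/2 and Ethernet0/3, web server on TCP 80.
interface Ethernet0/2
 nameif dmz1
 security-level 40
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/3
 nameif dmz2
 security-level 75
 ip address 172.20.3.1 255.255.255.0
!
! With nat-control, a connection from dmz1 (40) to dmz2 (75) needs a translation
! for the higher-security host, otherwise the "no translation group found" drop occurs.
nat-control
!
! Identity static: real host 172.20.3.8 on dmz2 is reachable from dmz1 under the
! same address. Only the web server is exposed, not the whole 172.20.3.0/24.
static (dmz2,dmz1) 172.20.3.8 172.20.3.8 netmask 255.255.255.255
!
! The NAT alone does not permit anything: lower-to-higher traffic is denied by
! default, so the ACL is required as well. Explicit deny with log for visibility.
access-list DMZ1_IN extended permit tcp 172.16.1.0 255.255.255.0 host 172.20.3.8 eq www
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1
!
! Verification (assumed client 172.16.1.10): the trace should end in ALLOW and list
! both the NAT and ACCESS-LIST phases; a DROP in the NAT phase means the static is missing.
! packet-tracer input dmz1 tcp 172.16.1.10 12345 172.20.3.8 80
```

Removing either the static or the access-group line and re-running the packet-tracer shows which of the two checks is failing.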
