Why is it that even though I have nat 0 implemented on a high-security interface and a low-security interface (e.g. inside and dmz), I still need to have static statements to allow traffic to flow from dmz to inside?
NAT 0 serves only outbound traffic (high to low security interface). If you want your host(s) within the DMZ to start sessions to inside host(s), then you need to use the static/access-list/access-group commands to do so.
Why is it like that? Because it is a firewall that must manage multiple needs; for example, you may want to permit inside users to access the DMZ's servers but not let those servers access inside networks, for security reasons.
As mentioned in the earlier post, the "nat 0 acl" option will turn off the NAT engine on the PIX for the traffic defined in the ACL, whether the connection is initiated from inside to dmz or dmz to inside. In that case, you will not need a static. But with "nat 0 network", you only turn off the NAT engine on the PIX for the network from inside to dmz. In that case, you need a static for dmz-to-inside traffic.
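The two variants described in the answers above, side by side, as an added example (not configuration posted by anyone in this thread). It assumes the classic PIX 6.x / pre-8.3 ASA command syntax that the thread is discussing, and the interface names, ACL names and addresses (10.1.1.0/24 on inside, 192.168.2.0/24 on dmz, the host addresses) are constructed for illustration. In both variants the dmz interface still needs an inbound access-list, because traffic from a lower-security interface to a higher-security one is denied by default; the ACL is written to permit only the one flow that is actually needed.

```cisco
! ---- Variant A: nat 0 with an access-list (identity NAT in both directions) ----
! Traffic matching NONAT is exempt from translation whether the session
! starts on inside or on dmz, so no static (inside,dmz) entry is required.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ---- Variant B: nat 0 with a network (exemption for inside-initiated traffic only) ----
! This only exempts sessions that start on inside. For a dmz host to reach an
! inside host, the inside network must also be made visible on dmz with a static.
nat (inside) 0 10.1.1.0 255.255.255.0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! ---- Required in either variant: explicitly permit the dmz-to-inside flow ----
! dmz is the lower-security interface, so inbound traffic towards inside is
! dropped unless an ACL allows it. Permit only the one constructed flow
! (dmz web server 192.168.2.10 to inside database 10.1.1.20 on TCP/1433)
! and leave everything else to the implicit deny at the end of the list.
access-list DMZ_IN permit tcp host 192.168.2.10 host 10.1.1.20 eq 1433
access-group DMZ_IN in interface dmz
```

Pick one of the two nat 0 forms, not both. The difference to keep in mind when reviewing a config is that variant A removes the need for the static, not the need for the access-list; if a dmz host can reach inside without an ACL permitting it, the problem is an overly broad access-group, not the NAT exemption.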