https://community.cisco.com/t5/network-security/asa-nat-configuration/m-p/4388473#M1080080 <P>Ok so this is one of those where I had to put it on paper to understand it myself.&nbsp; I think I've figured this out (Duh!!).&nbsp; Packet comes into ASA, ASA performs a route lookup, and then forwards it out the DMZ interface.&nbsp; No NAT needed.&nbsp; NAT (dynamic PAT) is needed between inside and outside so the internal hosts can use the single IP address of the OUTSIDE interface!&nbsp;&nbsp;</P><P>Yeah!!!....its one of those days and I'm only on my second cup of coffee.&nbsp;</P><P>&nbsp;</P> Fri, 16 Apr 2021 15:34:30 GMT Ricky Sandhu 2021-04-16T15:34:30Z https://community.cisco.com/t5/network-security/asa-nat-configuration/m-p/4388467#M1080079 <P>Hi all,&nbsp; I have an ASA 5525x with PC-A on the INSIDE network with IP address 10.20.32.40.&nbsp; PC-B is in DMZ with an IP address of 10.20.30.10.&nbsp; The security level for INSIDE is 100 and DMZ is 50. I have rules to allow PC-A to communicate with PC-B over TCP3389. I don't have any NAT configurations specified (at the moment) for translating packets from INSIDE to DMZ. When I run Wireshark capture on PC-B, I can see the IP address of PC-A communicating with it.&nbsp; My question, how is this possible when I don't have NAT configured between the two networks. My understanding of the way ASAs work, you must have NAT configured between two separate networks in order for the traffic to flow, for example from Inside to Outside.</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="asa.jpg" style="width: 678px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/118262i2377E6B82243809E/image-size/large?v=v2&amp;px=999" role="button" title="asa.jpg" alt="asa.jpg" /></span></P> Fri, 16 Apr 2021 15:30:06 GMT https://community.cisco.com/t5/network-security/asa-nat-configuration/m-p/4388467#M1080079 Ricky Sandhu 2021-04-16T15:30:06Z https://community.cisco.com/t5/network-security/asa-nat-configuration/m-p/4388473#M1080080 <P>Ok so this is one of those where I had to put it on paper to understand it myself.&nbsp; I think I've figured this out (Duh!!).&nbsp; Packet comes into ASA, ASA performs a route lookup, and then forwards it out the DMZ interface.&nbsp; No NAT needed.&nbsp; NAT (dynamic PAT) is needed between inside and outside so the internal hosts can use the single IP address of the OUTSIDE interface!&nbsp;&nbsp;</P><P>Yeah!!!....its one of those days and I'm only on my second cup of coffee.&nbsp;</P><P>&nbsp;</P> Fri, 16 Apr 2021 15:34:30 GMT https://community.cisco.com/t5/network-security/asa-nat-configuration/m-p/4388473#M1080080 Ricky Sandhu 2021-04-16T15:34:30Z https://community.cisco.com/t5/network-security/asa-nat-configuration/m-p/4388476#M1080081 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/149208">@Ricky Sandhu</a>&nbsp;</P> <P>You don't need NAT, without a matching nat rule, traffic would be routed.</P> <P>You'd normally need nat for outbound internet access, translating the private IP address to the public (routeable) IP address.</P> <P>&nbsp;</P> <P>HTH</P> Fri, 16 Apr 2021 15:36:52 GMT https://community.cisco.com/t5/network-security/asa-nat-configuration/m-p/4388476#M1080081 Rob Ingram 2021-04-16T15:36:52Z https://community.cisco.com/t5/network-security/asa-nat-configuration/m-p/4388487#M1080082 <P>Thank you for confirming.&nbsp;</P><P>Cheers!</P> Fri, 16 Apr 2021 15:46:40 GMT https://community.cisco.com/t5/network-security/asa-nat-configuration/m-p/4388487#M1080082 Ricky Sandhu 2021-04-16T15:46:40Z https://community.cisco.com/t5/network-security/asa-nat-configuration/m-p/4388490#M1080083 In order to have access from lower security level ( DMZ 50 ) to higher<BR />security level ( INSIDE 100 ) you should configure ACL rule and allow TCP<BR />338 source PC B to destination PC A. NAT has nothing to do in this<BR />scenario. the rules you have configure form INSIDE to DMZ are no longer<BR />needed since ASA is stateful firewall and keep the connection table for all<BR />traffic coming from Higher security level and allow the return traffic<BR />then.<BR /> Fri, 16 Apr 2021 15:48:08 GMT https://community.cisco.com/t5/network-security/asa-nat-configuration/m-p/4388490#M1080083 Mike_83 2021-04-16T15:48:08Z