topic Re: ASA - NAT question in Network Security

ASA - NAT question

babalao — Fri, 12 Sep 2025 18:35:10 GMT

Hello ,

a doubt about Manual NAT, if I have to configure static PAT, so I allow connection into my web server on dmz from outside for example.

I would have configured this:

nat (dmz,outside) source static PRIV-IP PUB-IP service TCP443 TCP443

but In one ASA that I now have to manage, I found this:

nat (outside,dmz) source static any any destination static PUB-IP PRIV-IP service TCP443 TCP443

Both are ok? Any disadvange from one to another?

Thank you.

Re: ASA - NAT question

MHM Cisco World — Fri, 12 Sep 2025 18:40:53 GMT

NO advantage

Both same

Static NAT is bidirectional' so it work from (DMZ to outside) or from (Outside to DMZ).

I prefer using DMZ to outside' because it easy for troubleshooting.

And again you can use any of it.

MHM

Re: ASA - NAT question

MHM Cisco World — Fri, 12 Sep 2025 18:51:04 GMT

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

Check cisco recommends

MHM

Re: ASA - NAT question

balaji.bandi — Sat, 13 Sep 2025 10:47:20 GMT

nat (dmz,outside) source static PRIV-IP PUB-IP service TCP443 TCP443

this should be good enough along if you have dedicated IP with ACL policies to allow traffic.

Re: ASA - NAT question

Aref Alsouqi — Sun, 14 Sep 2025 11:27:02 GMT

Although both are ok, the first PAT rule is more common. The use case of the second PAT rule would be when you want a host on the outside to be translated to something belonging to the DMZ segment. For instance, let's say you want the traffic coming from outside host 1.1.1.1 destined to DMZ host 172.16.0.1 on port 443/tcp to appear as if it's coming from 172.16.0.20, then in that case you use the second PAT rule. We call that outside NAT. In that case the rule would look similar to this:

object network PUB-1.1.1.1
host 1.1.1.1
object network PRIV-1.1.1.1
host 172.16.0.20

nat (outside,dmz) source static PUB-1.1.1.1 PRIV-1.1.1.1 destination static PUB-IP PRIV-IP service TCP443 TCP443

In terms of pros and cons, I would say the only con I can see with the second PAT rule is that the firewall would be using more resources to evaluate something that will never be translated which is the source any any of the hosts on the outside, so there is no point to configure the rule in that way in the first place and it's better to stick with the common configuration of the first rule.