https://community.cisco.com/t5/network-security/basic-question-about-nat-dmz/m-p/2896188#M153583 <P>Hi,</P> <P>If I have two web servers (say 10.1.1.1:80 &amp; 10.1.1.2:81) in a DMZ, is it sufficient enough to add a static NAT or PAT only and the servers will be reachable from outside on those ports?<BR />Or do you need an outgoing dynamic nat in order for those servers to reply outbound?</P> Tue, 12 Mar 2019 07:47:36 GMT louis0001 2019-03-12T07:47:36Z https://community.cisco.com/t5/network-security/basic-question-about-nat-dmz/m-p/2896188#M153583 <P>Hi,</P> <P>If I have two web servers (say 10.1.1.1:80 &amp; 10.1.1.2:81) in a DMZ, is it sufficient enough to add a static NAT or PAT only and the servers will be reachable from outside on those ports?<BR />Or do you need an outgoing dynamic nat in order for those servers to reply outbound?</P> Tue, 12 Mar 2019 07:47:36 GMT https://community.cisco.com/t5/network-security/basic-question-about-nat-dmz/m-p/2896188#M153583 louis0001 2019-03-12T07:47:36Z https://community.cisco.com/t5/network-security/basic-question-about-nat-dmz/m-p/2896189#M153584 <P>Hi there,</P> <P></P> <P>It is sufficient to use a static NAT entry for this because the ASA is stateful and will build a connection which allows the traffic to communicate both ways. If you go from outside to inside and use the unidirectional keyword, then the traffic can only be initiated from the outside.</P> <P></P> <P>You can learn more of how to configure this scenario here: <A href="http://www.internetworkingcareer.com/firewall/configure-nat-asa-firewall/">http://www.internetworkingcareer.com/firewall/configure-nat-asa-firewall/</A></P> <P></P> <P>Regards,</P> <P></P> <P>Tim</P> Tue, 24 May 2016 20:13:10 GMT https://community.cisco.com/t5/network-security/basic-question-about-nat-dmz/m-p/2896189#M153584 Tim Y 2016-05-24T20:13:10Z