https://community.cisco.com/t5/network-security/nat-configuration-cleanup-help/m-p/2785194#M173348 <P>Thanks! This helped lead me to the right direction of what I needed to find.</P> Thu, 28 Jan 2016 20:54:02 GMT tbthurman 2016-01-28T20:54:02Z https://community.cisco.com/t5/network-security/nat-configuration-cleanup-help/m-p/2785192#M173346 <P>I am attempting to cleanup some of the NAT configurations on our ASA before we upgrade from 8.2.5 to 8.3+. I had a question regarding the global nat configurations.</P> <P>I understand of the purpose of most the statements below, but I don't understand the <STRONG>global (INSIDE) 10 interface.&nbsp;</STRONG> I also don't like the <STRONG>global (DMZ) 10 interface</STRONG> with the <STRONG>nat (INSIDE) 10 0.0.0.0 0.0.0.0</STRONG> command. It causes the logs on the DMZ servers to only show the DMZ interface IP instead of the actual host IP.&nbsp; Can anyone think of a reason why they would be there?</P> <P></P> <P>global (OUTSIDE) 15 <EM>external-IP1</EM></P> <P>global (OUTSIDE) 10 <EM>external-IP2</EM></P> <P>global (OUTSIDE) 20 interface</P> <P>global (INSIDE) 10 interface</P> <P>global (DMZ) 10 interface</P> <P></P> <P>nat (OUTSIDE) 0 access-list NONAT-OUTSIDE</P> <P>nat (OUTSIDE) 20 192.168.x.x 255.255.255.0</P> <P>nat (INSIDE) 0 access-l NONAT</P> <P>nat (INSIDE) 10 0.0.0.0 0.0.0.0</P> <P>nat (DMZ) 0 access-l NONAT</P> <P>nat (DMZ) 15 0.0.0.0 0.0.0.0</P> Tue, 12 Mar 2019 07:08:36 GMT https://community.cisco.com/t5/network-security/nat-configuration-cleanup-help/m-p/2785192#M173346 tbthurman 2019-03-12T07:08:36Z https://community.cisco.com/t5/network-security/nat-configuration-cleanup-help/m-p/2785193#M173347 <P>Hi,</P> <P>For Global(inside) 10 and nat(inside) 10, it looks like the U Turning has been performed where the anything coming from inside hosts get natted to the inside interface ip.</P> <P>This kind of configuration is used to prevent Asymetric routing as well where the SYN goes through ASA however SYN-ACK goes directly to client without passing through ASA. Therefore for return traffic to go through ASA, source ip is natted to Interface ip so that the reply packet first goes to the interface and then ASA performs Untranslation and sends the traffic back to actual source.</P> <P></P> <P>Regarding global (DMZ) 10 and nat (inside) 10, it could be possible that you might not want your DMZ hosts to see the actual source ip from Inside. Also you can check if 'nat-control' is enabled. If yes, then you need to have NAT configured on ASA for communication between interface. That could be also be the reason why this nat was kept.</P> <P></P> <P>Hope it helps you finding the main reason.</P> <P>Regards,</P> <P>Akshay Rastogi</P> <P>Remember to rate helpful posts.</P> Thu, 14 Jan 2016 16:45:47 GMT https://community.cisco.com/t5/network-security/nat-configuration-cleanup-help/m-p/2785193#M173347 Akshay Rastogi 2016-01-14T16:45:47Z https://community.cisco.com/t5/network-security/nat-configuration-cleanup-help/m-p/2785194#M173348 <P>Thanks! This helped lead me to the right direction of what I needed to find.</P> Thu, 28 Jan 2016 20:54:02 GMT https://community.cisco.com/t5/network-security/nat-configuration-cleanup-help/m-p/2785194#M173348 tbthurman 2016-01-28T20:54:02Z