https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087513#M393839 <P>Recently upgraded to an Asa 5512x from a pix 515e. I have an Ipswitch secure MoveIT server on the dmz1 interface that needs to be accessed from both the inside and outside interfaces. I have setup a static nat from the outside to the dmz1 and it works, I can also connect from the inside interface. Now I need the MoveIT server to access the DNS server and email server on the inside interface so it can send notifications. On the pix I just created a static from the inside to the dmz1 using its own IP address - static (inside,dmz1) 192.168.1.7 192.168.1.7 net mask 255.255.255.255. I would then add the access-list to allow. How would I set this up with the Asa 8.6 commands?<BR /><BR />Sent from Cisco Technical Support iPad App</P> Tue, 12 Mar 2019 00:40:00 GMT dkemptonmcs 2019-03-12T00:40:00Z https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087513#M393839 <P>Recently upgraded to an Asa 5512x from a pix 515e. I have an Ipswitch secure MoveIT server on the dmz1 interface that needs to be accessed from both the inside and outside interfaces. I have setup a static nat from the outside to the dmz1 and it works, I can also connect from the inside interface. Now I need the MoveIT server to access the DNS server and email server on the inside interface so it can send notifications. On the pix I just created a static from the inside to the dmz1 using its own IP address - static (inside,dmz1) 192.168.1.7 192.168.1.7 net mask 255.255.255.255. I would then add the access-list to allow. How would I set this up with the Asa 8.6 commands?<BR /><BR />Sent from Cisco Technical Support iPad App</P> Tue, 12 Mar 2019 00:40:00 GMT https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087513#M393839 dkemptonmcs 2019-03-12T00:40:00Z https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087514#M393840 <HTML><HEAD></HEAD><BODY><P>Hello Donald,</P><P></P><P>If you want to have identity nat you can use the following syntax:</P><P></P><P>nat (inside,dmz1) source static obj-192.168.1.7 obj-192.168.1.7 destinatination static obj-remote-net obj-remote-net</P><P></P><P>Best Regards,</P><P>Eugene</P></BODY></HTML> Fri, 21 Dec 2012 23:29:22 GMT https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087514#M393840 Eugene Korneychuk 2012-12-21T23:29:22Z https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087515#M393841 <HTML><HEAD></HEAD><BODY><P>It's a common mistake to forget adding 'route-lookup' and 'no-proxy-arp'&nbsp; to such identity NAT statements. From 8.4 you can experience strange errors if you don't use them.</P></BODY></HTML> Sat, 22 Dec 2012 14:12:48 GMT https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087515#M393841 Peter Koltl 2012-12-22T14:12:48Z https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087516#M393842 <HTML><HEAD></HEAD><BODY><P>Just to make sure, this wouldn't interfere with another static nat I have coming in from the outside to the same internal IP address of 192.168.1.7? It looks like your using twice nat correct?<BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sat, 22 Dec 2012 15:09:10 GMT https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087516#M393842 dkemptonmcs 2012-12-22T15:09:10Z https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087517#M393843 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The default operation of the new ASAs/Softwares is that you dont configure NAT if you dont need one.</P><P></P><P>So if you for example have the following interfaces</P><P></P><UL><LI>outside</LI><LI>lan1</LI><LI>lan2</LI><LI>dmz</LI></UL><P></P><P>If you want the lan1, lan2 and dmz to communicate between eachother with the actual IP addresses, you dont configure any type of NAT between them (even the ones that you used to do with the old software with the "static" commands)</P><P></P><P>Only situations where I have configured Twice NAT is when I have configured a L2L VPN or there is migrated some old 8.2 or below software Policy NAT.</P><P></P><P>So to my understanding you would probably have a new type of Static NAT for the dmz1 server towards outside</P><P></P><P><STRONG>object network DMZ-STATIC</STRONG></P><P><STRONG> host 192.168.1.7</STRONG></P><P><STRONG> nat (dmz1,outside) static x.x.x.x dns</STRONG></P><P></P><P>For the same server to communicate with other networks behind the firewall (LAN networks) you shouldnt really need any addiotional NAT configurations. Only have the access-rules permit the traffic if it already doesnt do so.</P><P></P><P>You can always post some configurations if you want someone to take a look through them.</P><P></P><P>- Jouni</P></BODY></HTML> Sat, 22 Dec 2012 17:34:44 GMT https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087517#M393843 Jouni Forss 2012-12-22T17:34:44Z https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087518#M393844 <HTML><HEAD></HEAD><BODY><P>Correct, works great. A lot easier to use the new Asa. Just need to learn the syntax. Thank you.<BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sun, 23 Dec 2012 13:47:45 GMT https://community.cisco.com/t5/network-security/static-translation-from-dmz-to-inside-on-asa-8-6/m-p/2087518#M393844 dkemptonmcs 2012-12-23T13:47:45Z