https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318670#M417644 <HTML><HEAD></HEAD><BODY><P>NAT is necessary because you're going from a lower security level interface to a higher one. If you don't configure NAT, you will have no connections and you will receive some logs that state "no translation group found".</P><P></P></BODY></HTML> Mon, 16 Nov 2009 15:02:09 GMT Collin Clark 2009-11-16T15:02:09Z https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318667#M417639 <P>Hello,</P><P></P><P>An ASA with inside, outside, DMZ1 and DMZ2 interfaces.(only DMZ are important here) </P><P>- DMZ1 have 172.16.1.0/24 , security-level 40</P><P>- DMZ2 have 172.20.3.0/24 , security-level 75 and a web server at 172.20.3.8</P><P></P><P>If I want to let the users from DMZ1 to access the web server from DMZ2, do I need a NAT with real addresses 172.16.1.0/24 and translated addresses 172.20.3.0/24 ?</P><P>thank u!</P><P></P><P>thank u!</P> Fri, 21 Feb 2020 11:47:58 GMT https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318667#M417639 Spinu Viorel 2020-02-21T11:47:58Z https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318668#M417641 <HTML><HEAD></HEAD><BODY><P>You can NAT with the real addresses. Here's an example-</P><P></P><P>static (dmz,dmz2) 172.20.3.0 172.20.3.0 netmask 255.255.255.0</P><P></P><P>Hope that helps.</P></BODY></HTML> Mon, 16 Nov 2009 14:33:53 GMT https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318668#M417641 Collin Clark 2009-11-16T14:33:53Z https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318669#M417643 <HTML><HEAD></HEAD><BODY><P>is this absolutely necesary to NAT ?</P><P>If I don't configure NAT, I will not be able to access the web server ?</P></BODY></HTML> Mon, 16 Nov 2009 14:57:25 GMT https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318669#M417643 Spinu Viorel 2009-11-16T14:57:25Z https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318670#M417644 <HTML><HEAD></HEAD><BODY><P>NAT is necessary because you're going from a lower security level interface to a higher one. If you don't configure NAT, you will have no connections and you will receive some logs that state "no translation group found".</P><P></P></BODY></HTML> Mon, 16 Nov 2009 15:02:09 GMT https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318670#M417644 Collin Clark 2009-11-16T15:02:09Z https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318671#M417645 <HTML><HEAD></HEAD><BODY><P>The only case where you could do away with no nat is if you enable "no nat-conrtrol" and the ASA has routes to the ip addresses and the ACL on the outside interface is open.</P><P></P><P>PK</P></BODY></HTML> Mon, 16 Nov 2009 19:04:13 GMT https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318671#M417645 Panos Kampanakis 2009-11-16T19:04:13Z https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318672#M417646 <HTML><HEAD></HEAD><BODY><P>I am sorry to ask again. But it is not clear to me <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>I know that if you are going from a lower security level to a higher security level , u need an access-list that explicitly permit that traffic and not a NAT translation. So my question is: U need both an access-list and a NAT ?</P><P></P><P></P></BODY></HTML> Tue, 17 Nov 2009 09:17:48 GMT https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318672#M417646 Spinu Viorel 2009-11-17T09:17:48Z https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318673#M417647 <HTML><HEAD></HEAD><BODY><P>Yes.</P></BODY></HTML> Tue, 17 Nov 2009 14:16:21 GMT https://community.cisco.com/t5/network-security/asa-nat-rules/m-p/1318673#M417647 Collin Clark 2009-11-17T14:16:21Z