https://community.cisco.com/t5/network-security/asa-security-level-effect-on-nat/m-p/1546699#M606408 <HTML><HEAD></HEAD><BODY><P>Thanks Jennnifer, you're right on the money (I actually found this out via a URL you had pr</P><P>ovided in an earlier post of mine - thanks heaps)</P><P></P><P>Cheers</P><P>Scott</P></BODY></HTML> Mon, 22 Nov 2010 08:58:57 GMT Scott Cannon 2010-11-22T08:58:57Z https://community.cisco.com/t5/network-security/asa-security-level-effect-on-nat/m-p/1546697#M606400 <P>Hi Guys,</P><P></P><P>I have an ASA configured with 2 interfaces called DMZa and DMZb. DMZa has Security Level 20 and DMZb has security level 15.</P><P></P><P>NAT exemption is configured as follows:</P><P>nat (DMZa) 1.0.0.0 255.0.0.0</P><P>nat (DMZb) 0 0.0.0.0 0.0.0.0</P><P></P><P>Even though an ACE exists permitting access I find I that I am unable to connect to server 1.1.1.1 from DMZb (say client IP is 2.2.2.2) unless I define a static nat rule for the server 1.1.1.1.</P><P></P><P>As soon as I put the rule static (DMZa,DMZb) 1.1.1.1 1.1.1.1 into the ASA everything works fine</P><P></P><P>Can someone explain this to me? Shouldnt nat exmpetion be in place given the exemptions rules I put in. And if so, why do I then need to create a static nat rule to get this working?</P><P></P><P>Thanks in advance</P><P>Rgds</P><P>Scott</P> Mon, 11 Mar 2019 19:11:32 GMT https://community.cisco.com/t5/network-security/asa-security-level-effect-on-nat/m-p/1546697#M606400 Scott Cannon 2019-03-11T19:11:32Z https://community.cisco.com/t5/network-security/asa-security-level-effect-on-nat/m-p/1546698#M606403 <HTML><HEAD></HEAD><BODY><P>Yes, going from low security level to higher security level, you would need either static NAT statement or NAT exemption.</P><P></P><P>NAT exemption is NAT 0 with ACL, eg: <STRONG>nat (DMZb) 0 access-list <ACL-NAME></ACL-NAME></STRONG></P><P></P><P>Your configuration: "nat (DMZb) 0 0.0.0.0 0.0.0.0" falls under the dynamic NAT order of operation which is the least priority.</P><P></P><P>Hope that makes sense.</P></BODY></HTML> Fri, 19 Nov 2010 00:49:13 GMT https://community.cisco.com/t5/network-security/asa-security-level-effect-on-nat/m-p/1546698#M606403 Jennifer Halim 2010-11-19T00:49:13Z https://community.cisco.com/t5/network-security/asa-security-level-effect-on-nat/m-p/1546699#M606408 <HTML><HEAD></HEAD><BODY><P>Thanks Jennnifer, you're right on the money (I actually found this out via a URL you had pr</P><P>ovided in an earlier post of mine - thanks heaps)</P><P></P><P>Cheers</P><P>Scott</P></BODY></HTML> Mon, 22 Nov 2010 08:58:57 GMT https://community.cisco.com/t5/network-security/asa-security-level-effect-on-nat/m-p/1546699#M606408 Scott Cannon 2010-11-22T08:58:57Z