Beginner

what xlate for low to high sec interfaces in 9.2?

I have an ASA that I recently upgraded from old code to the newer 9.2.

 

In the old code I would add the following static...

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

This would allow hosts in the dmz (with appropriate accompanying acls) to reach things on the inside network (192.168.100.0).

 

What do I need to do in 9.2 where the static is deprecated?

 

 

VIP Advisor

Re: what xlate for low to high sec interfaces in 9.2?

Hi

 

Here you're trying to NAT 192.168.100.0/24 from DMZ to 192.168.100.0/24 to inside.

I guess you wanted to do nat exemption, right?

 

To convert your exact statement, it will be:

object network OBJ-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
nat (inside,dmz) source static OBJ-192.168.100.0 OBJ-192.168.100.0

 

However, if you don't want to NAT the DMZ when communication is going to inside and vice versa, you'll need to configure it this way (let's assume your DMZ has subnet 192.168.101.0/24):

object network DMZ
 subnet 192.168.101.0 255.255.255.0
object network LAN
 subnet 192.168.100.0 255.255.255.0
nat (inside,dmz) source static LAN LAN destination static DMZ DMZ

 

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: what xlate for low to high sec interfaces in 9.2?

Thanks for the response, I believe you have answered my question but I am just not 100% clear on the difference in your two scenarios.

 

I do not plan on actually translating any addresses when inside talks to DMZ or DMZ talks to inside....

 

At the moment, I only have a need for a DMZ server to talk to a server on the inside....but in the future I might need hosts on the inside, to be able to talk to the server in the DMZ.  In any case, I do not expect any translations to occur.  So which of your two scenarios should I use?

 

Thanks,

 

VIP Advisor

Re: what xlate for low to high sec interfaces in 9.2?

This is what I thought. Use my last config:

object network DMZ
 subnet 192.168.101.0 255.255.255.0
object network LAN
 subnet 192.168.100.0 255.255.255.0
nat (inside,dmz) source static LAN LAN destination static DMZ DMZ


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
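
Added example, not part of the original thread: the accepted identity NAT rule together with the "appropriate accompanying acls" the question mentions and a way to verify both. The host addresses (192.168.101.10, 192.168.100.20), TCP port 1433 and the ACL name DMZ_IN are assumptions made up for illustration.

```cisco
! Constructed example. Host IPs, the TCP port and the ACL name are assumptions.
! --- configuration mode ---
object network LAN
 subnet 192.168.100.0 255.255.255.0
object network DMZ
 subnet 192.168.101.0 255.255.255.0
!
! Identity (twice) NAT from the accepted answer: neither side is translated.
! On 8.3 and later, traffic that matches no NAT rule is forwarded untranslated,
! so this rule matters mainly when another rule (for example dynamic PAT on
! inside) would otherwise translate the flow.
nat (inside,dmz) source static LAN LAN destination static DMZ DMZ
!
! The NAT rule permits nothing by itself. Low-to-high traffic (dmz -> inside)
! still needs an explicit permit. Limit it to the one server and port needed.
! From 8.3 on, ACLs match the real (untranslated) addresses.
access-list DMZ_IN extended permit tcp host 192.168.101.10 host 192.168.100.20 eq 1433
access-list DMZ_IN extended deny ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0 log
! If the dmz interface already has an inbound ACL, add the two entries to that
! ACL instead. Anything else the DMZ must reach needs its own permit after the
! deny line, because the ACL ends with an implicit deny.
access-group DMZ_IN in interface dmz
!
! --- privileged EXEC mode: verification ---
! Permitted flow: the trace should show the identity NAT rule and an ALLOW result.
packet-tracer input dmz tcp 192.168.101.10 40000 192.168.100.20 1433 detailed
! Same hosts, different port: the trace should end in a DROP on the access list.
packet-tracer input dmz tcp 192.168.101.10 40000 192.168.100.20 3389 detailed
! Rule order and hit counters for the NAT rule and the ACL entries.
show nat detail
show access-list DMZ_IN
```

Inside-to-DMZ connections are high-to-low and are allowed by default unless an inbound ACL on the inside interface blocks them, so the same NAT rule covers that later requirement without a DMZ-side permit.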