07-23-2010 07:00 AM - edited 03-11-2019 11:15 AM
Hi guys,
I am working on deploying an ASA 5520 with 8.3. The issue I am having is pretty simple. What is the best way for me to allow traffic to communicate between my Inside network and my DMZ in regards to NAT.
Please keep in mind that 8.3 changes things with NAT commands.
Thanks for your help
Josh
Solved! Go to Solution.
07-23-2010 08:29 AM
By default, ASA 8.3 does not enforce nat-control (the command in 8.2 and lower that forced a nat translation to be required in order for the connection to be successful)
If you had nat-control enabled before you migrated, then you will have a nat-control equivalent configuration. You can see the configuration that it makes here.
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60212
So in theory, if your ASA is setup correctly, you shouldn't need a nat statement.
However, if you are having issues, I suggest identity nat, it's easy to configure and often solves most issues.
Below is an example where I translate 192.168.1.0 to 192.168.1.0 when it goes to the dmz
object network insideNetwork
 subnet 192.168.1.0 255.255.255.0
object network insideDmz
 subnet 192.168.1.0 255.255.255.0
 nat (inside,dmz) static insideNetwork
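The same identity NAT written out both ways the 8.3 syntax allows, plus the commands used to verify it. This is an added example, not configuration from the posters above; it reuses the thread's 192.168.1.0/24 inside network and the inside/dmz interface names, and the host addresses 10.10.10.5 and 192.168.1.5 from Josh's ping question are taken as given. The object name insideNetwork is the one from the accepted answer; insideNetwork could equally be any name.

```cisco
! --- Form 1: object NAT. The object translates to itself, so real and
!     mapped addresses are identical (identity NAT) between inside and dmz.
object network insideNetwork
 subnet 192.168.1.0 255.255.255.0
 nat (inside,dmz) static insideNetwork

! --- Form 2: twice NAT (manual NAT), equivalent for this purpose.
!     Use one form or the other, not both, to avoid overlapping rules.
nat (inside,dmz) source static insideNetwork insideNetwork

! --- Verification. 'show nat' lists the rule with its translate_hits /
!     untranslate_hits counters; packet-tracer walks a synthetic ICMP echo
!     (type 8, code 0) from the inside host to the dmz host through the
!     full policy and reports ALLOW or DROP with the phase that decided it.
show nat
packet-tracer input inside icmp 10.10.10.5 8 0 192.168.1.5

! --- Caveat: NAT (or its absence) does not replace access control. With
!     no nat-control, inside -> dmz is permitted by the interface security
!     levels (higher to lower); dmz -> inside still needs an explicit
!     access-list applied to the dmz interface. In 8.3 that ACL matches on
!     the real (untranslated) address, which for identity NAT is the same.
access-list dmz_in extended permit icmp 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 echo-reply
access-group dmz_in in interface dmz
```

Run packet-tracer before and after adding the NAT rule: if the first run already ends in ALLOW, the trace confirms what the accepted answer says, that without nat-control no translation is required and the rule is optional.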
07-23-2010 07:36 AM
Hello,
As long as you do not have any NAT requirements when you are going to DMZ,
you can use identity NAT which will enable bidirectional communication.
object network name1
 nat (inside,dmz) static name1
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1108647
Hope this helps.
Regards,
NT
07-23-2010 08:12 AM
Just noticed something....correct me if I am wrong.
Do I even need a NAT setup to ping from an inside address to a dmz address?
Example:
Host 10.10.10.5 on the inside network can ping host 192.168.1.5 on the dmz network.
Is this possible without ever setting up any type of identity nat or nat 0?
07-23-2010 08:32 AM
Thanks, that answers my question. I am not migrating so everything is working without nat-control. I was just confused that no identity nat had been setup and I was still able to communicate successfully. I believe that answers my question.
Thanks,
Josh