04-14-2014 07:13 PM - edited 03-11-2019 09:04 PM
I have a Cisco ASA 5500 running 8.4, with NAT configured from the inside interface to the DMZ as a dynamic translation to the DMZ interface address.
So, any traffic sourced from the inside, going to the DMZ, looks as if it were sourced from the DMZ interface:
object network obj-10.0.0.0
nat (inside,DMZ) dynamic interface
inside (10.0.0.0)---DMZ (172.16.0.0)
If I have a device in the DMZ that I need to send traffic back to a device on the inside, do I need a static NAT for this?
I remember seeing that in version 8.3 and later, you do not need to NAT across the interfaces.
For example, if I want a device in the DMZ to reach 10.10.10.10, do I need a NAT like the one below?
object network Server
nat (inside,DMZ) static 10.10.10.10
04-15-2014 01:24 AM
Hi, if you are saying that a device in the DMZ needs to send traffic back, I assume that the traffic originates from a device located in the inside network. If this is the case, you don't need to define a static NAT, as the ASA will still have the translation for the traffic that originated from the inside network.
Let's look at another example: if your inside hosts try to access the internet, normally you would configure just PAT on the outside interface and they will have internet access. You don't need to define a static NAT to allow traffic back to those inside hosts.
Typically, you need static NAT when you want people outside your inside network to access resources in your inside network. This is because the traffic originates from the outside/DMZ network, not from the inside.
04-15-2014 02:02 AM
When you do static object NAT, it will take precedence over your dynamic interface NAT. The server on the inside and the device in the DMZ will see each other's real IP addresses instead of the ASA DMZ interface IP address when you ping from your inside server.
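To show both replies together (stateful return traffic needs no extra NAT; a DMZ-originated connection to one inside server needs a static object NAT plus an inbound ACL), here is an added example ASA 8.4 configuration. It is not the posters' configuration: the subnet masks, the object names, the ACL name DMZ_IN, the sample DMZ host 172.16.0.10 and the HTTPS port are all assumptions chosen for illustration.

```cisco
! Added example configuration, not the posters' own. It assumes the
! inside network is 10.0.0.0/8 and the DMZ is 172.16.0.0/16 (the masks
! are assumptions; the thread only gives the network numbers), and that
! the DMZ interface is named "DMZ" with a lower security level than "inside".
!
! 1. Dynamic interface PAT for everything on the inside going to the DMZ.
!    Replies to these connections match the existing xlate and connection
!    entries, so no additional NAT rule is needed for the return traffic.
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
 nat (inside,DMZ) dynamic interface
!
! 2. Identity NAT for the one server that DMZ hosts must reach directly.
!    This is a static object NAT rule, so it is evaluated ahead of the
!    dynamic rule in NAT section 2, and the server keeps its real address
!    10.10.10.10 in both directions.
object network Server
 host 10.10.10.10
 nat (inside,DMZ) static 10.10.10.10
!
! 3. DMZ is lower security than inside, so DMZ-originated connections need
!    an explicit permit. Since 8.3 the ACL references the real (untranslated)
!    address. Keep the permit as narrow as possible; here only HTTPS from the
!    DMZ subnet to the server is allowed.
access-list DMZ_IN extended permit tcp 172.16.0.0 255.255.0.0 host 10.10.10.10 eq 443
access-list DMZ_IN extended deny ip any any
access-group DMZ_IN in interface DMZ
!
! Verification (from enable mode):
!   show nat detail
!   packet-tracer input DMZ tcp 172.16.0.10 40000 10.10.10.10 443
```

The `show nat detail` output lists the static Server rule before the dynamic obj-10.0.0.0 rule in section 2, which is the precedence the second reply describes; `packet-tracer` walks a simulated DMZ-to-server packet through the ACL and NAT phases so you can confirm the identity translation and the permit without generating live traffic. Without rule 2, a DMZ host would have no way to reach the inside server, because the only translation is a dynamic PAT that is created by inside-originated connections.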