ASA Interface to Interface

Skawilly1
Level 1

I have an ASA 5512 with 9.2 as its image.

I am wondering, even from just interface to interface, are these NAT'd?

I have my Inside interface LAN of 172.16.0.0/16 on port 1, Security Level of 100, and my DMZ interface LAN 10.10.10.0/24 on port 2, Security Level of 50. Is port 1 NAT'd to and from port 2?

EDIT: If they are indeed NAT'd to each other, what is the way around this? Which troubleshooting/diagnostics tool could I use to see this?

3 Replies

Ajay Saini
Level 7

Hello,

Do you wish to know if NAT is configured for access between the inside and dmz interfaces?

If yes, then you can run some commands to see what NAT is being used for communication. FYI, since 8.3 onwards, the NAT-control feature has been removed, which means that hosts behind any 2 interfaces can communicate with each other even without NAT, provided access rules are configured properly.

show run nat

The packet-tracer command is one feature that shows the whole process flow the ASA follows when handling a packet, including NAT:

https://community.cisco.com/t5/security-documents/troubleshooting-access-problems-using-packet-tracer/ta-p/3114976

Hope it answered your query.

-

HTH

AJ

gbekmezi-DD
Level 5
Also, security levels only matter if you don’t have an access-list assigned to the interface.

mkazam001
Level 3

To add to this: sh nat would show the order of NAT rules, and you could ping from LAN to DMZ and do sh xlate on the ASA to see if the source address is translated.

hope that helps

azam
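The configuration and the check sequence that the two answers above describe, written out as an added example (this is not configuration from any poster in the thread or from Cisco's documentation). It assumes the inside interface is GigabitEthernet0/1 and the DMZ interface is GigabitEthernet0/2 on a 9.x ASA; the interface addresses are taken from the question, while the host addresses, the ACL name DMZ_IN and the port numbers in the tests are made up for the example.

```cisco
! Added example: interface and access-rule setup for inside <-> dmz with no NAT.
! Assumption: inside = GigabitEthernet0/1, dmz = GigabitEthernet0/2 (ASA 9.x).
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.0.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! No "nat" statement references (inside,dmz), so post-8.3 code forwards traffic
! between the two interfaces untranslated; only the access rules decide.
!
! inside (100) -> dmz (50) is permitted by security level while no ACL is bound to inside.
! dmz (50) -> inside (100) needs an explicit ACL: permit only what DMZ hosts require,
! log and drop everything else aimed at the inside network, let the rest go out.
! (Host 172.16.1.20 and port 1433 are made-up values for the example.)
access-list DMZ_IN extended permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.20 eq 1433
access-list DMZ_IN extended deny ip any 172.16.0.0 255.255.0.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! --- Diagnostics, in the order the answers suggest ---
! 1. List the NAT rules and their evaluation order; look for any rule whose
!    interface pair is (inside,dmz) or uses "any" as the mapped interface.
show running-config nat
show nat
! 2. Simulate an inside host reaching a DMZ web server. The NAT and ACCESS-LIST
!    phases of the output show whether a translation or rule applies; the last
!    lines give the final allow/drop action and the reason.
packet-tracer input inside tcp 172.16.1.10 40000 10.10.10.5 80
! 3. Simulate the reverse direction from the DMZ; this should match DMZ_IN.
packet-tracer input dmz tcp 10.10.10.5 40000 172.16.1.20 1433
! 4. After sending real traffic (e.g. a ping from 172.16.1.10 to 10.10.10.5),
!    check for translations and the connection entry.
show xlate
show conn address 172.16.1.10
```

If show xlate does show a translation for the inside host although no rule names the dmz interface, the usual cause is a dynamic rule written with "any" as the mapped interface (for example nat (inside,any) ... ), which also matches dmz-bound traffic; scoping that rule to the interface it is meant for (inside,outside) stops the unintended translation.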
