Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
756
Views
0
Helpful
5
Replies

ASA NAT question

dlance
Level 1
Level 1

‎02-23-2011 12:02 PM - edited ‎03-11-2019 12:55 PM

We have a somewhat standard 3 interface dmz setup

inside---dmz---outside

we nat from inside to dmz for normal access of servers on dmz (with access rules)

we have one web server on dmz we dont want to nat to reach from inside

we would like to have 1 fixed ip address on inside network that always reaches this server as one fixed ip on the dmz

we do have some static rules for other servers to access on the inside from the dmz but I cant get a static to work for this server

Labels:
0 Helpful
5 Replies 5

mirober2
Cisco Employee
Cisco Employee

‎02-23-2011 12:17 PM

Hello,

Here is the config guide for NAT exemption:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html

If you can share a copy of your sanitized running-config (specifically 'show run nat', 'show run global', 'show run static', and 'show run nat-control'), and the IP of the server you're having trouble with, we can give you a more specific solution.

-Mike

0 Helpful

dlance
Level 1
Level 1
In response to mirober2

‎02-23-2011 12:28 PM

Thanks but I dont want nat exemption

I want a fixed translation from 1 inside address to 1 dmz address

Dave

0 Helpful

Edward Dutra
Cisco Employee
Cisco Employee
In response to dlance

‎02-23-2011 04:10 PM

Hi Dave...

Can give more details of how you want the traffic flow to work. As i read your first response, it does sound like you want NAT exemption.

Do you want the inside IP Natted when going to the DMZ? What IP did you want natted and where does the source of the connection begin?

0 Helpful

dlance
Level 1
Level 1
In response to Edward Dutra

‎02-24-2011 05:16 AM

Traffic would be sourced on the inside network

And would flow to the dmz.

If inside network is 192.168.0.x

and dmz is 172.16.1.x

Traffic would source at 192.168.0.3 and flow to 172.16.1.3

0 Helpful

Edward Dutra
Cisco Employee
Cisco Employee
In response to dlance

‎02-24-2011 10:49 AM

So is there any reason the basic Static configuration wont help you here?

Static config:

static (inside,dmz) 172.16.1.3 192.168.0.3 netmask 255.255.255.255

-------------------

The above would NAT traffic from 192.168.0.3 to 172.16.1.3 when going out the DMZ interface.

Or is the traffic going to a server that has the IP 172.16.1.3? Are you natting one host or the entire inside network to the DMZ? What IP or pool of IPs did you want the inside host or host to have when going to the DMZ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card