11-16-2009 12:38 AM - edited 02-21-2020 03:47 AM
Hello,
An ASA with inside, outside, DMZ1 and DMZ2 interfaces (only the DMZs are important here).
- DMZ1 has 172.16.1.0/24, security-level 40
- DMZ2 has 172.20.3.0/24, security-level 75 and a web server at 172.20.3.8
If I want to let the users from DMZ1 to access the web server from DMZ2, do I need a NAT with real addresses 172.16.1.0/24 and translated addresses 172.20.3.0/24 ?
Thank you!
11-16-2009 06:33 AM
You can NAT with the real addresses. Here's an example:
static (dmz2,dmz1) 172.20.3.0 172.20.3.0 netmask 255.255.255.0
Hope that helps.
11-16-2009 06:57 AM
Is this absolutely necessary to NAT?
If I don't configure NAT, will I not be able to access the web server?
11-16-2009 07:02 AM
NAT is necessary because you're going from a lower security level interface to a higher one. If you don't configure NAT, you will have no connections and you will receive some logs that state "no translation group found".
11-16-2009 11:04 AM
The only case where you could do away with NAT is if you enable "no nat-control" and the ASA has routes to the IP addresses and the ACL on the outside interface is open.
PK
11-17-2009 01:17 AM
I am sorry to ask again, but it is not clear to me :)
I know that if you are going from a lower security level to a higher security level, you need an access-list that explicitly permits that traffic, and not a NAT translation. So my question is: do you need both an access-list and a NAT?
11-17-2009 06:16 AM
Yes.
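Putting the two pieces of the answer together as an added example (not configuration posted in the thread): pre-8.3 ASA syntax, with the interface names dmz1 (security-level 40) and dmz2 (security-level 75) assumed, and the ACL name DMZ1_IN and test host 172.16.1.10 constructed for illustration.

```text
! Added example, not from the thread. Assumed interface names: dmz1, dmz2.
!
! 1. Identity static so DMZ2 hosts keep their real addresses when reached
!    from DMZ1. With nat-control on, this is what lets the lower -> higher
!    flow find a translation instead of logging "no translation group found".
static (dmz2,dmz1) 172.20.3.0 172.20.3.0 netmask 255.255.255.0
!
! 2. ACL on the lower-security interface, scoped to the one service needed.
!    Everything else from DMZ1 hits the implicit deny once the ACL is applied,
!    so permits for other legitimate DMZ1 flows (e.g. to outside) belong here too.
access-list DMZ1_IN extended permit tcp 172.16.1.0 255.255.255.0 host 172.20.3.8 eq www
access-group DMZ1_IN in interface dmz1
!
! 3. Check: packet-tracer walks a constructed DMZ1 -> web server flow through
!    the ACL and NAT phases and reports ALLOW or the phase that dropped it.
packet-tracer input dmz1 tcp 172.16.1.10 12345 172.20.3.8 80
```

If packet-tracer drops the flow in the NAT phase, the static is missing or its interface order is reversed; a drop in the ACCESS-LIST phase points at the access-list or access-group.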