Solved: Re: ASA5505: NAT DMZ to non interface ip

jeffreymertz · ‎01-24-2011

I need to NAT the DMZ vlan to a non interface IP for internet access.

I was thinking of doing a static command

static (DMZ,outside) 192.168.1.1 1.2.3.4 255.255.255.255

or if I need to do a global nat?

global (DMZ) 2 <external IP>

nat (DMZ) 0 access-list NoVPN_NAT

nat (DMZ) 2 192.168.1.0 255.255.255.0

Federico Coto Fajardo · ‎01-24-2011

Hi,

If you want to NAT a host or network to allow internet access, you can use dynamic NAT (nat/global)

The static NAT is usually to allow inbound access like when you want to make a web server publicly available.

Hope it helps.

Federico.

Yudong Wu · ‎01-24-2011

If the outside need to initiate traffic to dmz host, you need use the static NAT.

Otherwise, the following should work

global (OUTSIDE_Interface_name) 2

nat (DMZ) 0 access-list NoVPN_NAT

nat (DMZ) 2 192.168.1.0 255.255.255.0

Federico Coto Fajardo · ‎01-24-2011

Hi,

If you want to NAT a host or network to allow internet access, you can use dynamic NAT (nat/global)

The static NAT is usually to allow inbound access like when you want to make a web server publicly available.

Hope it helps.

Federico.

Yudong Wu · ‎01-24-2011

If the outside need to initiate traffic to dmz host, you need use the static NAT.

Otherwise, the following should work

global (OUTSIDE_Interface_name) 2

nat (DMZ) 0 access-list NoVPN_NAT

nat (DMZ) 2 192.168.1.0 255.255.255.0

jeffreymertz · ‎01-24-2011

Thanks, I was pretty sure I was close, but didn't feel like testing on a production unit.