
ASA5505: NAT DMZ to non interface ip

I need to NAT the DMZ vlan to a non interface IP for internet access.

I was thinking of doing a static command

static (DMZ,outside) 192.168.1.1 1.2.3.4 255.255.255.255

or if I need to do a global nat?

global (DMZ) 2 <external IP>

nat (DMZ) 0 access-list NoVPN_NAT

nat (DMZ) 2 192.168.1.0 255.255.255.0


Re: ASA5505: NAT DMZ to non interface ip

Hi,

If you want to NAT a host or network to allow internet access, you can use dynamic NAT (nat/global).

The static NAT is usually to allow inbound access like when you want to make a web server publicly available.

Hope it helps.


Federico.


Re: ASA5505: NAT DMZ to non interface ip

If the outside needs to initiate traffic to a DMZ host, you need to use static NAT.

Otherwise, the following should work:

global (OUTSIDE_Interface_name) 2 <external IP>

nat (DMZ) 0 access-list NoVPN_NAT

nat (DMZ) 2 192.168.1.0 255.255.255.0
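
A way to check the nat/global pairing offline before touching a production unit, added here as an example and not part of the original thread. It assumes the pre-8.3 nat/global syntax used in the posts; the function name check_dynamic_nat, the interface name outside and the address 203.0.113.10 (standing in for <external IP>) are assumptions.

```python
import re

# Constructed sample: the question's draft, with the global on the DMZ interface.
# 203.0.113.10 is a documentation address standing in for <external IP>.
ASKER_DRAFT = """\
global (DMZ) 2 203.0.113.10
nat (DMZ) 0 access-list NoVPN_NAT
nat (DMZ) 2 192.168.1.0 255.255.255.0
"""
# Constructed sample: the same lines with the global moved to the outside interface.
ANSWER = ASKER_DRAFT.replace("global (DMZ)", "global (outside)")

NAT_RE = re.compile(r"^nat \((\S+?)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+?)\) (\d+) (.+)$")


def check_dynamic_nat(config):
    """Return findings where a nat ID and a global ID do not pair up."""
    nats = []      # (source interface, nat id, original line)
    pools = {}     # nat id -> interfaces that carry a global with that id
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), line))
        elif m := GLOBAL_RE.match(line):
            pools.setdefault(int(m.group(2)), set()).add(m.group(1))

    findings = []
    for ifc, nat_id, line in nats:
        if nat_id == 0:
            continue  # nat 0 is NAT exemption and never pairs with a global
        # The pool has to sit on a different interface than the nat source.
        if not pools.get(nat_id, set()) - {ifc}:
            findings.append(
                f"'{line}': no global {nat_id} on an interface other than {ifc}"
            )
    used_ids = {nat_id for _, nat_id, _ in nats}
    for nat_id in sorted(set(pools) - used_ids):
        findings.append(f"global {nat_id}: no nat statement uses this ID")
    return findings


if __name__ == "__main__":
    for name, cfg in (("draft", ASKER_DRAFT), ("answer", ANSWER)):
        print(name, check_dynamic_nat(cfg) or "OK")
```
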


Re: ASA5505: NAT DMZ to non interface ip

Thanks, I was pretty sure I was close, but didn't feel like testing on a production unit.