ASA9.x DMZ to Inside Question

manuscript1 (Level 1)

Hi

Just looking for some absolute clarity on ASA post 8.4 (I am on 9.x) and appreciate feedback :). This is a theoretical question but helps on a looming change I have.

I have three legs on an ASA:

Inside / outside and DMZ, security levels 100 / 0 / 50 respectively.

From outside to inside I have a static NAT so the outside internet address 80.80.x.x (made up) points to the DMZ server's real address 10.120.120.10 (works great).

From inside to DMZ I have a firewall rule that allows the inside 10.150.0.0 to ping 10.120.120.10 (works great).

The question I have is from the DMZ to the Inside.

Can I get away with just a rule that allows 10.120.120.10 to access 10.150.0.0?

The question is, do I need any NAT at all from the DMZ (level 50) to the inside (level 100)?

I seem to have a lot of already working systems on the actual running firewall from the DMZ to inside with no NAT statements as far as I can tell, but want to be sure I am not missing something.

Thanks!

Any guidance appreciated!

2 Accepted Solutions

willwetherman (Spotlight)

Hi,

No you do not need to have NAT configured to allow communication from a lower security interface to higher security interface. All you need is an access rule.

Hope this helps


anpliego (Cisco Employee)

Adding to the past reply, you will only need a NAT statement if you attempt to access the servers on DMZ from inside using the Public IP address.

NAT control, which existed on version 8.2 or below, is no longer supported on newer versions, if that is what you mean.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/no.html#wp1746857 

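Added example, not from the original post or either reply: the thread's answer written out as ASA 9.x configuration, so the DMZ-to-inside rule, the single static NAT for the published server, and a verification step can be seen together. The interface names inside/outside/dmz and their physical identifiers, the object and ACL names, the /16 mask on 10.150.0.0, the TCP/1433 inside service, the HTTPS service published to the internet and the public address 80.80.1.1 are all assumptions; the poster's real public IP is not on the page. The static NAT sits on the dmz/outside interface pair because the server lives on the DMZ.

```cisco
! Interface names and security levels as described in the question.
! Physical interface identifiers are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50

! Objects for the DMZ server's real address and the inside network.
! The /16 mask is an assumption; the post gives no mask for 10.150.0.0.
object network DMZ-SERVER
 host 10.120.120.10
object network INSIDE-NET
 subnet 10.150.0.0 255.255.0.0

! The only NAT this design needs: 8.3+ object NAT that maps the public
! address (80.80.1.1 is a placeholder) to the server's real address.
! Adding the "dns" keyword is one option if inside hosts must reach the
! server by its public DNS name: A-record replies crossing the ASA are
! rewritten to the real address, so no extra NAT rule is required.
object network DMZ-SERVER
 nat (dmz,outside) static 80.80.1.1 dns

! Outside -> DMZ: after 8.3 the ACL references the REAL address.
access-list OUTSIDE_IN extended permit tcp any object DMZ-SERVER eq https
access-group OUTSIDE_IN in interface outside

! DMZ -> inside: lower to higher security. No NAT at all; both sides use
! their real RFC 1918 addresses and an access rule is all that is needed.
! Permit only the services the server genuinely requires on the inside.
access-list DMZ_IN extended permit icmp object DMZ-SERVER object INSIDE-NET echo
access-list DMZ_IN extended permit tcp object DMZ-SERVER object INSIDE-NET eq 1433
! Caveat: once an ACL is bound inbound on dmz, the implicit permit toward
! lower-security interfaces (DMZ -> outside) is gone as well, so anything
! the server needs on the internet must be allowed explicitly. Block the
! inside network first so the broader outbound permit cannot reach it.
access-list DMZ_IN extended deny ip any object INSIDE-NET log
access-list DMZ_IN extended permit tcp object DMZ-SERVER any eq https
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! Verification: trace a DMZ -> inside flow and a flow that should be
! dropped. The output lists each phase; no NAT phase applies to this
! flow, and the ACCESS-LIST phase shows which DMZ_IN line matched.
packet-tracer input dmz tcp 10.120.120.10 40000 10.150.0.25 1433
packet-tracer input dmz tcp 10.120.120.10 40000 10.150.0.25 3389
! Confirm the only translation present is the published server.
show nat
```

The trailing deny with log is already the implicit behaviour of any applied ACL; spelling it out gives a syslog record of DMZ hosts probing the inside network, which is the event a defender wants to see from a server that is exposed to the internet.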
