Basic question about NAT & DMZ

louis0001
Level 3

Hi,

If I have two web servers (say 10.1.1.1:80 & 10.1.1.2:81) in a DMZ, is it sufficient enough to add a static NAT or PAT only and the servers will be reachable from outside on those ports?
Or do you need an outgoing dynamic NAT in order for those servers to reply outbound?

Accepted Solutions

Tim Y
Level 1

Hi there,

It is sufficient to use a static NAT entry for this because the ASA is stateful and will build a connection which allows the traffic to communicate both ways. If you go from outside to inside and use the unidirectional keyword, then the traffic can only be initiated from the outside.

You can learn more of how to configure this scenario here: http://www.internetworkingcareer.com/firewall/configure-nat-asa-firewall/

Regards,

Tim
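
The scenario from this thread as a configuration sketch, added here as an example and not taken from the original posts or the linked article. It assumes ASA 8.3 or later object NAT syntax, interface names `dmz` and `outside` with `outside` at the lower security level, a constructed public address 203.0.113.10, and a hypothetical ACL name `OUTSIDE_IN`; the access rule is included because the static PAT entries only translate addresses, while permitting outside-initiated connections is the job of the access list.

```cisco
! Constructed example: static PAT for the two DMZ web servers in the question.
! 203.0.113.10 is a placeholder public address (documentation range).
object network WEB1
 host 10.1.1.1
 nat (dmz,outside) static 203.0.113.10 service tcp 80 80
!
object network WEB2
 host 10.1.1.2
 nat (dmz,outside) static 203.0.113.10 service tcp 81 81
!
! Permit only the two published ports. On 8.3+ the ACL references the
! real (untranslated) server addresses, not the mapped address.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.1 eq 80
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.2 eq 81
access-group OUTSIDE_IN in interface outside
!
! No outbound dynamic NAT rule is defined for the servers. Replies to
! connections opened from the outside match the existing connection entry
! and are translated back by the same static rule.
!
! Checks after applying (198.51.100.5 is a constructed client address):
!   show xlate
!   show conn address 10.1.1.1
!   packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 80
```

With only these rules in place, the servers can answer inbound connections but have no translation for arbitrary new outbound sessions on other ports, which keeps the DMZ hosts' outbound reach limited to what is explicitly configured.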
