Hi - I'm trying to connect to something through an ASA.
My traffic is coming in on a DMZ interface (security level 0) and going to something on a DMZ3 interface (security level 50).
From the GUI I configured NAT exemption from the source network (on DMZ) to the destination network (on DMZ3), thereby following the guideline that the translation is set up from the most secure to the least secure interface.
I have no network connectivity to the host I need to get to.
From the GUI I removed the NAT exemption rule and configured a static NAT translation instead, translating the source (on DMZ) to itself (on DMZ3) - still no joy.
The ACLs in place are fine; if I use the packet tracer tool, it fails at the NAT stage:
Config
nat (dmz) 0 0.0.0.0 0.0.0.0
nat-control
match ip dmz any dmz3 any
no translation group, implicit deny
policy_hits = 6
I can't see what's wrong here. I've configured static NAT or NAT exemption between inside and outside or inside and DMZ many times over the last 10 years but can't work this out.
The only thing I can think of is that there might be a bug that affects DMZ-to-DMZ NATing, as everything between inside and DMZ and between DMZ and outside works fine.
I found this bug -
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsi89890&from=summary
It says it's fixed in 8.0(1.37). I tried the workaround anyway, which is to configure static policy NAT, but I still had the same problem.
We are running version 8.0(3) code.
Many thanks in advance,
Dom