Hi - I'm trying to connect to something through an ASA.

My traffic is coming in on a DMZ interface (security level 0) and going to something on a DMZ3 interface (security level 50).

From the GUI I configured NAT exemption from the source network (on DMZ) to the destination network (on DMZ3) therefore following the guidelines that the translation is set up from most secure to the least secure interface

I have no network connectivity to the host I need to get to

From the GUI I removed the NAT exemption rule and configured a static NAT translation instead, translating the source (on DMZ) to itself (on DMZ3) - still no joy.

The ACLs in place are fine, if I use the packet tracer tool, it fails at the NAT stage;

Config

nat (dmz) 0 0.0.0.0 0.0.0.0

nat-control

match ip dmz any dmz3 any

no translation group, implicit deny

policy_hits = 6

I can't see what's wrong here. I've configured static NAT or NAT exemption between inside and outside or inside and DMZ many times over the last 10 years but can't work this out.

the only thing I can thing of is that there might be a bug that affects DMZ to DMZ NATing, as everything between inside to DMZ and DMZ to Outside works fine.

I found this bug -

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsi89890&from=summary

Which says it's fixed by 8.0(1.37). I tried the workaround anyway, which is to configure static policy NAT, but I still had the same problem.

We are running version 8.0(3) code

Many Thanks in advance

Dom