NAT and ACL Statement for DMZ access to inside

Ibrahim Jamil
Level 6

Hello Guys

I have an E-commerce server on the DMZ that needs to talk to a DB server on the inside.

E-commerce = 172.16.1.100 on DMZ
DB = 192.168.1.100 on inside

Is the below correct?

object network E-Commerce-Translated
 host 17.16.1.100

object network E-Commerce
 host 172.16.1.100
 nat (dmz,inside) static E-Commerce-Translated

access-list inside_acl permit tcp host 192.168.1.100 host 172.16.1.100 eq 81
access-group inside_acl in interface inside

thanks all


6 Replies

Florin Barhala
Level 6
I am not sure what the role of the NAT configuration you use is:
nat (dmz,inside) static E-Commerce-Translated

I believe pure FW access should be enough. So, without NAT, here's the FW config:

access-list dmz_acl permit tcp host 172.16.1.100 host 192.168.1.100 eq the_port_number_you_need
access-group dmz_acl in interface dmz


Hello Florin

Thanks for your time to answer my thread.

Please allow me to ask a couple of questions.

1) So in Cisco ASA code 9.x, NAT isn't required for access from DMZ to inside when a lower-security interface tries to access a higher-security interface?

2) When do I need such a NAT as below? I mean, when do we need to translate DMZ hosts to inside hosts:

nat (dmz,inside) static E-Commerce-Translated

thanks

Accepted Solution

1. I think you're confusing NAT with the firewall. NAT manipulates IPs, while the FW grants or denies access.
2. I would use NAT in scenarios where, for example, the DMZ machine has no default gateway. But we just diverge from your scenario.

Did you try my previous config update?
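To make the two points above concrete (NAT only rewrites addresses, the ACL on the ingress interface decides access), here is an added toy model of the ASA rules this thread turns on; it is not code from the thread or from Cisco. It evaluates the original post's inside_acl and Florin's dmz_acl against the DMZ-to-inside flow. The security levels (inside 100, dmz 50), the connected subnets, and the use of port 81 in Florin's ACL are assumptions.

```python
# Toy model of the ASA rules this thread turns on (added example, not from the
# thread). Security levels and connected subnets are assumptions; port 81 comes
# from the original post's ACL.
import ipaddress
import re

SECURITY_LEVEL = {"inside": 100, "dmz": 50}
ROUTES = {"inside": ipaddress.ip_network("192.168.1.0/24"),
          "dmz": ipaddress.ip_network("172.16.1.0/24")}
ACE_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) host (\S+) host (\S+)(?: eq (\d+))?")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

# Constructed from the thread: the original post's ACL and Florin's, with port 81.
ORIGINAL_POST = """access-list inside_acl permit tcp host 192.168.1.100 host 172.16.1.100 eq 81
access-group inside_acl in interface inside"""
FLORIN = """access-list dmz_acl permit tcp host 172.16.1.100 host 192.168.1.100 eq 81
access-group dmz_acl in interface dmz"""

def parse_config(text):
    """Collect ACEs per ACL name and which ACL is applied inbound per interface."""
    acls, groups = {}, {}
    for line in text.splitlines():
        if m := ACE_RE.fullmatch(line.strip()):
            name, action, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif m := GROUP_RE.fullmatch(line.strip()):
            groups[m.group(2)] = m.group(1)
    return acls, groups

def egress_interface(dst_ip):
    """Pick the interface whose connected subnet contains the destination."""
    for name, net in ROUTES.items():
        if ipaddress.ip_address(dst_ip) in net:
            return name
    raise ValueError(f"no route to {dst_ip}")

def is_permitted(config, ingress, src, dst, proto="tcp", dport=None):
    """Decide whether a new connection entering `ingress` is allowed through.
    NAT is never consulted: it would only rewrite addresses, not grant access."""
    acls, groups = parse_config(config)
    egress = egress_interface(dst)
    acl_name = groups.get(ingress)
    if acl_name is None:
        # No access-group on ingress: only higher-to-lower security levels pass.
        return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
    for action, p, s, d, port in acls.get(acl_name, []):
        if p == proto and s == src and d == dst and (port is None or int(port) == dport):
            return action == "permit"
    return False  # implicit deny at the end of every applied ACL
```

Note the side effect of the original post's config: applying inside_acl to the inside interface also replaces the default higher-to-lower permission there, so inside-to-DMZ traffic other than the one ACE is dropped.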

Hi,

NAT Control is out of everything. No more mandatory NAT config on ASA for a very long time now.

Thanks,
Octavian

Thanks Florin

Kindly keep your eyes on my future posts.

thanks all

I'll stick around.
I am back to ASAs after many years wandering in other vendors' territory, so: "see ya, next time".