Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
911
Views
15
Helpful
6
Replies

NAT and ACL Statment for DMZ access to inside ,

Go to solution
Ibrahim Jamil
Level 6
Level 6

‎03-21-2018 04:34 AM - edited ‎02-21-2020 07:32 AM

Hello Guys

 

I have E-commerce server on the DMZ, needs to talk to DB server on inside

 

 

E-commerce = 172.16.1.100 on DMZ

 

DB = 192.168.1.100 on inside

 

 

is the below correct

 

object network E-Commerce

host 172.16.1.100

 

object network E-Commerce-Translated

host 17.16.1.100

 

nat (dmz,inside) static E-Commerce-Translated

 

access-list inside_acl permit tcp host 192.168.1.100 host 172.16.1.100 eq 81

 

access-group inside_acl in interface inside

 

thanks all

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Florin Barhala
Level 6
Level 6
In response to Ibrahim Jamil

‎03-22-2018 12:50 AM

1. I think you're confusing NAT for Firewall. NAT manipulates IP while FW grants or not access.
2. I would use NAT in scenarios where for example the DMZ machine has no default gateway. But we just diverge from your scenario.

Did you tried my previous config update?

View solution in original post

6 Replies 6

Go to solution
Florin Barhala
Level 6
Level 6

‎03-21-2018 06:11 AM

I am not sure what's the role of NAT configuration you use:
nat (dmz,inside) static E-Commerce-Translated

I believe pure FW access should be enough. So without NAT here's the FW config:

access-list dmz_acl permit tcp host 172.16.1.100 host 192.168.1.100 eq the_port_number_you_need
access-group dmz_acl in interface dmz


Go to solution
Ibrahim Jamil
Level 6
Level 6
In response to Florin Barhala

‎03-21-2018 10:01 AM - edited ‎03-21-2018 10:06 AM

Hello Florin

 

thanks for ur time to answer my Thread

 

pls allow me to ask couple of questions

 

1)so in cisco ASA code 9.x , NAT isn't required for access from DMZ to inside as lower security interface try to access high security interface ????

 

 

2) when do i need such below NAT , I Mean when do we need to translate DMZ hosts to inside hosts:

nat (dmz,inside) static E-Commerce-Translated

 

 

thanks

0 Helpful

Go to solution
Florin Barhala
Level 6
Level 6
In response to Ibrahim Jamil

‎03-22-2018 12:50 AM

1. I think you're confusing NAT for Firewall. NAT manipulates IP while FW grants or not access.
2. I would use NAT in scenarios where for example the DMZ machine has no default gateway. But we just diverge from your scenario.

Did you tried my previous config update?

Go to solution
Octavian Szolga
Level 4
Level 4
In response to Ibrahim Jamil

‎03-22-2018 02:06 AM

Hi,

NAT Control is out of everything. No more mandatory NAT config on ASA for a very long time now.

 

Thanks,
Octavian

Go to solution
Ibrahim Jamil
Level 6
Level 6
In response to Octavian Szolga

‎03-23-2018 03:09 AM

Thanks Florin

 

kindly keep ur eyes on my future posts

 

thanks all

0 Helpful

Go to solution
Florin Barhala
Level 6
Level 6
In response to Ibrahim Jamil

‎03-23-2018 06:38 AM

I ll stick around.
I am back to ASAs after many years wandering on others vendor territory so: "see ya, next time".
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card