Nat-C not happening from DMZ to Inside

Navneet Narang · ‎04-15-2014

I was trying to perform NAT-C on ASA 8.2. The setup was pretty simple. I had an Inside (Security-Level 100) interface, DMZ (Security-Level 50) and an Outside Interface (Security-Level 0).

I wanted to perform Nat from DMZ hosts to Inside hosts. When I used "nat" & "global" commands, it didn't work (all required ACLs were in place).

Is it something like NAT-C wont happen for lower security level to higher security level if we use nat & global statements (I know, static statement works in this case but I want to know about nat & global)

Poonam Garg · ‎04-16-2014

NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address. NAT-C will not work when traffic coming from lower security level going towards higher security level.

Navneet Narang · ‎04-16-2014

Thanks, is there any particular reason for "NAT-C will not work when traffic coming from lower security level going towards higher security level." or this is the way its developed ?

And can you please refer to any such link/article/book where this statement resides ?

Poonam Garg · ‎04-16-2014

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_control.html

"Please rate helpful posts"