
NAT Exemption from DMZ to Inside

AdnanShahid
Level 1

Hi,

I have an ASA 5540 with 3 interfaces: outside, inside (172.16.1.254) and dmz (172.16.254.254). One of my DMZ servers (172.16.254.251) needs to access one of my inside servers, which has IP 172.16.1.250.

Now one way to do this is to add a static NAT (to publish the inside server to the DMZ with another DMZ IP) and allow the IP addresses in the DMZ ACL. This way the DMZ server will access the DMZ-mapped IP of the inside server and get access. Such as:


     ! Pre-8.3 ACLs match the address as it appears on the ingress interface,
     ! so the DMZ ACL must reference the mapped address 172.16.254.250,
     ! and "host" is required before a single source address.
     access-list DMZ extended permit ip host 172.16.254.251 host 172.16.254.250
     static (inside,dmz) 172.16.254.250 172.16.1.250 netmask 255.255.255.255

But this solution causes a problem in my scenario, as we have this kind of requirement for many services and we are running short of DMZ IPs.

Is there any other solution, like NAT Exemption or NAT 0, which I can implement? Can anyone help me on this? Please let me know. Thanks in advance.

BR//

Adnan

3 Replies

Hi,

You can use Identity NAT with the static command:

     ! "host" is required before a single source address.
     access-list DMZ extended permit ip host 172.16.254.251 host 172.16.1.250
     static (inside,dmz) 172.16.1.250 172.16.1.250 netmask 255.255.255.255

In this way the inside server 172.16.1.250 will be "seen" in the DMZ as itself (172.16.1.250).

You are not wasting any IPs.

Another option is to use NAT 0 with an ACL, but the above should work for you.

Hope it helps.

Federico.

Thanks a lot Federico.

I was thinking of this answer of using Identity NAT but was not sure or confident enough about it. Thanks a lot for letting me know.

However, I was searching the NetPro discussion forum for the last couple of hours and got another possible answer, NAT 0. Here is what I got:

     ! Define the ACL first; the original line had a duplicated "host" keyword.
     access-list inside-nat-exempt extended permit ip host 172.16.1.250 host 172.16.254.251
     nat (inside) 0 access-list inside-nat-exempt

I guess this will also work. Please share your opinion. I have attached the discussion too.


Anyway, I hope I will be able to do the configuration you have provided tomorrow and do the testing. Thanks a lot again.

BR//

Adnan

Yes.

Either way (identity static NAT or NAT 0 ACL) will help you.

The reason is that both methods are bidirectional.

The difference is that the NAT 0 ACL takes precedence.


Federico.
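As an added example, not taken from any reply in this thread, here is a complete pre-8.3 ASA fragment that puts the two options side by side with the interface ACL binding and the verification commands that confirm the DMZ-to-inside flow passes untranslated. Interface names and addresses are the ones from the question; the ACL names, the TCP port 443 and the source port in the packet-tracer line are assumed.

```cisco
! Added example (pre-8.3 "static" / "nat 0" syntax), not from the thread.
! Interface names and IPs are from the question; ACL names and port 443 are assumed.
!
! --- Option A: identity static NAT (first suggestion in the thread) ---
! The inside server keeps its real address when seen from the DMZ, so the
! DMZ ACL references 172.16.1.250 directly and no DMZ IP is consumed.
static (inside,dmz) 172.16.1.250 172.16.1.250 netmask 255.255.255.255
access-list DMZ extended permit tcp host 172.16.254.251 host 172.16.1.250 eq 443
access-group DMZ in interface dmz
!
! --- Option B: NAT exemption (nat 0 with an ACL) ---
! Use this instead of the static line above, not in addition to it.
! The exemption ACL is evaluated before any static or dynamic rule, which is
! why it takes precedence, and it matches in both directions.
access-list inside-nat-exempt extended permit ip host 172.16.1.250 host 172.16.254.251
nat (inside) 0 access-list inside-nat-exempt
! Exemption only skips translation; the interface ACL is still what permits
! the lower-security (dmz) host to reach the inside server.
access-list DMZ extended permit tcp host 172.16.254.251 host 172.16.1.250 eq 443
access-group DMZ in interface dmz
!
! Note: nat-control is off by default on ASA 7.0+; with it off, the identity
! entry or exemption only matters when some other nat/static rule would
! otherwise translate 172.16.1.250 toward the DMZ. Keep the ACL narrow
! (specific hosts and ports) either way.
!
! --- Verification (either option) ---
! Simulate the flow: the NAT phase should show no address change and the
! ACCESS-LIST phase should show DMZ permitting it.
packet-tracer input dmz tcp 172.16.254.251 1025 172.16.1.250 443
! Confirm the only translation for the server is an identity one (or none).
show xlate | include 172.16.1.250
```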
