05-06-2010 07:05 PM - edited 03-11-2019 10:42 AM
Hi Guys,
I have an ASA 5510 running OS image 7.0 (6). I am trying to understand how NAT/PAT works on these boxes.
I have a subnet, 10.0.0.0/24, that accesses a DMZ (e.g. subnet 2.0.0.0/24). When accessing this DMZ I do not want any translation to occur. How do I configure this in the ASA?
I notice a line similar to the following already in place:
static (inside, DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
My question is, doesn't this just PAT everything to 10.0.0.0?
Thanks
Rgds
Scott
05-06-2010 07:19 PM
The following line:
static (inside, DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
basically means that no translation will occur for the whole 10.0.0.0/24 network. It's 1:1 NAT to itself, which essentially is no translation as the local and translated subnet in the above static statement is the same.
The inside network can access the DMZ network, and vice versa, without any translation. For the DMZ network to access the inside network, if the DMZ interface security level is lower than that of the inside interface, you would need to configure an access-list to allow/permit the traffic to be initiated from the DMZ network.
Hope that helps.
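The mapping described in the answer above, as an added example that is not part of the original thread: a small Python audit helper that parses a pre-8.3 network `static` statement and shows that each real host keeps its own offset in the mapped subnet, so an identity static translates every address to itself rather than PATing to one address. The function names and the second (192.168.50.0) rule are constructed for illustration; port-redirect forms of `static` are not handled.

```python
import ipaddress
import re

# Pre-8.3 syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
# Note the order: the mapped (translated) address comes first, the real address second.
STATIC_RE = re.compile(
    r"^static\s*\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)\s*$"
)

def parse_static(line):
    """Parse one network/host static statement into interfaces and subnets."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a plain network static statement: {line!r}")
    real_if, mapped_if, mapped, real, mask = m.groups()
    return {
        "real_if": real_if,
        "mapped_if": mapped_if,
        # strict parsing rejects an address with host bits set for the given mask
        "mapped": ipaddress.ip_network(f"{mapped}/{mask}"),
        "real": ipaddress.ip_network(f"{real}/{mask}"),
    }

def is_identity(rule):
    """True when the real and mapped subnets are the same (no translation)."""
    return rule["real"] == rule["mapped"]

def translate(rule, real_ip):
    """Return the address a real host appears as on mapped_if, or None if unmatched."""
    ip = ipaddress.ip_address(real_ip)
    if ip not in rule["real"]:
        return None
    # 1:1 mapping: the host keeps its offset within the subnet
    offset = int(ip) - int(rule["real"].network_address)
    return str(rule["mapped"].network_address + offset)

if __name__ == "__main__":
    lines = [
        "static (inside, DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.255.0",     # from the thread
        "static (inside,DMZ) 192.168.50.0 10.0.0.0 netmask 255.255.255.0",  # constructed
    ]
    for line in lines:
        rule = parse_static(line)
        kind = "identity (no translation)" if is_identity(rule) else "translating"
        print(f"{kind}: 10.0.0.57 -> {translate(rule, '10.0.0.57')}")
```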
05-06-2010 10:24 PM
Thanks so much