09-16-2003 09:48 AM - edited 02-20-2020 10:59 PM
Sorry for the simple question, but I am an idiot.
My DMZ is 10.1.10.0 and the inside is 192.168.9
How do I access a mail server from the inside to the DMZ?
The DMZ mail server has a static mapped public address that works fine but I have yet to make a connection from the inside.
My ACLs allow :25 & :110 to everyone on the inside and dmz.
I am sure that this is a common question, but I did not find it recently.
09-16-2003 10:00 AM
Hi -
Try this (as an example):
static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
access-list NO_NAT permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
Where IP 192.168.2.0 is the inside network. Make sure to execute the command 'clear xlate' and save with the command 'write memory'.
Hope this helps out - Thanks, Jay
09-16-2003 11:46 AM
You don't need to do both the static and the (NAT and ACL). Use only one.
Jay,
In your static, are you sure you have the right IP? Didn't you mean 192.168.2.0 rather than 192.168.5.0?
In addition,
I'm actually trying to do the same thing, but I can't get it to work. I see the conn table, but it doesn't look right. However, I did accomplish doing a no-nat when going from the inside to the outside and using the ACL like you stated above. The only drawback here is that only ONE NAT 0 statement is allowed, so I cannot enter another one (i.e. to go from the inside to the DMZ); it will overwrite my first one.
I tried using
static (inside,dmz) 10.102.60.4 102.102.60.4 netmask 255.255.255.0
where IP 10.102.60.4 is the inside IP address of one of my inside servers.
Am I correct what I'm stating here?
09-20-2003 03:03 AM
I have a similar scenario, I am using pat(inside to outside) and would like to ssh from inside to a server in my dmz. I tried an acl {access-list dmz permit tcp 142.19.0.0 255.255.255.0 any eq ssh, access-group dmz in interface DMZ} and static mapping {static (inside,DMZ) 142.19.0.13 192.168.1.51 netmask 255.255.255.255 0 0}. I see the sessions being granted but my ssh session times out.
Does anybody have any advice?
09-17-2003 10:42 AM
You are correct. However, all I did was add the inside subnet to the DMZ access-list used by the nat 0 command (no static needed). The error I was getting was "portmap failed", so this worked.
Thanks.
09-17-2003 12:48 PM
Try this:
static (inside,dmz) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
access-list 110 permit tcp any 192.168.9.0 255.255.255.0 eq 25
access-list 110 permit tcp any 192.168.9.0 255.255.255.0 eq 110
access-group 110 in interface dmz
I would open it wide up until you had it working, and then apply a more restrictive access-list.
I think that this will work.
Mike
09-21-2003 12:52 PM
This is a very common problem. In the few months that I'm on this forum, I've seen many people having trouble understanding how nat, global and static work. In my humble opinion this is poorly documented on CCO, thus having nothing to do with being an idiot, or whatsoever :-))
Sometimes I'm still confused why some things are not working the way we think they should work, but I always discovered (at least till now) that if the Cisco documentation is followed, it always works.
You should remember the following:
1) When traffic initiates from a higher security level to a lower security level only and no translation is needed, you should only use one of the following:
nat <(interface)> 0
nat <(interface)> 0
2) When traffic initiates from a higher security level to a lower security level only and translation is needed, you should only use:
nat <(highlevelinterface)>
global <(lowlevelinterface)>
The static command is only needed in case traffic is initiated from a lower security level to a higher security level.
Be aware of one other thing: if static commands overlap with nat and global commands, you could run into unexpected behaviour like this.
Now to the point:
I think you have an overlap within your translations. Check to see if this is true, and if not, then check to see if the appropriate nat/global rules are set for traffic initiated from inside to dmz.
Hope this helps,
Leo
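An added configuration example (not posted by anyone in this thread) that applies Leo's three rules to the addresses the thread uses: inside 192.168.9.0/24, DMZ 10.1.10.0/24, PIX 6.x syntax. The DMZ mail server 10.1.10.25, its public address 203.0.113.25, the inside mail host 192.168.9.10 and the VPN peer network 192.168.50.0/24 are assumed placeholders, and lines starting with "!" are annotations rather than commands.

```cisco
! PIX 6.x, added example. Assumed security levels: inside 100, dmz 50, outside 0.
! Assumed placeholders: 10.1.10.25 (DMZ mail server), 203.0.113.25 (its public
! address), 192.168.9.10 (inside mail host), 192.168.50.0/24 (a VPN peer network).

! Rule 2: inside -> outside needs translation, so nat + global (PAT on the
! outside interface address).
nat (inside) 1 192.168.9.0 255.255.255.0
global (outside) 1 interface

! Rule 1: inside -> dmz needs no translation. Only ONE "nat (inside) 0" is
! accepted, so every exempt destination goes into the same ACL instead of a
! second nat 0 command that would overwrite the first. On PIX 6.2 and later
! this exemption also covers the reverse direction (dmz -> inside), which is
! why no identity static is needed for the DMZ_IN flow below.
access-list NO_NAT permit ip 192.168.9.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list NO_NAT permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! Rule 3: outside -> dmz is lower to higher security, so the public mapping of
! the mail server needs a static plus an ACL on the outside interface.
static (dmz,outside) 203.0.113.25 10.1.10.25 netmask 255.255.255.255 0 0
access-list OUTSIDE_IN permit tcp any host 203.0.113.25 eq 25
access-group OUTSIDE_IN in interface outside

! Inside interface ACL (optional; without one, inside -> dmz is allowed by
! security level). Only SMTP and POP3 to the mail server may enter the DMZ;
! everything else from inside goes to the Internet only.
access-list INSIDE_IN permit tcp 192.168.9.0 255.255.255.0 host 10.1.10.25 eq 25
access-list INSIDE_IN permit tcp 192.168.9.0 255.255.255.0 host 10.1.10.25 eq 110
access-list INSIDE_IN deny ip any 10.1.10.0 255.255.255.0
access-list INSIDE_IN permit ip 192.168.9.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! DMZ interface ACL: a compromised DMZ host must not reach the inside network
! at will. Permit only the one assumed flow (relay forwarding mail inward),
! deny the rest of inside, then let the DMZ reach the Internet.
access-list DMZ_IN permit tcp host 10.1.10.25 host 192.168.9.10 eq 25
access-list DMZ_IN deny ip any 192.168.9.0 255.255.255.0
access-list DMZ_IN permit ip 10.1.10.0 255.255.255.0 any
access-group DMZ_IN in interface dmz

! Translation changes apply to new connections only after the xlate table is
! cleared; then save the configuration.
clear xlate
write memory
```

The deny lines placed before the final permit are what make the ACLs enforce the stated intent: without them, the trailing "permit ip ... any" would also admit traffic into the other zone.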
10-22-2003 05:12 AM
Here's one for the books.
I have a dmz with a 10.0.0.0/24 ip range
inside interface uses a 192.168.9.0/24 ip range
I have an SMTP and web reverse proxy in the DMZ which is accessible from the outside.
The server in the DMZ is configured to access servers on the inside and vice versa by their real ip addresses.
Everything works fine but how it is working i am a little unsure.
I have an access-list applied to the dmz interface, and another applied to the inside interface to allow the servers to communicate between each other based on their real ip addresses.
In order to bypass nat i used the following
nat 0 access-list NoNat
access-list NoNat permit 192.168.9.0 255.255.255.0 10.0.0.0 255.255.255.0
Thus connections initiated from the inside are not NATed and can therefore access the DMZ servers by their real IP addresses.
Now this is where it gets weird. If the server in the DMZ initiates communication with the servers on the inside (by their real IPs), it works! There are no statics applied to the dmz interface.
I have researched this quite a bit and I agree with you 100% that this is not documented very well at all.
Any ideas how this is working?