
what xlate for low to high sec interfaces in 9.2?

slug420
Level 1

I have an ASA that I recently upgraded from old code to the newer 9.2.

 

In the old code I would add the following static...

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

This would allow hosts in the dmz (with appropriate accompanying acls) to reach things on the inside network (192.168.100.0).

 

What do I need to do in 9.2 where the static is deprecated?

 

 


3 Replies

Francesco Molino
VIP Alumni

Hi

 

Here you're trying to NAT 192.168.100.0/24 from the DMZ to 192.168.100.0/24 on the inside.

I guess you wanted to do nat exemption, right?

 

To convert your exact statement, it will be:

object network OBJ-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
nat (inside,dmz) source static OBJ-192.168.100.0 OBJ-192.168.100.0

 

However, if you don't want to NAT the DMZ when communication is going to the inside, and vice versa, you'll need to configure it this way (let's assume your DMZ has subnet 192.168.101.0/24):

object network DMZ
 subnet 192.168.101.0 255.255.255.0

object network LAN
 subnet 192.168.100.0 255.255.255.0

nat (inside,dmz) source static LAN LAN destination static DMZ DMZ

 

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for the response, I believe you have answered my question but I am just not 100% clear on the difference in your two scenarios.

 

I do not plan on actually translating any addresses when inside talks to DMZ or DMZ talks to inside....

 

At the moment, I only have a need for a DMZ server to talk to a server on the inside....but in the future I might need hosts on the inside, to be able to talk to the server in the DMZ.  In any case, I do not expect any translations to occur.  So which of your two scenarios should I use?

 

Thanks,

 

This is what I thought. Use my last config:

object network DMZ
 subnet 192.168.101.0 255.255.255.0

object network LAN
 subnet 192.168.100.0 255.255.255.0

nat (inside,dmz) source static LAN LAN destination static DMZ DMZ


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
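As an added example that is not part of the thread: a small Python helper that rewrites one pre-8.3 `static` line into the 9.x object-NAT form shown above (identity NAT when the mapped and real addresses are the same, plain object NAT otherwise). The OBJ- naming and the optional peer_subnet argument, which adds the destination half of the twice-NAT rule, are my own choices.

```python
import ipaddress
import re

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)\s+"
    r"(?P<mapped_ip>[\d.]+)\s+(?P<real_ip>[\d.]+)\s+netmask\s+(?P<mask>[\d.]+)\s*$"
)


def convert_static(line, peer_subnet=None):
    """Return the 8.3+/9.x NAT config equivalent to one old 'static' line.

    peer_subnet: optional 'a.b.c.d/nn' on the mapped-side interface. When given
    and the static is an identity mapping, the rule becomes twice NAT that only
    exempts traffic between the two subnets (the LAN/DMZ form in the answer).
    """
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pre-8.3 static line: {line!r}")
    # strict=True rejects addresses with host bits set under the given mask
    real = ipaddress.ip_network(f"{m['real_ip']}/{m['mask']}", strict=True)
    mapped = ipaddress.ip_network(f"{m['mapped_ip']}/{m['mask']}", strict=True)
    ifcs = f"({m['real']},{m['mapped']})"
    real_obj = f"OBJ-{real.network_address}"

    if real == mapped:
        # identity NAT: mapped == real, i.e. no translation (NAT exemption)
        out = [f"object network {real_obj}",
               f" subnet {real.network_address} {real.netmask}"]
        nat = f"nat {ifcs} source static {real_obj} {real_obj}"
        if peer_subnet:
            peer = ipaddress.ip_network(peer_subnet, strict=True)
            peer_obj = f"OBJ-{peer.network_address}"
            out += [f"object network {peer_obj}",
                    f" subnet {peer.network_address} {peer.netmask}"]
            nat += f" destination static {peer_obj} {peer_obj}"
        out.append(nat)
    else:
        # real translation: object NAT, mapped subnet carried by its own object
        mapped_obj = f"OBJ-{mapped.network_address}"
        out = [f"object network {mapped_obj}",
               f" subnet {mapped.network_address} {mapped.netmask}",
               f"object network {real_obj}",
               f" subnet {real.network_address} {real.netmask}",
               f" nat {ifcs} static {mapped_obj}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(convert_static("static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0",
                         peer_subnet="192.168.101.0/24"))
```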