02-11-2018 03:56 PM - edited 02-21-2020 07:19 AM
I have an ASA I recently upgraded from old code to the newer 9.2.
In the old code I would add the following static...
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
This would allow hosts in the dmz (with appropriate accompanying acls) to reach things on the inside network (192.168.100.0).
What do I need to do in 9.2 where the static is deprecated?
02-11-2018 04:41 PM
Hi
Here you're trying to NAT 192.168.100.0/24 from DMZ to 192.168.100.0/24 to inside.
I guess you wanted to do nat exemption, right?
To convert your exact statement, it will be:
object network OBJ-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
nat (inside,dmz) source static OBJ-192.168.100.0 OBJ-192.168.100.0
However, if you don't want to NAT the DMZ when communication is going to the inside and vice versa, you'll need to configure it this way (let's assume your DMZ has subnet 192.168.101.0/24):
object network DMZ
 subnet 192.168.101.0 255.255.255.0
object network LAN
 subnet 192.168.100.0 255.255.255.0
nat (inside,dmz) source static LAN LAN destination static DMZ DMZ
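The conversion described in the answer above, as an added example that is not part of the original post: a small Python helper that rewrites a pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` line into the object and `nat ... source static` form shown there. The function names are hypothetical, the `OBJ-<address>` naming follows the answer, and only the simple form with an explicit netmask is handled.

```python
import ipaddress
import re

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def _object(name, addr, mask):
    """Return the two config lines of a network object (hypothetical helper)."""
    # strict=True raises ValueError when host bits are set for the given mask,
    # which catches an address/netmask pair that does not describe a network.
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
    if net.prefixlen == 32:
        body = f" host {net.network_address}"
    else:
        body = f" subnet {net.network_address} {net.netmask}"
    return [f"object network {name}", body]


def convert_static(line):
    """Convert one simple pre-8.3 static line into 8.3+ config lines."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a simple static NAT line with netmask: {line!r}")
    real_name = f"OBJ-{m['real']}"
    mapped_name = f"OBJ-{m['mapped']}"
    out = _object(real_name, m["real"], m["mask"])
    if mapped_name != real_name:  # identity NAT reuses a single object
        out += _object(mapped_name, m["mapped"], m["mask"])
    out.append(
        f"nat ({m['real_if']},{m['mapped_if']}) source static {real_name} {mapped_name}"
    )
    return out


def is_identity(line):
    """True when the static maps an address range to itself (no translation)."""
    m = STATIC_RE.match(line.strip())
    return bool(m) and m["mapped"] == m["real"]


if __name__ == "__main__":
    old = "static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0"
    print("\n".join(convert_static(old)))
```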
02-11-2018 06:26 PM
Thanks for the response, I believe you have answered my question but I am just not 100% clear on the difference in your two scenarios.
I do not plan on actually translating any addresses when inside talks to DMZ or DMZ talks to inside....
At the moment, I only have a need for a DMZ server to talk to a server on the inside....but in the future I might need hosts on the inside, to be able to talk to the server in the DMZ. In any case, I do not expect any translations to occur. So which of your two scenarios should I use?
Thanks,
02-11-2018 06:33 PM