If I have an ASA 5520 with an INSIDE interface, a DMZ interface and a WAN interface, what would be the best way to configure NAT? If I configure nat-control and a nat (inside) 1 0.0.0.0 0.0.0.0, this will configure everything to be NAT'd when passing from the INSIDE interface out.
My question is, what about the devices I want to access in the DMZ from the inside for management etc.? I'm guessing the ASA isn't smart enough to realise you're accessing hosts on its DMZ interface, so do you have to configure a nat 0 rule for every subnet within the DMZ you want to access, or is there an easier way to do it? It's worth noting that the same devices will be accessing the OUTSIDE network and the DMZ network from the INSIDE network.
Sorry, I should have said: the firewall is on 7.2 and cannot be upgraded to version 8 as it does not have enough RAM.
You would configure nat like you have, "nat (inside) 1 0 0", but you would then match that nat to a global statement, "global (outside) 1 interface". This would nat all outbound traffic as whatever your public address is on the outside interface.
DMZ traffic, on the other hand, you wouldn't want to nat between your LAN and DMZ, so you'd create an ACL and apply that to your nat 0. Suppose you have 10.10.10.0/24 on the inside and 192.168.1.0/24 in the DMZ. You would create an ACL and apply it to nat 0:
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
For DMZ traffic to nat out, you would also create a nat "1" for it to use the same global as your inside:
nat (dmz) 1 192.168.1.0 255.255.255.0
If you have other inside subnets, like 220.127.116.11/24, you would just add them to your nonat ACL like above.
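As an added illustration (not part of the original answer), the following small model walks a flow through the translation lookup the answer above describes: the nat 0 exemption ACL is checked first, then the dynamic nat id is matched to a global on the egress interface, and with nat-control on a flow that finds no global is dropped. The outside interface address 203.0.113.1 is a constructed placeholder standing in for "global (outside) 1 interface"; the inbound ACL check that happens before translation is not modelled here.

```python
import ipaddress

# Addressing from the answer above (inside and DMZ subnets).
INSIDE = ipaddress.ip_network("10.10.10.0/24")
DMZ = ipaddress.ip_network("192.168.1.0/24")
# Constructed placeholder for the outside interface address used by PAT.
OUTSIDE_IF_ADDR = "203.0.113.1"

# access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
# nat (inside) 0 access-list nonat
NONAT_ACL = {"inside": [(INSIDE, DMZ)]}

# nat (inside) 1 0 0
# nat (dmz) 1 192.168.1.0 255.255.255.0
NAT_RULES = {
    "inside": [(1, ipaddress.ip_network("0.0.0.0/0"))],
    "dmz": [(1, DMZ)],
}

# global (outside) 1 interface  -> PAT to the outside interface address
GLOBALS = {("outside", 1): OUTSIDE_IF_ADDR}

NAT_CONTROL = True  # the poster runs with nat-control enabled


def translate(src_if, src_ip, dst_if, dst_ip):
    """Return the translation decision for one new flow.

    ("exempt", src_ip)  -> matched the nat 0 ACL, address left untouched
    ("pat", public_ip)  -> dynamic nat id matched a global on the egress interface
    ("drop", reason)    -> nat-control is on and no translation group was found
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)

    # 1. NAT exemption (nat 0 access-list) takes precedence over dynamic rules.
    for src_net, dst_net in NONAT_ACL.get(src_if, []):
        if src in src_net and dst in dst_net:
            return ("exempt", src_ip)

    # 2. First dynamic nat rule on the source interface whose network matches.
    for nat_id, net in NAT_RULES.get(src_if, []):
        if src in net:
            public = GLOBALS.get((dst_if, nat_id))
            if public is not None:
                return ("pat", public)
            # nat id matched but the egress interface has no global for it.
            if NAT_CONTROL:
                return ("drop", "no global for nat id %d on %s" % (nat_id, dst_if))
            return ("passthrough", src_ip)

    # 3. No nat rule at all: nat-control forbids untranslated traffic.
    return ("drop", "no translation group") if NAT_CONTROL else ("passthrough", src_ip)
```

An inside host outside the nonat ACL reaching into the DMZ is the case the thread warns about: it matches nat id 1 but there is no global (dmz) 1, so with nat-control it is dropped until its subnet is added to the ACL.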
Thanks for the concise reply. If INSIDE hosts match a 'no NAT' rule to the DMZ, I'm assuming they will still have to pass through the access lists I have configured inbound on the INSIDE?
That's correct. If you have a rule that denies telnet into the DMZ, or out from the inside anywhere, then it will be dropped before being natted.
Personally, if it were me, I would disable nat control. Remember, too, that ACLs on an ASA depend on the direction of your traffic. For instance, say you have an outside interface at security level 0, an inside interface at 100, and a DMZ interface at 50. You do not have to configure any ACLs for traffic going from a higher security level interface into a lower security level interface. You can configure an ACL, but you don't have to. If you're going from a lower security level interface to a higher security level interface, you will have to configure an ACL; otherwise everything will be dropped by default.
Are you wanting your DMZ network to be nat'd to your inside hosts for security reasons?