one to one nat ASA

Hi,

If i have a local network with an IP range of 10.1.0.0/24 connected to the inside interface of my ASA and i have a DMZ connected to the dmz interface of my ASA with IP of 10.1.100.1/32, how do i get the lan to communicate with the dmz? Are the below steps correct?

nat (inside) 2 10.1.0.0 255.255.0.0 0 0
global (dmz) 2 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,dmz) 10.1.100.1 80 netmask 255.255.255.255 10.1.0.0 netmask 255.255.0.0

Thanks in advance.

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

marcusaureliusbrutus

Hi,

Been doing some further reading. Is the below config better?

static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
access-list permit dmz_int extended permit host 10.1.200.5 any eq www
access-group dmz_int in interface dmz

*allows inside network not to be translated
*allows proxy (10.1.200.5) to respond to hosts queries

shednik

By default the communication should be allowed so if you wanted to allow any traffic from the 10.1.0.0/24 you could just make an access list like that

access-list NoNat permit ip 10.1.0.0 255.255.255.0 10.1.100.1 255.255.255.255

That will be added to the Nat Exempt rules automatically.