one to one nat ASA
marcusaureliusbrutus
Member Posts: 73 ■■□□□□□□□□
in CCNP
Hi,
If I have a local network with an IP range of 10.1.0.0/24 connected to the inside interface of my ASA and I have a DMZ connected to the dmz interface of my ASA with IP of 10.1.100.1/32, how do I get the LAN to communicate with the DMZ? Are the below steps correct?
nat (inside) 2 10.1.0.0 255.255.0.0 0 0
global (dmz) 2 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,dmz) 10.1.100.1 80 netmask 255.255.255.255 10.1.0.0 netmask 255.255.0.0
Thanks in advance.
Comments
marcusaureliusbrutus Member Posts: 73 ■■□□□□□□□□
Hi,
Been doing some further reading. Is the below config better?
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
access-list dmz_int extended permit tcp host 10.1.200.5 any eq www
access-group dmz_int in interface dmz
*allows inside network not to be translated
*allows proxy (10.1.200.5) to respond to hosts queries
shednik Member Posts: 2,005
By default the communication should be allowed, so if you wanted to allow any traffic from the 10.1.0.0/24 you could just make an access list like that:
access-list NoNat permit ip 10.1.0.0 255.255.255.0 10.1.100.1 255.255.255.255
That will be added to the Nat Exempt rules automatically.
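For the pre-8.3 nat/global/static syntax used in this thread, the following shows a NAT exemption scoped to the stated /24 rather than the /16 masks in the earlier posts, with commands to verify it. This is an added example, not configuration from any of the posters. It assumes the interface names inside and dmz, a dmz security level lower than inside, and a hypothetical test client 10.1.0.10.

```cisco
! Match only the stated LAN (10.1.0.0/24) talking to the DMZ host.
! A 255.255.0.0 mask would also cover 10.1.100.1 and 10.1.200.5 themselves.
access-list NoNat extended permit ip 10.1.0.0 255.255.255.0 host 10.1.100.1
!
! Bind the ACL as a NAT exemption on the inside interface (NAT ID 0).
nat (inside) 0 access-list NoNat
!
! Connections from the higher security level (inside) to the lower one (dmz)
! are permitted without an ACL, and replies are allowed statefully.
! An inbound ACL on dmz is needed only for sessions the DMZ host starts.
!
! Verification, from privileged EXEC mode:
show running-config nat
show access-list NoNat
! Simulate a web request from the assumed test client to the DMZ host
! and check the NAT and ACCESS-LIST phases of the result.
packet-tracer input inside tcp 10.1.0.10 1025 10.1.100.1 80
```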