Re: Best way to do multiple NAT statements on ASA

Discussion in 'Cisco' started by Igor Mamuzić aka Pseto, Jul 13, 2010.

  1. On 25.6.2010. 23:09, Andrew Hodgson wrote:
    > Hi,
    >
    > I have 3 DMZs and an inside network.
    >
    > Inside network is 192.168.1.0/24, DMZ1 is 192.168.2.0/24, DMZ2 is
    > 3.0/24, and DMZ 3 is 4.0/24.
    >
    > I want all networks to be able to talk to each other without NAT
    > (there will be ACLs however).


    The best way is to use the no nat-control command, so that the firewall
    doesn't require NAT between network segments. However, if you need to
    use NAT from your LAN to the Internet, for example, then you must
    (despite 'no nat-control') apply a NAT / identity NAT / NAT exception
    rule to that traffic going to any lower security level interfaces.
    So, in your case it's best to use nat 0 (NAT exception) for traffic
    flowing between your network segments. I think that you can even try to
    use the same security level for all DMZs to avoid the need for NAT, but
    I'm not sure about it; by doing that you lose the ASA's ability to
    filter traffic without configuring giant access-lists.

    Igor
    Igor Mamuzić aka Pseto, Jul 13, 2010
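
Added example, not part of the post above or of the original thread: an ASA configuration in the pre-8.3 syntax the reply refers to (nat-control and nat 0), with NAT exemption between the internal segments, PAT only toward the Internet, and an interface ACL doing the actual filtering. The interface names, ACL names, the host 192.168.1.10, and reading "3.0/24" and "4.0/24" as 192.168.3.0/24 and 192.168.4.0/24 are assumptions.

```cisco
! Constructed example for ASA software before 8.3.
! Assumed interfaces: outside, inside, dmz1, dmz2, dmz3 (nameif already set).
! Assumed subnets: inside 192.168.1.0/24, dmz1 .2.0/24, dmz2 .3.0/24, dmz3 .4.0/24.

! Do not require a NAT rule for every flow through the firewall.
no nat-control

! Dynamic PAT for Internet-bound traffic from the inside network.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! NAT exemption: inside <-> DMZ traffic keeps its real addresses.
! Without this, inside-to-DMZ packets match "nat (inside) 1" and are dropped,
! because no "global" with ID 1 exists on the DMZ interfaces.
access-list INSIDE_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list INSIDE_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list INSIDE_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT

! If a DMZ also gets PAT to the Internet, exempt its traffic to the other DMZs
! the same way (shown for dmz1; repeat per DMZ interface as needed).
nat (dmz1) 1 192.168.2.0 255.255.255.0
access-list DMZ1_NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list DMZ1_NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (dmz1) 0 access-list DMZ1_NONAT

! NAT exemption does not permit anything by itself. The interface ACL decides
! what a DMZ may reach; keep it narrow (assumed: one HTTPS server on inside).
access-list DMZ1_IN extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 443
access-list DMZ1_IN extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list DMZ1_IN extended permit ip 192.168.2.0 255.255.255.0 any
access-group DMZ1_IN in interface dmz1
```

On the ASA, `packet-tracer input dmz1 tcp 192.168.2.10 1025 192.168.1.10 443` (source host constructed) reports which NAT rule and ACL entry a given flow matches, which is a quick way to confirm that the exemption and the filter both apply.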