Best way to do multiple NAT statements on ASA

Hi,

I have 3 DMZs and an inside network.

Inside network is 192.168.1.0/24, DMZ1 is 192.168.2.0/24, DMZ2 is 3.0/24, and DMZ 3 is 4.0/24.

I want all networks to be able to talk to each other without NAT (there will be ACLs however).

Currently I have NAT statements like this:

static (inside,dmz1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz3) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

These allow any host from 192.168.1.0/24 to talk to the DMZs (ACL permitting of course).

However, what is the most efficient way to get all the DMZs talking to each other without NAT? Do I have to use commands like:

static (dmz1,dmz2) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (dmz1,dmz3) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (dmz2,dmz1) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz2,dmz3) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz3,dmz1) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (dmz3,dmz2) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

Is there a more efficient or secure way?

Thanks. Andrew.

Andrew Hodgson

| I have 3 DMZs and an inside network.
|
| Inside network is 192.168.1.0/24, DMZ1 is 192.168.2.0/24, DMZ2 is
| 3.0/24, and DMZ 3 is 4.0/24.
|
| I want all networks to be able to talk to each other without NAT
| (there will be ACLs however).
|
| Currently I have NAT statements like this:

| However, what is the most efficient way to get all the DMZs talking to
| each other without NAT? Do I have to use commands like:
| Is there a more efficient or secure way?

You can disable the nat control feature. The command is:

no nat-control

After this you don't need to have nat statements for traffic that goes from one interface to another.

Morph

The best way is to use the no nat-control command, so that the firewall doesn't require NAT between network segments. However, if you need to use NAT from your LAN to the Internet, for example, then you must (despite 'no nat-control') apply a NAT / identity NAT / NAT exemption rule to that traffic going to any lower security level interfaces. So, in your case it's best to use nat 0 (NAT exemption) for traffic flowing between your network segments. I think that you can even try to use the same security level for all DMZs to avoid the need for NAT, but I'm not sure about it; doing that, you lose the ASA's ability to filter traffic without configuring giant access-lists.

Igor

Igor Mamuzić
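As an added example (not from any of the replies above), here is Igor's "no nat-control plus nat 0" approach written out in the pre-8.3 ASA syntax the question uses. The interface name "outside", the security-level ordering and the dynamic PAT to the Internet are assumptions; the four internal networks are the ones from the question.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax (as in the question).
! Assumed: an interface named "outside" with security level 0, and
! inside (100) > dmz1 > dmz2 > dmz3 > outside. Interface ACLs still decide
! which flows are permitted; this only removes the need for identity statics.
no nat-control
!
! The four segments that may reach each other untranslated.
object-group network INTERNAL
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
!
access-list NONAT extended permit ip object-group INTERNAL object-group INTERNAL
!
! NAT exemption (nat 0) on every internal interface. This replaces the 3 inside
! statics plus the 6 DMZ-to-DMZ statics from the question, and it is matched
! before any dynamic nat/global pair below.
nat (inside) 0 access-list NONAT
nat (dmz1) 0 access-list NONAT
nat (dmz2) 0 access-list NONAT
nat (dmz3) 0 access-list NONAT
!
! Dynamic PAT applies only to flows that leave toward the Internet, because
! the only global for pool 1 is on "outside".
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz1) 1 192.168.2.0 255.255.255.0
nat (dmz2) 1 192.168.3.0 255.255.255.0
nat (dmz3) 1 192.168.4.0 255.255.255.0
```

To confirm a DMZ-to-DMZ flow is exempt rather than translated, trace a sample packet with packet-tracer (for example from dmz1 host 192.168.2.10 to dmz2 host 192.168.3.10) and check that the NAT phase reports the nat 0 rule and that no xlate is created.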

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.