
Using Dynamic NAT to translate internal addresses to different network on DMZ interface

Last Modified: 2012-05-10
Hello All,

I have a Cisco ASA that has a DMZ interface. I need clients on the inside to appear on the DMZ interface as 172.24.16.x. The DMZ is connected to a VPN hardware device at I need clients to connect through the ASA to the 172.20.x.x 255.255.x.x. I have everything set up, including routes and the global and nat statements. I want to make sure my config will do this. Thank you.


Can this be done? I'm not sure if you can use a different IP pool for a global command and a different IP on the DMZ interface.

you need to change

nat (DMZ) 2

to

nat (inside) 2

other than that, the rest looks fine


The minute I add the second statement my clients on the 172.21.174.x 255.255.255.x lose their internet.


Here is my route table:

S [1/0] via, inside
C is directly connected, DMZ
C is directly connected, inside
S [1/0] via, outside
C is directly connected, outside
S* [1/0] via, outside

I have and and on the inside. It looks like once I add the nat (DMZ) inside statement it routes the inside networks to the DMZ interface. Strange.


I removed [1/0] via, outside line and specified the networks I want to go to the VPN device with no go.


Okay...I am now trying to use Policy Nat with global and nat commands. My configuration is below:

access-list Harland_VPN extended permit ip
access-list Harland_VPN extended permit ip
access-list dmz extended permit ip any any
global (outside) 1 interface
global (DMZ) 2 netmask
nat (inside) 1
nat (inside) 2 access-list Harland_VPN
route DMZ
route DMZ
route DMZ
route DMZ

I tried to telnet or ping to the address The connection is closed immediately and I do not see any entries in the xlate or conn tables:

6 in use, 284 most used
Global Local
PAT Global Local
PAT Global Local
PAT Global Local
PAT Global Local
PAT Global Local  

TORRANCEASA# sh conn  
58 in use, 164 most used
TCP outside inside, idle 0:00:09, bytes 253159, flags UIOB
TCP outside inside, idle 0:00:11, bytes 81868, flags UIO
TCP outside inside, idle 0:00:27, bytes 157060, flags UIO
TCP outside inside, idle 0:00:04, bytes 86008, flags UIO
TCP outside inside, idle 0:00:27, bytes 81508, flags UIO
TCP outside inside, idle 0:00:04, bytes 142730, flags UIO

My question is: should the config work, and how can I verify that the NAT translation is actually working? Packet capture? I'm not seeing anything that says the firewall is routing out the DMZ interface towards as the next hop. I need to use a range for the global command, so I do not think policy NAT with the static command will work. Thank you.

With the existing config you won't see traffic from your inside network towards the DMZ on your translation tables simply because it's not translating them:

Your Harland_VPN doesn't have an entry for the DMZ. On the other hand, you're trying to telnet to, which should send the traffic through the VPN. Because it's a VPN you should not NAT it at all, or the VPN won't work (unless your access-lists on the other end of the VPN are configured for the NAT IPs), so you should add:

access-list NONAT extended permit ip

So the firewall doesn't translate these packets.

Do you have a config for the other side of the VPN?

Another thing I noticed is this:

Your VPN Peer is 24.x.x.x

Your destination for is

Since is not your Peer; does this traffic allow VPN traffic through? Is this a router? is there a route towards the other VPN peer?


The tunnel-group is for a tunnel that is disabled. I'm not using that.

I want to send traffic out the DMZ interface appearing as to a third party VPN hardware device connected at The ASA is not doing the VPN. is doing the VPN. Here is a diagram.


Ok, I see where I went wrong. I already had the network for the global, so the access-list is just to trigger the policy. I added to the access-list since I want the two networks to route. I'll test and see if it works. Thank you.
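The shape the thread converges on, written out as an added example rather than the poster's actual configuration: pre-8.3 ASA policy NAT that translates the inside 172.21.174.0/24 network into the 172.24.16.x pool only for traffic bound for 172.20.0.0/16, while everything else stays on the outside interface PAT. The pool range, the DMZ next-hop address of the VPN device, and the packet-tracer hosts are constructed placeholders; only the three prefixes named in the thread are taken from it.

```cisco
! Constructed example (ASA 8.2-era syntax). Addresses other than the
! prefixes named in the thread (172.21.174.0/24 inside, 172.24.16.0/24 DMZ
! pool, 172.20.0.0/16 behind the third-party VPN device) are placeholders.
!
! Selector for policy NAT: only inside -> 172.20.0.0/16 is translated to the
! DMZ pool. This ACL selects traffic for NAT; it does not permit anything.
! Interface ACLs on inside and DMZ still decide what is allowed through.
access-list Harland_VPN extended permit ip 172.21.174.0 255.255.255.0 172.20.0.0 255.255.0.0
!
! Dynamic pool on the DMZ interface, NAT ID 2. Hosts get one-to-one dynamic
! translations from the range; if the pool is exhausted, new flows are dropped
! unless a single-address PAT global with the same ID is also configured.
global (DMZ) 2 172.24.16.10-172.24.16.200 netmask 255.255.255.0
!
! Everything else from inside keeps using interface PAT on outside, NAT ID 1.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Policy NAT: ID 2 is chosen by the ACL match. On pre-8.3 code, policy NAT
! (nat with access-list) is evaluated before regular dynamic NAT, so this wins
! over nat (inside) 1 for matching flows regardless of line order. Note the
! statement is on the inside interface (the source side), not on DMZ.
nat (inside) 2 access-list Harland_VPN
!
! Route the remote prefix out the DMZ to the VPN device (placeholder next hop).
route DMZ 172.20.0.0 255.255.0.0 172.24.16.1 1
!
! Verification without touching a client: trace a synthetic packet and check
! that the NAT phase reports global (DMZ) 2 and that the output interface is DMZ.
packet-tracer input inside tcp 172.21.174.50 1025 172.20.1.10 23 detailed
!
! After a real connection attempt, the translation must appear in the tables.
show xlate | include 172.24.16
show conn | include 172.20
```

If packet-tracer shows the flow leaving via outside with the ID 1 PAT instead, the ACL did not match; a missing or wrong prefix in Harland_VPN is the usual cause.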
Thanks for using Experts Exchange.