I’m configuring an ASA for a customer that does not want NAT translation between their internal network and their DMZ. They don’t want NAT in either direction, so DMZ servers can connect to internal servers via their actual IP and vice versa. I am preparing the config in advance and won’t have much time to troubleshoot once the firewall is installed in their production environment. I need help with the NAT commands so there is no translation in either direction but there is NAT when connecting to the Internet.
This is what I have thus far (using different IPs for example purposes):
access-list EXEMPT extended permit ip any 10.150.10.0 255.255.255.0
nat (inside) 0 access-list EXEMPT
The above would not translate internal addresses when they go to the DMZ, but what entries would I use for when a DMZ server needs to connect to the internal network so the IP isn’t translated? Would I use another nat 0 line with an ACL, or would a static entry listing both the internal and DMZ subnets be better? Would the below entry work to not translate DMZ addresses connecting to internal servers? If not, what entries would work?
access-list DMZ_EXEMPT extended permit ip any 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_EXEMPT
Also, would a “global (outside) 1 x.x.x.x netmask x.x.x.x” translate all traffic going to the Internet from both networks even though there is no NAT translation between the internal and DMZ subnets?
Thanks for the assistance!
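An added example configuration (not the poster's own) for the pre-8.3 ASA nat/global model the question uses, built from the post's example subnets (inside 192.168.1.0/24, DMZ 10.150.10.0/24) with a placeholder outside address. The DMZ interface ACL and the host/port in it are assumptions added to show that exempting NAT alone does not permit the lower-security DMZ to open connections inward.

```text
! Added example, not the original poster's config. Pre-8.3 ASA syntax.
! inside = 192.168.1.0/24, DMZ = 10.150.10.0/24 (the post's example subnets).

! NAT exemption between inside and DMZ. The ACL names the exact subnet pair
! rather than "any" so the exemption cannot match anything else by accident.
! nat 0 access-list exemption is bidirectional, so the inside line alone
! already lets DMZ hosts initiate to inside with real addresses; the DMZ
! mirror is kept so intent is explicit and so it still works if nat-control
! is ever enabled.
access-list EXEMPT extended permit ip 192.168.1.0 255.255.255.0 10.150.10.0 255.255.255.0
nat (inside) 0 access-list EXEMPT
access-list DMZ_EXEMPT extended permit ip 10.150.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_EXEMPT

! Dynamic PAT to the Internet for both networks. Exemption (nat 0) is
! evaluated before dynamic NAT, so inside<->DMZ flows never reach nat id 1.
! x.x.x.x is a placeholder; "global (outside) 1 interface" also works.
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 1 10.150.10.0 255.255.255.0
global (outside) 1 x.x.x.x

! Assumption: DMZ has a lower security level than inside, so DMZ-initiated
! connections still need an interface ACL. Permit only the needed host/port
! (192.168.1.10 tcp/443 is a constructed example), not the whole subnet.
access-list DMZ_IN extended permit tcp 10.150.10.0 255.255.255.0 host 192.168.1.10 eq 443
access-group DMZ_IN in interface DMZ

! Pre-production checks:
! show nat                       - exemption and PAT rules per interface
! show xlate                     - translations present only for Internet flows
! packet-tracer input DMZ tcp 10.150.10.5 1024 192.168.1.10 443
! packet-tracer input inside tcp 192.168.1.10 1024 10.150.10.5 80
```

The two packet-tracer runs show the NAT phase hitting the exemption rule (no translation) in each direction, which is the quickest way to confirm the result before cutover when troubleshooting time is short.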