No NAT translation between internal network and DMZ

I’m configuring an ASA for a customer that does not want NAT translation between their internal network and their DMZ.  They don’t want NAT in either direction so DMZ servers can connect to internal servers via their actual IP and vice versa.  I am preparing the config in advance and won’t have much time to troubleshoot once the firewall is installed in their production environment.  I need help with the NAT commands to so there is no translation in either direction but there is NAT when connecting to the Internet.

This is what I have thus far (using different IPs for example purposes):

Access-list EXEMPT extended permit ip any
Nat (inside) 0 access-list EXEMPT

The above would not translate internal addresses when they go to the DMZ but what entries would I use for when a DMZ server needs to connect to the internal network so the IP isn’t translated?  Would I use another Nat 0 line with an ACL or would a static entry listing both the internal and DMZ subnets be better?  Would the below entry work to not translate DMZ addresses connecting to internal servers?  If not, what entries would work?

Access-list DMZ_EXEMPT extended permit ip any
Nat (DMZ) 0 access-list DMZ_EXEMPT

Also, would a “global (outside) 1 x.x.x.x netmask x.x.x.x” translate all traffic going to the Internet from both networks even though there is not NAT translation between the internal and DMZ subnets?

Thanks for the assistance!
Who is Participating?
Ken BooneNetwork ConsultantCommented:
so if is the inside network your acl should like like this:

access-list dmz_in extended permit ip
access-group dmz_in in interface dmz

then you could just have the following
global (outside) 1 interface
nat (inside) 1  

That would allow anything that is going from the inside network to the outside network to nat to the outside interface of the asa.

The previous static and ACL will allow communications to the DMZ without nat'ing.

Now I am assuming a few things:
Inside interface security level = 100
outside interface security level = 0
dmz interface securcity level = something between 0 and 100
Ken BooneNetwork ConsultantCommented:
So what you would do is something like this:

static (inside,dmz) netmask

This assumes that is the inside network.

this statement would say that the will be known as on the dmz segment.

You would then need to add an ACL to the dmz segment allowing the DMZ devices to reach the devices.

Since you have done this - you will not need the nat 0 rule you set up as once I create a static assignment like above it works in both directions.

steno1122Author Commented:
Thank you for the reply.  To clarify,  I add the static which you mentioned

static (inside,dmz) netmask

Then I add an ACL something like

access-list dmz_in extended permit ip

Then add a global statement to get to the Internet like

global (outside) 1 (routable IP's) netmask x.x.x.x

Would that work to so there is no NAT on the network but both the internal and DMZ servers can get to the Internet?

Thanks again for the help!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.