No NAT translation between internal network and DMZ

Hi,
I’m configuring an ASA for a customer that does not want NAT translation between their internal network and their DMZ. They don’t want NAT in either direction, so DMZ servers can connect to internal servers via their actual IP and vice versa. I am preparing the config in advance and won’t have much time to troubleshoot once the firewall is installed in their production environment. I need help with the NAT commands so there is no translation in either direction but there is NAT when connecting to the Internet.

This is what I have thus far (using different IPs for example purposes):

Access-list EXEMPT extended permit ip any 10.150.10.0 255.255.255.0
Nat (inside) 0 access-list EXEMPT

The above would not translate internal addresses when they go to the DMZ but what entries would I use for when a DMZ server needs to connect to the internal network so the IP isn’t translated?  Would I use another Nat 0 line with an ACL or would a static entry listing both the internal and DMZ subnets be better?  Would the below entry work to not translate DMZ addresses connecting to internal servers?  If not, what entries would work?

Access-list DMZ_EXEMPT extended permit ip any 192.168.1.0 255.255.255.0
Nat (DMZ) 0 access-list DMZ_EXEMPT

Also, would a “global (outside) 1 x.x.x.x netmask x.x.x.x” translate all traffic going to the Internet from both networks even though there is not NAT translation between the internal and DMZ subnets?

Thanks for the assistance!
steno1122 Asked:

Ken Boone, Network Consultant, Commented:
So what you would do is something like this:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

This assumes that 192.168.1.0 is the inside network.

This statement would say that the 192.168.1.0 will be known as 192.168.1.0 on the dmz segment.

You would then need to add an ACL to the dmz segment allowing the DMZ devices to reach the 192.168.1.0 devices.

Since you have done this, you will not need the nat 0 rule you set up, as once I create a static assignment like the one above it works in both directions.

steno1122 (Author) Commented:
Kenboonejr,
Thank you for the reply. To clarify, I add the static which you mentioned:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Then I add an ACL, something like:

access-list dmz_in extended permit ip 192.168.1.0 255.255.255.0 10.150.10.0 255.255.255.0

Then add a global statement to get to the Internet, like:

global (outside) 1 (routable IP's) netmask x.x.x.x

Would that work so there is no NAT on the network but both the internal and DMZ servers can get to the Internet?

Thanks again for the help!

Ken Boone, Network Consultant, Commented:
So if 192.168.1.0 is the inside network, your ACL should look like this:

access-list dmz_in extended permit ip 10.150.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz_in in interface dmz

Then you could just have the following:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0  

That would allow anything going from the inside network to the outside network to NAT to the outside interface of the ASA.

The previous static and ACL will allow communication with the DMZ without NATing.

Now I am assuming a few things:
Inside interface security level = 100
Outside interface security level = 0
DMZ interface security level = something between 0 and 100
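Pulling the three replies together, here is the complete pre-8.3 NAT fragment as one worked example. This is an added example, not configuration posted in the thread or shipped by Cisco; the addressing (inside 192.168.1.0/24, DMZ 10.150.10.0/24), the interface names and the DMZ security level of 50 are assumptions carried over from the thread's sample values, and the `nat (dmz) 1` line is an addition beyond what the answer shows, so that DMZ hosts also get PAT to the Internet as the question asked.

```cisco
! Added example (not from the thread): identity NAT between inside and dmz,
! plus PAT for Internet-bound traffic, in pre-8.3 ASA syntax.
! Assumed: inside = 192.168.1.0/24 (security 100), dmz = 10.150.10.0/24
! (security 50, an assumption), outside = security 0.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
! Identity static: inside hosts are known on the dmz by their real addresses.
! One static serves both directions, so no "nat (inside) 0 access-list" or
! "nat (dmz) 0 access-list" exemption is required for inside<->dmz traffic.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Because dmz (50) is lower security than inside (100), DMZ-initiated
! connections to the inside need an inbound ACL on the dmz interface.
! "ip" matches the thread; in production, limit this to the ports the DMZ
! servers actually need (for example tcp/1433 to a single database host).
access-list dmz_in extended permit ip 10.150.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz_in in interface dmz
!
! Dynamic PAT to the outside interface address for Internet access.
! The static above is evaluated before these nat/global rules, so traffic
! between inside and dmz is never caught by them.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
```

Before the cutover, the behaviour can be checked offline on the staged config with `packet-tracer input dmz tcp 10.150.10.5 1025 192.168.1.10 443` (and the reverse direction from `inside`); the NAT phase of the output should show the identity static and the source and destination addresses unchanged, while a trace to an Internet address should show the dynamic translation to the outside interface. Note that on ASA 8.3 and later the NAT syntax changed: the static above becomes a twice-NAT rule of the form `nat (inside,dmz) source static INSIDE_NET INSIDE_NET destination static DMZ_NET DMZ_NET` with the two subnets defined as network objects, and the `global`/`nat 1` pair becomes a `nat (inside,outside) dynamic interface` rule under each internal network object.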
