
Testing in a lab... I have a VLAN directly attached to a Cisco ASA 5520 that contains host machines that use IPs from a public address space, 11.11.11.0/26 for example. The ASA has two interfaces: this dmz interface containing the hosts on the 11.11.11.0/26, and an outside interface containing a /30 peering point to an ASR running BGP etc.

Is there a way to configure the ASA to allow connectivity to and from this 11.11.11.0/26 without having to put in NAT statements, since the two interfaces have two different security levels?

  • dmz security-level 50 (11.11.11.1/26)

  • outside security-level 0 (11.11.11.65/30) to ASR

Thanks for everyone's help in advance!

1 Answer

Disable nat-control. Apply permit acl to outside interface.

  • Hmm, the command errors as it is deprecated; I am running 8.4.2. Commented Sep 13, 2016 at 20:33
  • After 8.3 there is no nat-control. So you should configure nat exemption. Here is how you can achieve that:

        object network LOCAL_LAN
         subnet 11.11.11.0 255.255.255.192
        object network REMOTE_LAN
         subnet 11.11.11.64 255.255.255.252
        nat (dmz,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

    Commented Sep 13, 2016 at 20:47
  • Thanks Nuran, that is as far as I got; however, I can't specify "any" as the REMOTE_LAN? For example, what if it is 11.11.11.11 to 8.8.8.8, how do I ensure no nat control is happening? Commented Sep 14, 2016 at 12:31
  • So apparently I didn't assign my outside ACL to my outside interface via the access-group command. I figured it out when I did a packet-tracer and it kept saying it was denied by ACL. Thanks for your help. Commented Sep 14, 2016 at 13:24
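Putting the thread's pieces together, as an added example that is not part of the answer or comments: identity (exemption) NAT for the whole /26 towards any destination, the inbound ACL on outside actually bound with access-group, and the packet-tracer check that exposed the missing binding. The object and ACL names are assumed, as is ASA 8.4(2) or later for the route-lookup keyword; the 11.11.11.x addresses and the 8.8.8.8 test destination are the asker's own.

```cisco
! Added example (not from the thread). Object/ACL names are assumed; assumes ASA 8.4(2)+.
! dmz hosts carry public addresses, so they must traverse the ASA untranslated.
object network DMZ_PUBLIC
 subnet 11.11.11.0 255.255.255.192
!
! Identity (exemption) NAT: the source object maps to itself. Omitting the
! destination clause means "any destination", which covers 11.11.11.11 -> 8.8.8.8.
! no-proxy-arp stops the ASA answering ARP for the /26 on outside; route-lookup
! picks the egress interface from the routing table rather than from this rule.
nat (dmz,outside) source static DMZ_PUBLIC DMZ_PUBLIC no-proxy-arp route-lookup
!
! outside (level 0) -> dmz (level 50) is denied by default, so an inbound ACL is
! required. Permit only the services the hosts actually expose, log the rest,
! and bind it to the interface (the step that was missing in the thread).
access-list OUTSIDE_IN extended permit tcp any object DMZ_PUBLIC eq 443
access-list OUTSIDE_IN extended permit icmp any object DMZ_PUBLIC echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Verification, run from enable mode: both traces should end in "Allow", with the
! NAT phase showing the flow untranslated. A "drop ... acl-drop" result on the
! first trace is the symptom of an ACL that exists but is not bound.
packet-tracer input outside tcp 8.8.8.8 40000 11.11.11.11 443
packet-tracer input dmz tcp 11.11.11.11 40000 8.8.8.8 443
```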
