Cisco ASA Dynamic NAT with DMZ

This topic is to discuss the following lesson:

Hi Rene,

Do we need to nat from inside to dmz ?




Hi Sims,

Below is part of the config and yes, it does require that the LAN is NATed to the DMZ_POOL.
You could also use no nat-control, which exempts you from having to do NAT across the ASA's interfaces.

object network INSIDE_TO_DMZ
nat (INSIDE,DMZ) dynamic DMZ_POOL

Hi Sims & Paul,

NAT control was used on ASA versions before 8.3. Basically it meant that when you wanted to go from a high security level to a lower one (for example LAN to DMZ), it had to be NAT translated.

With ASA 8.3 and higher, NAT control is disabled and unavailable. You don’t have to configure NAT if you want to access the DMZ from your LAN.


Good to Know thanks Rene

There is no need to configure an access-list ?

No access-list is required since we go from a high security level to a lower security level:


Only when you go from a low security level to a higher one, you’ll need an access-list:



Hi. I have a question. In the case of newer ASA versions, ifname does not work per interface. In order to name an interface, I have to create a VLAN and assign it to the interface. Also, NAT was deprecated in newer versions of ASA 9.1. Can you please give some lesson on it?

Thank you.

Hi Andriy,

Which model are you using?

ASA# show version 

Cisco Adaptive Security Appliance Software Version 9.5(1)201
ASA# show run interface GigabitEthernet 0/0
interface GigabitEthernet0/0
 description to R1
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 

It’s still the same here. Same for the NAT commands.


Hi Rene

As far as I know, by default, the ASA will block all traffic from a lower into a higher security area.
In this example, I can't ping from R1 to and but I can telnet to them.
Why is it?

If we don't create an access-list something like below:

access-list inside-in extended permit ip any any
access-list outside-in extended permit ip any any
access-list dmz-in extended permit ip any any

access-group inside-in in interface INSIDE
access-group outside-in in interface OUTSIDE
access-group dmz-in in interface DMZ

I can't ping to them!

Thank you!

Hi Rene,

How long does a NAT router keep track of the translation database if the session is turned off from the host end? Suppose inside IP has been translated to IP

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from INSIDE: to OUTSIDE: flags i idle 0:00:33 timeout 3:00:00


Hi Mohammad,

The timeout in your output is 3 hours. This timer will begin when the last connection has been removed. You can see the current connections with the show conn command. It can take a long time before idle TCP connections get cleaned up, so it's possible to configure the ASA to kill these after a while.



That’s right, the ASA will block traffic from a lower to a higher security level.

It also blocks ICMP traffic by default. If you want to permit it, you'll need to add an inspect rule:

ASA(config)# policy-map global_policy
ASA(config-pmap)#  class inspection_default
ASA(config-pmap-c)# inspect icmp


Hi Rene

I have a situation quite like your example.
In your example, the DMZ zone was assigned public IPs. We can access from R1 to R3 (via NAT INSIDE_TO_DMZ) and R2 (via INSIDE_TO_OUTSIDE).
If the DMZ zone is assigned private IP addresses and the DMZ needs to be reachable from the public side (it needs a public IP range from the outside interface), we use static NAT or port forwarding to point to the real server by its private IP, plus some access-lists on ASA1, and then OUTSIDE can access the DMZ.
But how can INSIDE access the DMZ via the public IP?


Hi Dinh,

If you want to access your DMZ server from the inside with its public IP address, then you’ll have to configure NAT. This is something I wouldn’t recommend, though…you can use the private IP address to reach the DMZ server from the inside.

To give you an idea, here’s an example where I configure hairpinning for a server on the inside:


ASA1(config)# object network DMZ_POOL
ASA1(config-network-object)# range

==== is this supposed to be 200? Please correct me if I am wrong,

as the translated address is

Hi Asi,

That’s right, I just fixed this. Thanks for letting me know!


Hi Rene,

Bit confused from the show xlate command output.

Dynamic NAT
ASA1# show xlate
NAT from INSIDE: to OUTSIDE: flags i idle 0:00:33 timeout 3:00:0

With the above configuration, I can understand that the traffic is initiated on the INSIDE interface, that's why it's showing in the show xlate output:


And now looking at port-forwarding:


show  xlate 
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from DMZ: 80-80 to OUTSIDE: 80-80
    flags sr idle 0:02:20 timeout 0:00:00

TCP PAT from DMZ: 22-22 to OUTSIDE: 10022-10022

The connection is initiated from the outside, trying to access the internal service on a server, but the xlate still shows:

TCP PAT from DMZ: 80-80 to OUTSIDE: 80-80

Is this hard coded? Whether or not the connection is initiated from the outside, will it always show the same for port forwarding?
Please explain the inverse variation in the values between these two.

Hi Asi,

I understand that this might be confusing. It's best to let the idea of "traffic is initiated" go. The way you should read this is that all traffic from source IP using source TCP 80 has to be translated to source IP with source TCP 80.

It doesn’t matter if the traffic was originated from outside > inside or inside > outside. If it matches this IP/port then we translate, that’s it.
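To make the reading above concrete, here is a small parser for the show xlate lines quoted in this thread, as an added example that is not from the lesson or from any post. The addresses are constructed RFC 5737 values standing in for the ones stripped from the thread; the lookup shows that a static PAT slot is matched on its real side for outbound packets and on its mapped side for inbound ones, so the same slot serves both directions regardless of who initiated.

```python
import re

# Constructed "show xlate" output (RFC 5737 addresses are assumptions, not the
# thread's real addresses). One dynamic slot (flags i) and two static PAT slots
# (flags sr, timeout 0:00:00 = never expires).
SAMPLE_XLATE = """\
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from INSIDE:192.0.2.10 to OUTSIDE:203.0.113.100 flags i idle 0:00:33 timeout 3:00:00
TCP PAT from DMZ:198.51.100.80/80-80 to OUTSIDE:203.0.113.1/80-80
    flags sr idle 0:02:20 timeout 0:00:00
TCP PAT from DMZ:198.51.100.80/22-22 to OUTSIDE:203.0.113.1/10022-10022
    flags sr idle 0:05:01 timeout 0:00:00
"""

ENTRY_RE = re.compile(
    r"(?P<proto>TCP|UDP|ICMP)?\s*(?P<kind>NAT|PAT) from "
    r"(?P<real_if>\w+):(?P<real_ip>[\d.]+)(?:/(?P<real_port>\d+)-\d+)? to "
    r"(?P<map_if>\w+):(?P<map_ip>[\d.]+)(?:/(?P<map_port>\d+)-\d+)?"
    r"\s+flags (?P<flags>\w+) idle \S+ timeout (?P<timeout>\S+)"
)

def parse_xlate(text):
    """Re-join the wrapped PAT lines and return one dict per translation slot."""
    joined = re.sub(r"\n\s+flags", " flags", text)
    entries = []
    for m in ENTRY_RE.finditer(joined):
        e = m.groupdict()
        e["real_port"] = int(e["real_port"]) if e["real_port"] else None
        e["map_port"] = int(e["map_port"]) if e["map_port"] else None
        e["static"] = "s" in e["flags"]   # static slots are bidirectional
        entries.append(e)
    return entries

def translate(entries, direction, ip, port=None):
    """Apply a slot the way the ASA reads it: an outbound packet is matched on
    its real-side source, an inbound packet on its mapped-side destination.
    Returns the rewritten (ip, port) or None when no slot matches."""
    for e in entries:
        if direction == "out" and (ip, port) == (e["real_ip"], e["real_port"]):
            return e["map_ip"], e["map_port"]
        if direction == "in" and (ip, port) == (e["map_ip"], e["map_port"]):
            return e["real_ip"], e["real_port"]
    return None
```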


Accidentally, I have to implement a DMZ configuration on an outdated and unmaintained ASA 5510 firewall (ASA version 8.0(3)6, ASDM version 6.0). After diving into the manual and some forum posts, I've learned that there was a major CLI syntax change with the 8.3 firmware.

Unfortunately, I have to implement the following config on this old CLI version, where I have three interfaces:

outside (example…)

The DMZ has one host, a web server at

I have three objectives to implement:
- to allow all outside IP addresses to access the web server at
- to translate all traffic from the outside interface to the web server at (at least port 80 and 443)
- to allow all inside IP addresses from the network to access the web server at

Could you support me with the appropriate 8.0 CLI syntax?

Any help would be very much appreciated…