Cisco ASA Static NAT Configuration

Hello Naila

Let’s look again at the example that Rene was referring to:

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

This statement will cause a translation from host 192.168.1.1 which is on the DMZ to be translated to a static external IP address of 192.168.2.200. This translation functions both ways, meaning that when 192.168.1.1 communicates with devices on the outside, the source address of this communication will be translated to 192.168.2.200, and when any outside devices communicate with 192.168.2.200, this destination address will be translated to 192.168.1.1.

This does not mean that we can switch the DMZ and OUTSIDE keywords in the NAT command and get the same result. The results will indeed be different.

For example, if the following were configured:

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (OUTSIDE,DMZ) static 192.168.2.200

This statement will cause a translation from host 192.168.1.1 which is on the OUTSIDE to be translated to a static IP address of 192.168.2.200 on the DMZ. This means that when 192.168.1.1 communicates with devices on the DMZ, the source address of this communication will be translated to 192.168.2.200, and when any DMZ devices communicate with 192.168.2.200, this destination address will be translated to 192.168.1.1.

I hope this has been helpful!

Laz

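Added example, not part of the reply above and not Cisco code: a simplified Python model of the two object NAT statements, showing which packets each one rewrites. The class and function names and the peer address 198.51.100.10 are assumptions made for illustration; routing, ACLs and NAT rule ordering are not modelled.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class StaticNat:
    """Models: host <real_ip> / nat (real_if,mapped_if) static <mapped_ip>."""
    real_if: str
    mapped_if: str
    real_ip: str
    mapped_ip: str

@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrives on
    egress: str   # interface the packet leaves on
    src: str
    dst: str

def translate(rule: StaticNat, pkt: Packet) -> Packet:
    """Apply one static NAT rule; return the packet unchanged if it does not match."""
    path = (pkt.ingress, pkt.egress)
    # Real -> mapped: the real host is the source, so the source is rewritten.
    if path == (rule.real_if, rule.mapped_if) and pkt.src == rule.real_ip:
        return replace(pkt, src=rule.mapped_ip)
    # Mapped -> real: the mapped address is the destination, so it is rewritten back.
    if path == (rule.mapped_if, rule.real_if) and pkt.dst == rule.mapped_ip:
        return replace(pkt, dst=rule.real_ip)
    return pkt

# The two statements from the post; only the interface order differs.
DMZ_OUTSIDE = StaticNat("DMZ", "OUTSIDE", "192.168.1.1", "192.168.2.200")
OUTSIDE_DMZ = StaticNat("OUTSIDE", "DMZ", "192.168.1.1", "192.168.2.200")
PEER = "198.51.100.10"  # constructed address of some other device

# Constructed sample packets covering both directions across the firewall.
SAMPLES = [
    Packet("DMZ", "OUTSIDE", "192.168.1.1", PEER),    # real host on DMZ sends out
    Packet("OUTSIDE", "DMZ", PEER, "192.168.2.200"),  # outside device targets .2.200
    Packet("OUTSIDE", "DMZ", "192.168.1.1", PEER),    # real host on OUTSIDE sends in
    Packet("DMZ", "OUTSIDE", PEER, "192.168.2.200"),  # DMZ device targets .2.200
]

def compare():
    """Return (rule name, packet before, packet after) for every rule/sample pair."""
    rules = (("DMZ,OUTSIDE", DMZ_OUTSIDE), ("OUTSIDE,DMZ", OUTSIDE_DMZ))
    return [(n, p, translate(r, p)) for n, r in rules for p in SAMPLES]

if __name__ == "__main__":
    for name, before, after in compare():
        state = "rewritten" if after != before else "unchanged"
        print(f"nat ({name}): {before.src}->{before.dst} on {before.ingress} "
              f"=> {after.src}->{after.dst} [{state}]")
```

In this model, a packet arriving on OUTSIDE for 192.168.2.200 is rewritten to 192.168.1.1 only under `nat (DMZ,OUTSIDE)`; under `nat (OUTSIDE,DMZ)` it passes through unchanged.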