2 Replies Latest reply: Mar 14, 2012 5:50 AM by euchime

    NAT with Virtual IP address




      I have a nagging question about NAT. I thought I nailed it down a long time ago, but as you know, knowledge goes stale if not used frequently.


      I am running ASA5510 OS 8.2.2. There are Two Web Servers in DMZ with Virtual IP address I want to NAT so users in network will be NATted to to access the network. For instance, will be translated to


      The ASA has four interfaces configured (inside, outside, dmz and dept)


      interface GigabitEthernet0/0
       speed 1000
       duplex full
       nameif outside
       security-level 0
       ip address standby

      interface GigabitEthernet0/1
       speed 1000
       duplex full
       nameif inside
       security-level 100
       ip address standby

      interface GigabitEthernet0/2
       speed 1000
       duplex full
       nameif dept
       security-level 10
       ip address standby

      interface GigabitEthernet1/1
       speed 1000
       duplex full
       nameif dmz
       security-level 50
       ip address standby

      global (inside) 1 interface
      global (dept) 1 interface
      nat (inside) 0 access_nonat1
      nat (dept) 0 access_nonat2
      nat (dmz) 0 access_nonat3

      access-list dept_access extended permit tcp eq 80
      static (dept,dmz) netmask

      access-group in dept_access in interface dept
      access-group in dmz_access in interface dmz
      access-group in outside_access in interface outside


      This does not work. Then, when I added the following to NAT traffic from dmz back to dept, I get an asymmetric NAT error, reverse path failure:

      static (dmz,dept) netmask


      What am I doing wrong?