

1124 Views 2 Replies Latest reply: Mar 14, 2012 5:50 AM by euchime RSS


NAT with Virtual IP address

Mar 13, 2012 12:46 PM

euchime 2 posts since
Feb 7, 2010



I have a nagging question about NAT. I thought I nailed it down a long time ago, but as you know, knowledge goes stale if not used frequently.


I am running ASA5510 OS 8.2.2. There are Two Web Servers in DMZ with Virtual IP address I want to NAT so users in network will be NATted to to access the network. For instance, will be translated to


The ASA has four interfaces configured (inside, outside, dmz and dept)


interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address standby

interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address standby

interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif dept
 security-level 10
 ip address standby

interface GigabitEthernet1/1
 speed 1000
 duplex full
 nameif dmz
 security-level 50
 ip address standby




global (inside) 1 interface
global (dept) 1 interface
nat (inside) 0 access_nonat1
nat (dept) 0 access_nonat2
nat (dmz) 0 access_nonat3

access-list dept_access extended permit tcp eq 80
static (dept,dmz) netmask

access-group in dept_access in interface dept
access-group in dmz_access in interface dmz
access-group in outside_access in interface outside


This does not work. Then, when I added the following to NAT traffic from dmz back to dept, I got an Asymmetric NAT error, reverse path failure:

static (dmz,dept) netmask


What am I doing wrong?



