Hi Group,

Not to keep answering my own questions, but to test the theory I was wondering about, I removed the Outside interface configs from the ASA so that the DMZ interface now had the lowest security level on the ASA, and at that point it too started requiring NAT.

Not sure if this is just coincidence or if NAT is only required for the Virtual IP when used on the lowest security level interface on the ASA. Anyone have any other info' / experiences regarding this?

Thanks,
Jason

On Fri, Sep 14, 2012 at 10:54 PM, Jason Madsen <[email protected]> wrote:

> Hi Group,
>
> I've found that when using Virtual Telnet that I do not need any NAT
> entries for the Virtual IP when doing this configuration on an Inside
> interface (security level 100) and on a DMZ interface (security level 50),
> but I do need a NAT statement for the Virtual IP when doing this
> configuration on the Outside (Security level 0). I have NAT-Control turned
> off and tested with no NAT configured whatsoever.
>
> At first when I tested on the Inside I assumed it had something to do with
> security levels respective to the interface the ACS server could be reached
> from, but then I tested this config' on my DMZ interface which had a lower
> security level than my ACS-facing interface and it still worked without a
> corresponding NAT statement.
>
> Next I thought maybe the NAT requirement is only for interfaces with a
> security level of 0, so I changed my outside interface to a level of 15.
> Still the lowest on the ASA, but not 0. NAT was still required though.
> Additionally, not only was it required, but it worked regardless if I
> specified Inside or DMZ as the real address interface in the NAT statement
> e.g. static (inside,outside) x.x.x.x x.x.x.x and static (dmz,outside)
> x.x.x.x x.x.x.x.
>
> Any ideas? Is NAT for the Virtual IP just a requirement for the lowest
> security level interface on the ASA? Seems like I'm missing something
> here.
>
> BTW, I had inbound "permit ip any any" on both the outside and dmz
> interfaces.
>
> Thanks,
> Jason
