Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Hi Asi,

    The first statement tells the ASA that a device with IP address on the DMZ has to be translated to which is on the outside. On the interfaces we configured to which security-zone it belongs (INSIDE, DMZ or OUTSIDE).

    The direction doesn’t matter…from the outside you can connect to and it will be translated to When initiates traffic that goes from DMZ > outside then it also gets translated to The only thing the ASA cares about is what to translate.

    The same thing applies to the second statement except that the first time when traffic goes from DMZ to OUTSIDE, an IP address from the pool is selected. When the translation is in place, you can also connect from the outside to the pool address if you want…the ASA only cares about what to translate.


  2. Hi Asi,

    As a rule of thumb, you can use (INSIDE,OUTSIDE) or (DMZ,OUTSIDE) when you want to translate the entire subnet of your INSIDE or DMZ to a public IP address.

    (OUTSIDE,INSIDE) or (OUTSIDE,DMZ) can be used for port forwarding.


  3. Hmm that is a good question. I just labbed it up again to make sure it wasn’t a copy/paste mistake or anything. It still shows up as /23. No idea why the ASA shows it like this…perhaps a cosmetic bug.

  4. Thanks Rene. I have sorted out the issue when capturing the packet. Many thanks.
