How does NAT on ASA 8.2?

Good day, dear!
Needed help from experienced people in understanding work rules NAT on Cisco ASA software version 8.3 below.

There is a simple standard scheme.
ASA. Her three interfaces:
inside. 192.168.1.0/24. security-level 100
— outside. 100.100.100.2/30. secity-level 0. For simplicity let's take that look directly into provider with ip address 100.100.100.1/30
— DMZ. 172.16.1.0./24. security-level 50.

Default route to outside.

Let's say I want to release all of inside the Internet through a dynamic PAT to the interface. Do:

nat (inside) 1 192.168.1.0 255.255.255.0
global (outiside) 1 interface

As I understand this rule. If the packet with src ip from a grid 192.168.1.0/24 in dst-ip has anything behind it outside to satit in 100.100.100.2.

All Internet packages run. But the packages do not run with these settings from inside to the DMZ. nat corntrol disabled.
Packages start running in that case, if I add nat (inside) 0 with the corresponding ACL type pemit ip 192.168.1.0/24 172.16.1.0/24. Well, I mean, clearly indicate in which case the NAT is not needed.

Obviously created above the NAT rule I know is not true, and it must be understood as — If the packet with src ip from a grid 192.168.1.0/24 runs anywhere to satit it in 100.100.100.2.
It seems to me somewhat illogical, otherwise why specify the global name of the interface (outisde)?

Attention to the question. How all the same correctly to understand the described nat rule? And is it possible to make the circuit working without the "nat 0"rule?

Thanks in advance
October 3rd 19 at 04:29
1 answer
October 3rd 19 at 04:31
Below is a quote from the manual for version 8.2:

NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address.
Source

When NAT control is disabled with the no-nat control command, and a NAT and a global command pair are configured for an interface, the real IP addresses cannot go out on other interfaces unless you define those destinations with the nat 0 access-list command.
Source

Everything works absolutely correctly and the logic rules you understood correctly.
Anyways, nat 0 is needed in my case and without it you can? - bertram11 commented on October 3rd 19 at 04:34
Yes, we need a NAT Exempt, either Static NAT from inside to DMZ. - Elyssa_Klocko commented on October 3rd 19 at 04:37

Find more questions by tags CiscoNetwork administrationComputer networks