Newbie, Nat0 access-list bidirectional Question?

Apr 1st, 2007
Hi, if I want traffic to be initiated from the inside and DMZ without translation, I understand I can accomplish this by doing a transparent translation like:

static (inside,dmz) inside address, inside address netmask...

However, if I were to use a nat 0 access-list such as...

nat (inside) 0 access-list noNatInside
access-list noNatInside permit inside address to dmz address

do I also need...

nat (dmz) 0 access-list noNatDMZ
access-list noNatInside permit dmz address to inside address

or is the nat 0 access-list noNatInside bidirectional, in that it will allow the reverse reading of DMZ-to-inside initiated traffic, provided the ACL exists to permit the traffic, of course?

Thanks in advance

hermo

Jon Marshall Sun, 04/01/2007 - 10:27
Hi

Is this a PIX firewall?

You can turn off NAT altogether with v7.0 for the PIX or ASA.

But assuming you don't want to turn off NAT, or you can't because you are running an earlier version of code, if you want traffic to be initiated from the DMZ to the inside you will need the static statement.

If traffic was only ever initiated from inside to the DMZ you would be fine with your "nat (inside) 0 access-list NoNatinside" statement.

HTH

Jon

David White Mon, 04/02/2007 - 19:43
Just a correction to Jon's post.

NAT 0 with an ACL is bidirectional, meaning hosts on a lower security level interface (like your DMZ) will be able to initiate connections to hosts on higher security level interfaces (like your inside). (Assuming the ACL on the dmz interface permits the connections.)

NAT 0 with a network (i.e. nat (inside) 0 10.10.10.0 255.255.255.0) works as Jon described. Hosts on the dmz would not be able to initiate the connection.

Sincerely,

David.
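To put the two forms David contrasts side by side, here is an added PIX-style configuration fragment (not from the thread; the 10.1.1.0/24 inside and 172.16.1.0/24 DMZ addresses, the host addresses and the ACL names are constructed). The point worth seeing is that once the NAT exemption ACL is in place, the only thing stopping a DMZ host from reaching the inside is the access-group applied on the dmz interface, so that ACL has to be written as tightly as the exemption is broad.

```text
! --- Form 1: NAT exemption with an ACL (bidirectional, per David) ---
! Inside hosts reach the DMZ untranslated, AND DMZ hosts may initiate
! connections to the inside untranslated if the dmz interface ACL allows it.
access-list NONAT_INSIDE permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
!
! Because the exemption is bidirectional, this ACL is the real control on
! DMZ-to-inside traffic. Permit only the specific flows the DMZ hosts need.
access-list DMZ_IN permit tcp host 172.16.1.10 host 10.1.1.20 eq 443
access-list DMZ_IN deny ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list DMZ_IN permit ip 172.16.1.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
!
! --- Form 2: NAT exemption with a network (one-way, per David and Jon) ---
! Inside hosts reach the DMZ untranslated, but a DMZ host cannot initiate
! a connection to the inside through this statement. To allow that with
! this form you would add the identity static Jon describes:
nat (inside) 0 10.1.1.0 255.255.255.0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
```

A quick way to confirm which behaviour you have is to watch the translation table (show xlate) while a DMZ host attempts a connection inward: with the ACL form a connection builds with no translation, with the network form alone it is dropped before any xlate is created.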

Jon Marshall Wed, 04/04/2007 - 02:12
David

Many thanks for that. I wasn't aware that the ACL with NAT 0 was bidirectional.

Jon
