Global NAT question

Unanswered Question
Jun 25th, 2007

With the below config, since there is no "nat" for DMZ3, what will that interface see as the source address for traffic getting to servers from the outside interface?

global (outside) 1 interface

global (DMZ2) 1 interface

global (DMZ3) 1 interface

global (DMZ4) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0 0

nat (DMZ1) 1 0 0

nat (DMZ2) 1 0 0

nat (DMZ4) 0 access-list nonat2

ip address outside

ip address inside

ip address DMZ1

ip address DMZ2

ip address DMZ3

ip address DMZ4

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
acomiskey Mon, 06/25/2007 - 10:55

Wilson, I don't see a nat 0 for DMZ3? Nevermind, I misunderstood your question. There needs to be some translation for the traffic to go from DMZ3 to outside.

vitripat Mon, 06/25/2007 - 12:16

Hi Wilson,

Assuming that you have statics in place for servers on DMZ3 as --

static (DMZ3,outside) X Y

and outside host a.a.a.a is trying to access X, when packet reaches Y (given that ACL on outside interface is permitting access), Y will see the packet coming from a.a.a.a.

This is because there is no "outside" nat configured which would nat packets coming from outside interface.

Hope this helps.



wilson_1234_2 Mon, 06/25/2007 - 12:40

Thanks for the input,

So, is the "1" in:

global (DMZ3) 1 interface

doing anything since there is no "nat" statement?

acomiskey Mon, 06/25/2007 - 13:23

More than that, the whole statement isn't doing anything because of no nat, not just the 1.

Dhananjeyan Kan... Thu, 10/04/2012 - 07:59

I'd think the global (DMZ3) 1 would be matched when packets entering any interface with a nat (interface) 1 command had to egress the DMZ3 interface to reach their destination.


This Discussion