Global NAT question

Jun 25th, 2007
With the below config, since there is no "nat" for DMZ3, what will that interface see as the source address for traffic getting to servers from the outside interface?

global (outside) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
global (DMZ4) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ2) 1 192.168.2.0 255.255.255.0 0 0
nat (DMZ4) 0 access-list nonat2

ip address outside 6.2.1.130 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ1 192.168.1.1 255.255.255.0
ip address DMZ2 192.168.2.1 255.255.255.0
ip address DMZ3 192.168.3.1 255.255.255.0
ip address DMZ4 192.168.4.1 255.255.255.0

acomiskey Mon, 06/25/2007 - 10:55

Wilson, I don't see a nat 0 for DMZ3? Nevermind, I misunderstood your question. There needs to be some translation for the traffic to go from DMZ3 to outside.

vitripat Mon, 06/25/2007 - 12:16

Hi Wilson,

Assuming that you have statics in place for servers on DMZ3 as --

static (DMZ3,outside) X Y

and outside host a.a.a.a is trying to access X, when the packet reaches Y (given that the ACL on the outside interface is permitting access), Y will see the packet coming from a.a.a.a.

This is because there is no "outside" nat configured which would nat packets coming from the outside interface.

Hope this helps.

Regards,

Vibhor.

wilson_1234_2 Mon, 06/25/2007 - 12:40

Thanks for the input,

So, is the "1" in:

global (DMZ3) 1 interface

doing anything since there is no "nat" statement?

acomiskey Mon, 06/25/2007 - 13:23

More than that, the whole statement isn't doing anything because there is no nat, not just the 1.

Dhananjeyan Kan... Thu, 10/04/2012 - 07:59

I'd think the global (DMZ3) 1 would be matched when packets entering any interface with a nat (interface) 1 command had to egress the DMZ3 interface to reach their destination.
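To make the nat/global pairing discussed in the replies above concrete (vitripat's point that outside-to-DMZ3 traffic keeps its source address, and the last reply's point that global (DMZ3) 1 is only consulted for traffic entering an interface that has nat (ifc) 1), here is a small model of the pre-8.3 PIX/ASA lookup order, written for this thread and not taken from any Cisco code. It assumes one hypothetical static for a DMZ3 server (6.2.1.140 -> 192.168.3.10), omits the nat 0 access-list lines (their ACLs are not shown), and does not model nat-control.

```python
import ipaddress

# Constructed sample input: a subset of the thread's config, plus one
# hypothetical static for a DMZ3 server as vitripat's reply assumes.
CONFIG = """
global (outside) 1 interface
global (DMZ3) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ2) 1 192.168.2.0 255.255.255.0 0 0
static (DMZ3,outside) 6.2.1.140 192.168.3.10
ip address outside 6.2.1.130 255.255.255.224
ip address DMZ3 192.168.3.1 255.255.255.0
"""

def parse(config):
    """Return (nat entries by ingress ifc, global pools by id, statics, ifc addresses)."""
    nats, pools, statics, addrs = {}, {}, [], {}
    for line in config.strip().splitlines():
        p = line.split()
        if p[0] == "global":                 # global (egress_ifc) id pool
            pools.setdefault(int(p[2]), {})[p[1].strip("()")] = p[3]
        elif p[0] == "nat":                  # nat (ingress_ifc) id real_net mask
            net = ipaddress.ip_network(f"{p[3]}/{p[4]}")
            nats.setdefault(p[1].strip("()"), []).append((int(p[2]), net))
        elif p[0] == "static":               # static (real_ifc,mapped_ifc) mapped real
            real_ifc, mapped_ifc = p[1].strip("()").split(",")
            statics.append((real_ifc, mapped_ifc, p[2], p[3]))
        elif p[:2] == ["ip", "address"]:     # ip address ifc addr mask
            addrs[p[2]] = p[3]
    return nats, pools, statics, addrs

def source_seen(cfg, ingress, egress, src):
    """Source address the egress interface sees for a packet entering `ingress` from `src`."""
    nats, pools, statics, addrs = cfg
    # 1. static (ingress,egress): the real host is presented as its mapped address.
    for real_ifc, mapped_ifc, mapped, real in statics:
        if (real_ifc, mapped_ifc, real) == (ingress, egress, src):
            return mapped
    # 2. nat (ingress) id matching src pairs with global (egress) of the same id;
    #    the keyword 'interface' means PAT to the egress interface's own address.
    for nat_id, net in nats.get(ingress, []):
        pool = pools.get(nat_id, {}).get(egress)
        if ipaddress.ip_address(src) in net and pool is not None:
            return addrs[egress] if pool == "interface" else pool
    # 3. No nat on the ingress interface (DMZ3, or outside with no outside NAT): the
    #    egress global is never consulted and the source is unchanged; whether the
    #    firewall forwards such a packet at all depends on nat-control (not modelled).
    return src
```

Running source_seen(parse(CONFIG), "outside", "DMZ3", "198.51.100.7") returns the outside host's own address, while an inside host reaching DMZ3 is seen as 192.168.3.1, which is the only situation in which global (DMZ3) 1 interface does any work.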
