06-25-2007 10:40 AM - edited 03-11-2019 03:34 AM
With the below config, since there is no "nat" for DMZ3, what will that interface see as the source address for traffic getting to servers from the outside interface?
global (outside) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
global (DMZ4) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ2) 1 192.168.2.0 255.255.255.0 0 0
nat (DMZ4) 0 access-list nonat2
ip address outside 6.2.1.130 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ1 192.168.1.1 255.255.255.0
ip address DMZ2 192.168.2.1 255.255.255.0
ip address DMZ3 192.168.3.1 255.255.255.0
ip address DMZ4 192.168.4.1 255.255.255.0
06-25-2007 10:55 AM
Wilson, I don't see a nat 0 for DMZ3? Never mind, I misunderstood your question. There needs to be some translation for the traffic to go from DMZ3 to outside.
06-25-2007 12:16 PM
Hi Wilson,
Assuming that you have statics in place for servers on DMZ3 as --
static (DMZ3,outside) X Y
and outside host a.a.a.a is trying to access X, when the packet reaches Y (given that the ACL on the outside interface is permitting access), Y will see the packet coming from a.a.a.a.
This is because there is no "outside" nat configured which would nat packets coming from the outside interface.
Hope this helps.
Regards,
Vibhor.
06-25-2007 12:40 PM
Thanks for the input,
So, is the "1" in:
global (DMZ3) 1 interface
doing anything since there is no "nat" statement?
06-25-2007 01:23 PM
More than that, the whole statement isn't doing anything because of no nat, not just the 1.
10-04-2012 07:59 AM
I'd think the global (DMZ3) 1 would be matched when packets entering any interface with a nat (interface) 1 command had to egress the DMZ3 interface to reach their destination.
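Added example (not part of the thread and not Cisco code): a small Python model of how a PIX pairs `nat` and `global` statements by NAT ID, run over the configuration from the question. It assumes the ingress interface has the higher security level, does not model the two `nat 0 access-list` exemptions (their ACL contents are not shown in the thread), and uses constructed host addresses; the function names are hypothetical.

```python
import ipaddress

# Configuration lines copied from the question at the top of the thread.
CONFIG = """\
global (outside) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
global (DMZ4) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ2) 1 192.168.2.0 255.255.255.0 0 0
nat (DMZ4) 0 access-list nonat2
ip address outside 6.2.1.130 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ1 192.168.1.1 255.255.255.0
ip address DMZ2 192.168.2.1 255.255.255.0
ip address DMZ3 192.168.3.1 255.255.255.0
ip address DMZ4 192.168.4.1 255.255.255.0
"""

def parse(config):
    """Collect nat rules, global NAT IDs per interface, and interface IPs."""
    nats, globals_, addrs = [], {}, {}
    for line in config.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "global":
            globals_.setdefault(f[1].strip("()"), set()).add(int(f[2]))
        elif f[0] == "nat" and f[3] != "access-list":  # nat 0 ACLs not modeled
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}")
            nats.append((f[1].strip("()"), int(f[2]), net))
        elif f[:2] == ["ip", "address"]:
            addrs[f[2]] = f[3]
    return nats, globals_, addrs

def pat_source(ingress, src, egress, config=CONFIG):
    """Return the PAT address a host behind `egress` would see, or None when
    no nat/global pair with the same NAT ID matches (source not translated
    by dynamic NAT)."""
    nats, globals_, addrs = parse(config)
    ip = ipaddress.ip_address(src)
    for ifc, nat_id, net in nats:
        if ifc == ingress and ip in net and nat_id in globals_.get(egress, ()):
            return addrs[egress]  # "global (...) N interface" = PAT to interface IP
    return None
```

A `None` result only means no dynamic translation was selected; whether the packet is forwarded at all still depends on statics, ACLs and security levels, which this model does not cover.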