Doubt about nat0

Unanswered Question
Jul 15th, 2008


I have a doubt about nat0. The following is my NAT controller list:


global (outside) 10 interface
global (dmz-MHR) 10 interface
global (dmz-vendor) 10 interface
global (dmz-vendor) 5 MHR-redhat-PUB
nat (inside) 0 access-list inside_nat0_acl
nat (inside) 5 access-list redhat_nat
nat (inside) 10
nat (dmz-MHR) 0 access-list NoNatAll
nat (dmz-remote) 0 access-list NoNatAll
nat (dmz-vpn-internal) 0 access-list dmz-vpn-internal_nat0_outbound
nat (vendor2-Network) 0 access-list NoNatAll

nat0 is working well for the defined list. But I have a doubt whether I need to create nat0 on the outside interface so that specific traffic coming from outside to inside, or from inside to outside, will be NATted.

Please clarify this basic doubt.



dhananjoy chowdhury Tue, 07/15/2008 - 22:30


It depends on your setup. If the outside interface has a public IP, then nat0 is not required for traffic from inside to outside.

Because the inside IP subnet is not routable on the outside, NAT is required.

Now, if we have a scenario wherein the inside IP subnet is routable in the outside zone, then you can go for nat0.

sivakumar.ks Wed, 07/16/2008 - 01:40

Yes, I understand that. But, for example, my inside interface network subnet is and there is a secondary data which has a firewall, and all VPNs are terminated on that firewall. My inside network is communicating via the outside interface to that firewall, so on that firewall I am receiving only the outside interface IP address, i.e. the public IP address. But I want to see the individual inside IP addresses in that log.

How can I achieve that?

I did a trial run of NAT as shown below and it was working. The following is the trial run:

static (inside,outside) netmask

But I currently have a one-to-one NAT communicating from inside to outside, for example:

static (inside,outside) netmask

I want to achieve the following NAT, and I have a doubt whether it will affect the existing one-to-one NAT (static (inside,outside) netmask), or whether I need to create nat0 on the outside interface to achieve this.

The NAT which I want to achieve is , which will allow inside traffic to pass as it is to the outside (without NAT).

static (inside,outside) netmask

Please help me.


dhananjoy chowdhury Wed, 07/16/2008 - 02:44


The best way to do this is to configure an access-list.

Suppose is the inside network and there is a network; then create the access-list first and then do nat0.

This is somewhat the same as what you already have in your config.

access-list nonat_allow_acl permit ip

Then do nat0:

nat (inside) 0 access-list nonat_allow_acl

The only difference is that it won't NAT the particular traffic mentioned in the ACL.

But if you give the static statement as below, it will do no-NAT for all traffic from inside to outside:

static (inside,outside) netmask

Hope this helps
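Added example, not part of the original thread: a small Python model of how a pre-8.3 PIX/ASA chooses among the rule types that appear in the poster's list (nat 0 access-list, static, policy nat with an ACL, regular nat with a global). It encodes Cisco's documented order of operations for pre-8.3 NAT (NAT exemption, then static, then policy dynamic NAT, then regular dynamic NAT by best match), so you can see that a nat 0 ACL overrides an existing one-to-one static only for the source/destination pairs the ACL names, and every other flow keeps its current translation. The interface names inside, outside and dmz-vendor and the ACL names inside_nat0_acl and redhat_nat come from the thread; every IP address, the 203.0.113.10 static and the 172.16.20.250 global are constructed for the example, and only the IP layer is modelled (ports are ignored).

```python
"""Pre-8.3 PIX/ASA NAT rule selection, modelled in Python.

Added example, not code from the original thread. Parses the rule forms
seen in the poster's list plus the ACLs they reference and applies the
pre-8.3 order of operations for a connection initiated on the real side:
  1. NAT exemption    nat (if) 0 access-list NAME   first match
  2. Static NAT       static (real,mapped) ...       first match
  3. Policy dyn. NAT  nat (if) N access-list NAME   first match
  4. Regular dyn. NAT nat (if) N REAL MASK          best (longest prefix) match
All addresses below are constructed; only the IP layer is modelled.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_ACL_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


class NatTable:
    def __init__(self, config):
        self.acls = {}     # name -> [(src_net, dst_net)] in configured order
        self.exempt = []   # (real_if, acl_name)
        self.statics = []  # (real_if, mapped_if, mapped_net, real_net)
        self.policy = []   # (real_if, nat_id, acl_name)
        self.dynamic = []  # (real_if, nat_id, real_net)
        self.globals = {}  # (mapped_if, nat_id) -> "interface" or an address
        for line in (raw.strip() for raw in config.splitlines()):
            if m := ACL_RE.match(line):
                name, s, sm, d, dm = m.groups()
                self.acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
            elif m := NAT_ACL_RE.match(line):  # must be tried before NAT_RE
                real_if, nat_id, acl = m.groups()
                if nat_id == "0":
                    self.exempt.append((real_if, acl))
                else:
                    self.policy.append((real_if, int(nat_id), acl))
            elif m := NAT_RE.match(line):
                real_if, nat_id, addr, mask = m.groups()
                self.dynamic.append((real_if, int(nat_id), _net(addr, mask)))
            elif m := STATIC_RE.match(line):
                real_if, mapped_if, mapped, real, mask = m.groups()
                self.statics.append((real_if, mapped_if, _net(mapped, mask), _net(real, mask)))
            elif m := GLOBAL_RE.match(line):
                mapped_if, nat_id, target = m.groups()
                self.globals[(mapped_if, int(nat_id))] = target

    def _acl_match(self, name, src, dst):
        return any(src in s and dst in d for s, d in self.acls.get(name, []))

    def _global(self, mapped_if, nat_id, if_addrs):
        target = self.globals.get((mapped_if, nat_id))
        if target is None:
            return None  # no global for this ID on the egress interface
        return if_addrs[mapped_if] if target == "interface" else target

    def translate(self, real_if, mapped_if, src, dst, if_addrs):
        """Return (rule_kind, mapped_source) for src -> dst leaving via mapped_if."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. NAT exemption: source AND destination must match the ACL, so it
        #    overrides the rules below only for the destinations it names.
        for rif, acl in self.exempt:
            if rif == real_if and self._acl_match(acl, src, dst):
                return "exempt", str(src)
        # 2. Static NAT: one-to-one, the mapped address keeps the host offset.
        for rif, mif, mapped_net, real_net in self.statics:
            if (rif, mif) == (real_if, mapped_if) and src in real_net:
                offset = int(src) - int(real_net.network_address)
                return "static", str(mapped_net.network_address + offset)
        # 3. Policy dynamic NAT: ACL-based, first match.
        for rif, nat_id, acl in self.policy:
            if rif == real_if and self._acl_match(acl, src, dst):
                return "policy", self._global(mapped_if, nat_id, if_addrs)
        # 4. Regular dynamic NAT: best match wins, not configuration order.
        best = max((r for r in self.dynamic if r[0] == real_if and src in r[2]),
                   key=lambda r: r[2].prefixlen, default=None)
        if best is None:
            return "no-match", None  # dropped when nat-control is enabled
        if best[1] == 0:  # nat (if) 0 REAL MASK is identity NAT, not exemption
            return "identity", str(src)
        return "dynamic", self._global(mapped_if, best[1], if_addrs)


# Constructed configuration using the same rule shapes as the poster's list.
CONFIG = """
access-list inside_nat0_acl extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list redhat_nat extended permit ip 10.1.1.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_acl
nat (inside) 5 access-list redhat_nat
nat (inside) 10 0.0.0.0 0.0.0.0
global (outside) 10 interface
global (dmz-vendor) 10 interface
global (dmz-vendor) 5 172.16.20.250
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
"""
IF_ADDRS = {"outside": "203.0.113.1", "dmz-vendor": "172.16.20.1"}  # constructed


def demo():
    """What each inside host looks like on the far side, per flow."""
    nat = NatTable(CONFIG)
    flows = {
        "host_to_vpn_peer":   ("inside", "outside", "10.1.1.20", "192.168.50.9"),
        "static_host_to_vpn": ("inside", "outside", "10.1.1.10", "192.168.50.9"),
        "static_host_to_net": ("inside", "outside", "10.1.1.10", "198.51.100.5"),
        "host_to_net":        ("inside", "outside", "10.1.1.20", "198.51.100.5"),
        "host_to_vendor":     ("inside", "dmz-vendor", "10.1.1.20", "172.16.20.5"),
    }
    return {name: nat.translate(*flow, IF_ADDRS) for name, flow in flows.items()}
```

Call demo() to get a dict of (rule kind, mapped source) per flow: the two flows towards 192.168.50.0/24 come out untranslated because the exemption ACL is consulted first, the static host still appears as 203.0.113.10 to everything else, and ordinary hosts PAT to the outside interface address. Adding a planned rule to CONFIG and re-running is a cheap way to check what an existing static will do before the change goes live.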

