Translation between DMZ and Inside

Unanswered Question
Mar 20th, 2009


If I have inside traffic going into the DMZ, would my static nat look like:

static (inside,dmz1) netmask

We have several subnets of,, etc.



JamesLuther Fri, 03/20/2009 - 12:32

Hi John,

Your NAT statement will do identity NAT, i.e. it will not NAT at all, but will still keep an entry in the NAT table.

You are probably better off doing NAT exemption by doing

access-list no_nat permit ip

nat (inside) 0 access-list no_nat

Or switch off NAT control globally with

no nat-control


Jon Marshall Fri, 03/20/2009 - 12:35


access-list no_nat permit ip

Think this may be a typo? Assuming is on inside and is on dmz

access-list no_nat permit ip


Jon Marshall Fri, 03/20/2009 - 12:45


Do you mean static NAT or NAT exemption? To be honest I have always used statics, but as James has pointed out there is little point if you don't actually want to NAT.

NAT exemption ACLs are bi-directional anyway, so there is no reason not to use them.


John Blakley Fri, 03/20/2009 - 12:48

I'm not going to need NAT. I'm setting up a new firewall from scratch because I'm converting from a Symantec Gateway. I want to make sure that I can get traffic from my internal to the DMZ and DMZ back without translation. I thought statics would be the best way to do it, and so far mine looks like the one that I posted. I don't have it actually connected into the network yet; that won't be for a few weeks.



Jon Marshall Fri, 03/20/2009 - 12:56


If you don't need NAT at all on your firewall you could turn off NAT as suggested by James.

As I say, I have always used statics, so I can't disagree with what you have proposed, i.e. just to be sure we are saying the same thing:

static (inside,dmz1)

means the hosts are on the inside and they will be presented to the dmz as the same.
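
The three options discussed in this thread, side by side, as an added example that is not part of any poster's reply. The addresses 10.1.1.0/24 (inside) and 172.16.1.0/24 (dmz1) are constructed placeholders, since the thread's own addresses are not shown.

```cisco
! Constructed addressing (not from the thread):
!   inside network 10.1.1.0/24, dmz1 network 172.16.1.0/24

! Option 1: identity static, the form John posted.
! Syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
! Mapped and real address are the same, so nothing is rewritten,
! but the firewall still holds a translation entry for it.
static (inside,dmz1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Option 2: NAT exemption, as James suggests.
! The ACL names source (inside) then destination (dmz1); matching
! traffic bypasses NAT, whichever side opens the connection.
access-list no_nat permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list no_nat

! Option 3: stop requiring a translation rule at all.
no nat-control

! Checks after sending test traffic between the two networks:
! translation entries currently held, and the NAT rules configured.
show xlate
show running-config nat
show running-config static
```

None of the three options permits traffic by itself: connections initiated from dmz1 toward inside still need an access-list applied to the dmz1 interface. These command forms match the software of the thread's era; ASA 8.3 and later replaced `static`, `nat 0` and `nat-control` with a different NAT syntax.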


