Translation between DMZ and Inside

Unanswered Question
Mar 20th, 2009

All,

If I have inside traffic going into the DMZ, would my static nat look like:

static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

We have several subnets of 10.100.0.0, 10.200.0.0, etc.

Thanks,

John

JamesLuther Fri, 03/20/2009 - 12:32

Hi John,

Your NAT statement will do identity NAT, i.e. it will not NAT at all, but it will still keep an entry in the NAT table.

You are probably better off doing NAT exemption by doing

access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

nat (inside) 0 access-list no_nat

Or switch off NAT control globally with

no nat-control

Regards

Jon Marshall Fri, 03/20/2009 - 12:35

James

access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

I think this may be a typo? Assuming 10.0.0.0/24 is on the inside and 10.100.0.0/24 is on the dmz:

access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0

Jon

Jon Marshall Fri, 03/20/2009 - 12:45

John

Do you mean static NAT or NAT exemption? To be honest I have always used statics, but as James has pointed out there is little point if you don't actually want to NAT.

NAT exemption ACLs are bi-directional anyway, so there is no reason not to use them.

Jon
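Added example (not part of the thread, and not Cisco's code): a small Python model of the two approaches discussed above, built from the exact lines the posters quoted. It assumes the "permit ip net mask net mask" ACE form and the "static (real,mapped) MAPPED REAL netmask MASK" form shown in the posts, and uses two constructed sample hosts, 10.0.0.10 on the inside and 10.100.0.20 on dmz1.

```python
import ipaddress

# Lines quoted from the thread above.
JAMES_ACE = "access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0"
JON_ACE = "access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0"
JOHN_STATIC = "static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0"

# Constructed sample hosts, one per interface (not from the thread).
INSIDE_HOST, DMZ_HOST = "10.0.0.10", "10.100.0.20"


def parse_ace(line):
    """Parse 'access-list NAME permit ip SRC MASK DST MASK' into (src_net, dst_net).
    Only the extended network/mask form used in the thread is supported."""
    p = line.split()
    if len(p) != 8 or p[0] != "access-list" or p[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    return ipaddress.ip_network(f"{p[4]}/{p[5]}"), ipaddress.ip_network(f"{p[6]}/{p[7]}")


def nat_exemption(acl_lines):
    """Model 'nat (inside) 0 access-list NAME' and return is_exempt(src, dst).
    NAT exemption is matched in both directions, so dmz-initiated traffic to the
    inside hosts is exempt too, which is Jon's point about the ACLs being bi-directional."""
    aces = [parse_ace(line) for line in acl_lines]

    def is_exempt(src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any((s in sn and d in dn) or (s in dn and d in sn) for sn, dn in aces)

    return is_exempt


def static_translate(static_line, real_ip):
    """Model 'static (real_if,mapped_if) MAPPED REAL netmask MASK' for one real host.
    With MAPPED == REAL (John's line) this is identity NAT: the address is unchanged,
    but the firewall still builds an xlate entry, as James points out."""
    p = static_line.replace("(", " ").replace(")", " ").replace(",", " ").split()
    if len(p) != 7 or p[0] != "static" or p[5] != "netmask":
        raise ValueError(f"unsupported static: {static_line!r}")
    mapped = ipaddress.ip_network(f"{p[3]}/{p[6]}", strict=False)
    real = ipaddress.ip_network(f"{p[4]}/{p[6]}", strict=False)
    if ipaddress.ip_address(real_ip) not in real:
        return None  # host not covered by this static
    offset = int(ipaddress.ip_address(real_ip)) - int(real.network_address)
    return str(mapped.network_address + offset)


if __name__ == "__main__":
    typo, fixed = nat_exemption([JAMES_ACE]), nat_exemption([JON_ACE])
    print("typo ACE exempts inside->dmz:", typo(INSIDE_HOST, DMZ_HOST))    # False
    print("fixed ACE exempts inside->dmz:", fixed(INSIDE_HOST, DMZ_HOST))  # True
    print("fixed ACE exempts dmz->inside:", fixed(DMZ_HOST, INSIDE_HOST))  # True
    print("identity static presents", INSIDE_HOST, "as", static_translate(JOHN_STATIC, INSIDE_HOST))
```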

John Blakley Fri, 03/20/2009 - 12:48

I'm not going to need nat. I'm setting up a new firewall from scratch because I'm converting from a Symantec Gateway. I want to make sure that I can get traffic from my internal to the DMZ and DMZ back without translation. I thought statics would be the best way to do it, and so far mine looks like the one that I posted. I don't have it actually connected into the network yet; that won't be for a few weeks.

Thanks,

John

Jon Marshall Fri, 03/20/2009 - 12:56

John

If you don't need NAT at all on your firewall you could turn off NAT as suggested by James.

As I say, I have always used statics, so I can't disagree with what you have proposed. Just to be sure we are saying the same thing:

static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

means the 10.0.0.0/24 hosts are on the inside and they will be presented to the dmz as the same.

Jon
