Translation between DMZ and Inside

Unanswered Question
Mar 20th, 2009

All,


If I have inside traffic going into the DMZ, would my static nat look like:


static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0


We have several subnets of 10.100.0.0, 10.200.0.0, etc.


Thanks,

John

JamesLuther Fri, 03/20/2009 - 12:32

Hi John,


Your NAT statement will do identity NAT, i.e. it will not NAT at all, but will still keep an entry in the NAT table.


You are probably better off doing NAT exemption by doing


access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

nat (inside) 0 access-list no_nat


Or switch off NAT control globally with


no nat-control




Regards
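The following is an added configuration example, not posted by anyone in this thread, showing the NAT exemption approach from James' reply together with the interface ACL that a practitioner would still need. It uses the pre-8.3 ASA/PIX NAT syntax the thread is written in (8.3 and later replaced `nat (ifc) 0 access-list` and `static` with object NAT). The interface names, addresses, the choice of 10.100.0.0/24 as the DMZ subnet, and the hosts and port in the DMZ ACL are assumptions for illustration.

```cisco
! Added example (not from the thread). Assumes pre-8.3 ASA syntax,
! an interface named dmz1, inside hosts somewhere in 10.0.0.0/8
! (10.0.0.0/24, 10.200.0.0/24, ...) and a DMZ subnet of 10.100.0.0/24.
! All names and addresses are illustrative assumptions.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz1
 security-level 50
 ip address 10.100.0.1 255.255.255.0
!
! NAT exemption: inside hosts keep their real addresses when talking to
! the DMZ. nat 0 with an access-list is evaluated before static, policy
! and dynamic NAT, and it is matched in both directions, so DMZ-to-inside
! traffic is untranslated as well. Covering all of 10.0.0.0/8 here avoids
! one line per inside subnet.
access-list no_nat extended permit ip 10.0.0.0 255.0.0.0 10.100.0.0 255.255.255.0
nat (inside) 0 access-list no_nat
!
! Exemption only decides translation. Whether the DMZ may open
! connections towards the higher-security inside interface is decided by
! the ACL on dmz1, so "no NAT" must not be read as "no filtering".
! Hypothetical rule: only the DMZ web server may reach the inside database
! host on TCP 1433; any other DMZ-to-inside attempt is denied and logged;
! DMZ-to-outside traffic is left permitted.
access-list dmz1_in extended permit tcp host 10.100.0.10 host 10.0.0.20 eq 1433
access-list dmz1_in extended deny ip any 10.0.0.0 255.0.0.0 log
access-list dmz1_in extended permit ip any any
access-group dmz1_in in interface dmz1
!
! Verification before the box goes live: packet-tracer reports the
! NAT-EXEMPT phase and the ACL verdict for a simulated flow in each
! direction; the second trace should be dropped by dmz1_in.
packet-tracer input inside tcp 10.0.0.20 50000 10.100.0.10 80
packet-tracer input dmz1 tcp 10.100.0.10 50000 10.0.0.20 1433
packet-tracer input dmz1 tcp 10.100.0.10 50000 10.0.0.21 1433
show running-config nat
show xlate
```

Jon's identity static, `static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0`, achieves the same untranslated forwarding and can be used instead; the difference is that the static populates the xlate table, whereas nat 0 with an ACL does not, and if both are configured the exemption ACL wins because it is checked first. `no nat-control` is the coarser option: it removes the requirement that every flow match a NAT rule, but it also means a later typo in a NAT rule fails open (the traffic simply passes untranslated) rather than being dropped, which is worth keeping in mind on a firewall that will eventually carry an outside interface.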

Jon Marshall Fri, 03/20/2009 - 12:35

James


access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0


I think this may be a typo? Assuming 10.0.0.0/24 is on the inside and 10.100.0.0/24 is on the DMZ:


access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0


Jon

John Blakley Fri, 03/20/2009 - 12:40

Which is preferred? Statics or policy NAT?

Jon Marshall Fri, 03/20/2009 - 12:45

John


Do you mean static NAT or NAT exemption? To be honest I have always used statics, but as James has pointed out there is little point if you don't actually want to NAT.


NAT exemption ACLs are bi-directional anyway, so there is no reason not to use them.


Jon

John Blakley Fri, 03/20/2009 - 12:48

I'm not going to need nat. I'm setting up a new firewall from scratch because I'm converting from a Symantec Gateway. I want to make sure that I can get traffic from my internal to the DMZ and DMZ back without translation. I thought statics would be the best way to do it, and so far mine looks like the one that I posted. I don't have it actually connected into the network yet; that won't be for a few weeks.


Thanks,

John

Jon Marshall Fri, 03/20/2009 - 12:56

John


If you don't need NAT at all on your firewall you could turn off NAT as suggested by James.


As I say, I have always used statics, so I can't disagree with what you have proposed. Just to be sure we are saying the same thing:


static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.255.255.0


means the 10.0.0.0/24 hosts are on the inside and they will be presented to the DMZ with the same addresses.


Jon
