03-20-2009 12:24 PM - edited 03-11-2019 08:08 AM
All,
If I have inside traffic going into the DMZ, would my static nat look like:
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
We have several subnets of 10.100.0.0, 10.200.0.0, etc.
Thanks,
John
03-20-2009 12:32 PM
Hi John,
Your NAT statement will do identity NAT, i.e. it will not NAT at all, but will still keep an entry in the NAT table.
You are probably better off doing NAT exemption by doing
access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list no_nat
Or switch off NAT control globally with
no nat-control
Regards
03-20-2009 12:35 PM
James
access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
I think this may be a typo? Assuming 10.0.0.0/24 is on inside and 10.100.0.0/24 is on dmz
access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
Jon
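The two options discussed so far (an identity static versus a NAT exemption ACL bound with nat 0) are easy to mistype, as the ACL above shows. The following Python helper is an added example, not code from this thread or from Cisco: it generates both forms of pre-8.3 ASA configuration for a list of inside and DMZ subnets and lints a permit ip ACE for the exact mistake Jon caught (source and destination being the same subnet). The ACL name no_nat and the interface names inside and dmz1 come from the thread; the subnets 10.0.0.0/24 and 10.100.0.0/24 are Jon's assumption, and 10.200.0.0/24 is a constructed sample taken from John's mention of that range.

```python
import ipaddress

# Constructed sample input (assumed, not from the thread's real network):
# 10.0.0.0/24 on the inside, 10.100.0.0/24 and 10.200.0.0/24 on dmz1.
INSIDE_NETS = ["10.0.0.0/24"]
DMZ_NETS = ["10.100.0.0/24", "10.200.0.0/24"]


def _net(text):
    # strict=True rejects a network written with host bits set (e.g. 10.0.0.1/24)
    return ipaddress.ip_network(text, strict=True)


def exemption_ace(acl_name, src, dst):
    """One pre-8.3 ASA NAT-exemption ACE. ASA ACLs use real subnet masks,
    not IOS-style wildcard masks."""
    s, d = _net(src), _net(dst)
    return (f"access-list {acl_name} permit ip "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}")


def nat_exemption_config(acl_name, inside_nets, dmz_nets, inside_if="inside"):
    """ACL plus the 'nat (inside) 0 access-list' binding. One ACE per inside/DMZ
    pair; the ASA matches an exemption ACE in both directions, so no reverse
    ACE is needed."""
    lines = [exemption_ace(acl_name, i, d) for i in inside_nets for d in dmz_nets]
    lines.append(f"nat ({inside_if}) 0 access-list {acl_name}")
    return lines


def static_identity_config(inside_nets, inside_if="inside", dmz_if="dmz1"):
    """Identity static: real and mapped addresses are the same subnet, so the
    inside hosts are presented to the DMZ unchanged."""
    return [f"static ({inside_if},{dmz_if}) {n.network_address} {n.network_address} "
            f"netmask {n.netmask}" for n in map(_net, inside_nets)]


def lint_ace(line):
    """Return a list of problems found in one 'permit ip' ACE (empty if clean)."""
    parts = line.split()
    if (len(parts) != 8 or parts[0] != "access-list"
            or parts[2:4] != ["permit", "ip"]):
        return ["not a recognised 'access-list <name> permit ip <src> <mask> <dst> <mask>' line"]
    try:
        src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=True)
        dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=True)
    except ValueError as err:
        return [f"bad address/mask: {err}"]
    problems = []
    if src == dst:
        # The typo caught in the thread: inside-to-DMZ traffic would never match.
        problems.append("source and destination are the same subnet; "
                        "inside-to-DMZ traffic would not match this ACE")
    elif src.overlaps(dst):
        problems.append("source and destination subnets overlap")
    return problems


if __name__ == "__main__":
    for line in nat_exemption_config("no_nat", INSIDE_NETS, DMZ_NETS):
        print(line, lint_ace(line) or "")
    for line in static_identity_config(INSIDE_NETS):
        print(line)
```

Running the script prints the exemption ACL, its nat 0 binding and the equivalent identity statics; feeding the mistyped ACE from this thread to lint_ace flags it, while the corrected one comes back clean.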
03-20-2009 12:40 PM
Which is more preferred? Statics or policy nat?
03-20-2009 12:45 PM
John
Do you mean static NAT or NAT exemption? To be honest I have always used statics, but as James has pointed out there is little point if you don't actually want to NAT.
NAT exemption ACLs are bi-directional anyway, so there is no reason not to use them.
Jon
03-20-2009 12:48 PM
I'm not going to need nat. I'm setting up a new firewall from scratch because I'm converting from a Symantec Gateway. I want to make sure that I can get traffic from my internal to the DMZ and DMZ back without translation. I thought statics would be the best way to do it, and so far mine looks like the one that I posted. I don't have it actually connected into the network yet; that won't be for a few weeks.
Thanks,
John
03-20-2009 12:56 PM
John
If you don't need NAT at all on your firewall you could turn off NAT as suggested by James.
As I say, I have always used statics, so I can't disagree with what you have proposed, i.e. just to be sure we are saying the same thing:
static (inside,dmz1) 10.0.0.0 10.0.0.0 255.255.255.0
means the 10.0.0.0/24 hosts are on the inside and they will be presented to the dmz as the same.
Jon
03-20-2009 01:08 PM
Yes exactly :)
Thanks!