390 Views | 10 Helpful | 7 Replies

Translation between DMZ and Inside

John Blakley
VIP Alumni

All,

If I have inside traffic going into the DMZ, would my static nat look like:

static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

We have several subnets of 10.100.0.0, 10.200.0.0, etc.

Thanks,

John

HTH, John *** Please rate all useful posts ***
7 Replies

JamesLuther
Level 3

Hi John,

Your NAT statement will do identity NAT, i.e. it will not translate at all, but it will still keep an entry in the NAT table.

You are probably better off doing NAT exemption with

access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

nat (inside) 0 access-list no_nat

Or switch off NAT control globally with

no nat-control

Regards

James

access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

I think this may be a typo? Assuming 10.0.0.0/24 is on the inside and 10.100.0.0/24 is on the DMZ:

access-list no_nat permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0

Jon

Which is more preferred? Statics or policy nat?

HTH, John *** Please rate all useful posts ***

John

Do you mean static NAT or NAT exemption? To be honest I have always used statics, but as James has pointed out there is little point if you don't actually want to NAT.

NAT exemption ACLs are bi-directional anyway, so there is no reason not to use them.

Jon

I'm not going to need nat. I'm setting up a new firewall from scratch because I'm converting from a Symantec Gateway. I want to make sure that I can get traffic from my internal to the DMZ and DMZ back without translation. I thought statics would be the best way to do it, and so far mine looks like the one that I posted. I don't have it actually connected into the network yet; that won't be for a few weeks.

Thanks,

John

HTH, John *** Please rate all useful posts ***

John

If you don't need NAT at all on your firewall you could turn off NAT control as suggested by James.

As I say, I have always used statics, so I can't disagree with what you have proposed. Just to be sure we are saying the same thing:

static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

means the 10.0.0.0/24 hosts are on the inside and they will be presented to the DMZ with the same addresses.

Jon

Yes exactly :)

Thanks!

HTH, John *** Please rate all useful posts ***
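The three ways of passing inside-to-DMZ traffic untranslated that the replies above discuss, shown side by side as an added example. This is not configuration from any of the posts; it uses the pre-8.3 ASA / PIX 7.x syntax that the thread uses (the `static` and `nat 0 access-list` forms were removed in ASA 8.3). The interface names `inside` and `dmz1`, the inside range 10.0.0.0/8, the DMZ subnet 172.16.50.0/24, the host addresses and the port 1433 are assumptions for illustration only.

```cisco
! Option 1: identity static, as in the original question.
! The whole inside range is presented to dmz1 with its real addresses.
! Assumption: the DMZ subnet must NOT fall inside the mapped range, or the
! static will claim the DMZ hosts' addresses as inside addresses.
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

! Option 2: NAT exemption. The ACL is matched in both directions, so one
! line covers inside->dmz1 and dmz1->inside. Only needed while nat-control
! is enabled (it is on by default on PIX, off by default on ASA).
access-list no_nat permit ip 10.0.0.0 255.0.0.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list no_nat

! Option 3: drop the requirement for a NAT rule altogether. Traffic then
! passes untranslated with no static or nat statement at all.
no nat-control

! Whichever option is chosen, it only satisfies the NAT requirement. dmz1 is
! a lower-security interface, so DMZ-initiated connections to the inside are
! still blocked until an inbound ACL on dmz1 permits them. Keep that ACL as
! narrow as the application allows (constructed example: one DMZ web host
! talking to one inside database server).
access-list dmz1_in permit tcp host 172.16.50.20 host 10.100.0.10 eq 1433
access-group dmz1_in in interface dmz1

! Checks before cut-over (ASA 7.2 and later): trace a flow each way and
! confirm the chosen rule is the one matched in the NAT phase.
packet-tracer input inside tcp 10.100.0.10 12345 172.16.50.20 443
packet-tracer input dmz1 tcp 172.16.50.20 12345 10.100.0.10 1433
show xlate
```

The `packet-tracer` output is the quickest way to tell the three options apart: with the identity static the NAT phase reports the static, with exemption it reports the `nat 0` ACL, and with `no nat-control` no NAT rule is required at all. It also shows whether the `dmz1_in` ACL or the interface security level is what drops a DMZ-initiated flow, which is the usual cause of "NAT looks fine but nothing gets through" on a new firewall.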