04-09-2009 01:41 PM - edited 03-11-2019 08:16 AM
My DMZ is 10.45.136.0, 10.45.137.0, and 10.45.138.0.
My inside is 10.0.0.0.
Will I have a problem if I have my static nat stated as:
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
Or will this work in translating everything correctly? I'm trying to figure out if I should create static nat for every subnet I truly do have instead of trying to combine all of them in one.
Thanks,
John
04-09-2009 02:07 PM
John
From memory i think you should be fine with this. However if it doesn't work then you could do
access-list in_to_dmz permit ip any 10.45.136.0 255.255.255.0
access-list in_to_dmz permit ip any 10.45.137.0 255.255.255.0
access-list in_to_dmz permit ip any 10.45.138.0 255.255.255.0
nat (inside) 0 access-list in_to_dmz
Jon
04-10-2009 05:39 AM
Hi John/John,
Both of your methods will work (I've used both before).
However using a 10/8 static will use identity NAT whereas nat 0 ACL will do NAT exemption. I prefer to use NAT exemption because it's a bit neater and it won't show up in "sh xlate". If you're using identity NAT you can't see the wood for the trees when trying to get a quick view of all your current NATs.
Seeing as NAT exemption bypasses NAT all together perhaps it saves on system resources too???
Regards
04-10-2009 05:45 AM
So, is it better for me to list all of my private networks into my dmz networks to keep from having to use statics?
access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.136.0 255.255.255.0
access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.137.0 255.255.255.0
access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.138.0 255.255.255.0
access-list NONAT permit ip 172.20.0.0 255.255.0.0 10.45.135.0 255.255.255.0
etc?
I'll still need to nat 10.125.x.x and 172.x.x.x traffic to the internet, so I would need to specify what network not to nat to.
Thanks,
John
04-10-2009 03:12 PM
John
You could specify all the inside networks if you wanted, or you could just use the catch-all 10.0.0.0/8 entry in your NAT exemption ACLs:
access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.45.136.0 255.255.255.0
etc...
"I'll still need to nat 10.125.x.x and 172.x.x.x traffic to the internet, so I would need to specify what network not to nat to."
Yes, that will be fine. Just set up NAT for this as you normally would, i.e.
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface or
Jon
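To make the lookup order the two replies rely on concrete (NAT exemption via nat 0 access-list is consulted first, then static NAT, then dynamic nat/global), here is an added example that is not part of the thread. It parses two constructed ASA 8.2-style configs, one with John's single 10/8 identity static and one with Jon's NONAT exemption ACL, and reports which rule an outbound flow would hit. It models outbound flows only, assumes the interfaces inside, dmz1 and outside, and the 172.20.1.1 / 198.51.100.7 addresses are made up for the checks.

```python
"""
Simplified model of the ASA 8.2 NAT lookup order discussed above:
1. NAT exemption (nat 0 access-list), 2. static NAT, 3. dynamic nat/global.
Added example, not code from the thread; outbound flows only.
"""
import ipaddress

# Constructed config A: one identity static for the whole 10/8 towards dmz1.
CONFIG_STATIC = """
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
"""

# Constructed config B: NAT exemption ACL plus the same dynamic NAT to the internet.
CONFIG_EXEMPT = """
access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.45.136.0 255.255.255.0
access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.45.137.0 255.255.255.0
access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.45.138.0 255.255.255.0
access-list NONAT permit ip 172.20.0.0 255.255.0.0 10.45.136.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.0.0 255.0.0.0
nat (inside) 1 172.20.0.0 255.255.0.0
global (outside) 1 interface
"""


def _net(addr, mask):
    # ipaddress accepts dotted netmasks, so "10.0.0.0/255.0.0.0" parses as 10.0.0.0/8.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_net(tok, i):
    """Parse 'any' or 'ADDR MASK' starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return _net(tok[i], tok[i + 1]), i + 2


def parse_config(text):
    """Collect the access-list, nat, global and static lines into one lookup table."""
    cfg = {"acls": {}, "exempt": {}, "static": [], "nat": [], "global": {}}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2] == "permit" and tok[3] == "ip":
            src, i = _take_net(tok, 4)
            dst, _ = _take_net(tok, i)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat":
            iface = tok[1].strip("()")
            if tok[2] == "0" and tok[3] == "access-list":
                cfg["exempt"][iface] = tok[4]            # nat (if) 0 access-list NAME
            else:
                cfg["nat"].append((iface, tok[2], _net(tok[3], tok[4])))
        elif tok[0] == "global":
            cfg["global"][(tok[1].strip("()"), tok[2])] = tok[3]   # "interface" or a pool
        elif tok[0] == "static":
            # static (real_if,mapped_if) MAPPED REAL netmask MASK
            real_if, mapped_if = tok[1].strip("()").split(",")
            mapped, real, mask = tok[2], tok[3], tok[5]
            cfg["static"].append((real_if, mapped_if, _net(real, mask), _net(mapped, mask)))
    return cfg


def lookup(cfg, ingress, egress, src, dst):
    """Return (rule kind, detail) for an outbound flow, following the 8.2 order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption: first-match ACE in the nat 0 ACL bound to the ingress interface.
    acl = cfg["exempt"].get(ingress)
    for s, d in cfg["acls"].get(acl, []):
        if src in s and dst in d:
            return ("exempt", acl)
    # 2. Static NAT configured between exactly this interface pair.
    for real_if, mapped_if, real, mapped in cfg["static"]:
        if real_if == ingress and mapped_if == egress and src in real:
            kind = "identity-static" if real == mapped else "static"
            return (kind, str(mapped))
    # 3. Dynamic NAT: a nat id on the ingress interface paired with a global of the same id on egress.
    for iface, nat_id, net in cfg["nat"]:
        if iface == ingress and src in net and (egress, nat_id) in cfg["global"]:
            return ("dynamic", cfg["global"][(egress, nat_id)])
    return ("none", None)


if __name__ == "__main__":
    for name, text in (("static", CONFIG_STATIC), ("exempt", CONFIG_EXEMPT)):
        cfg = parse_config(text)
        print(name, lookup(cfg, "inside", "dmz1", "10.125.3.4", "10.45.136.10"))
        print(name, lookup(cfg, "inside", "outside", "10.125.3.4", "198.51.100.7"))
        print(name, lookup(cfg, "inside", "dmz1", "172.20.1.1", "10.45.137.5"))
```

Both configs send 10.125.3.4 to the internet through the interface PAT, and both carry 10.125.3.4 to 10.45.136.10 untranslated, one as an identity static and one as an exemption. The third flow (172.20.1.1 to 10.45.137.5) hits no rule in either config, which is the gap you get when the per-network NONAT entries are incomplete; whether such a packet is then forwarded or dropped on a real ASA depends on the nat-control setting.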