DMZ and NAT

Jun 8th, 2009

Okay,


I have a device on dmz2 that the company apparently does NAT for us. I've tried to exempt NAT traffic, but it's not working. My dmz interface is 10.45.127.66, and they said that I can source from that address. I've thought about natting the connection, so I need some clarification:


I have the following:


global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list NONAT
nat (INSIDE) 1 10.128.0.0 255.255.0.0

access-list NONAT line 2 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0



The device in question is in dmz2: 10.45.127.6


My routes point to that device for their specified subnet. The problem that I have is figuring out how to NAT this one connection, and whether what I'm thinking will break other things:


global (dmz2) 45 interface
nat (inside) 45 10.128.0.0 255.255.0.0
nat (inside) 45 10.1.0.0 255.255.0.0

access-list NONAT line 1 extended permit ip 10.125.0.0 255.255.0.0 10.45.0.0 255.255.0.0
access-list NONAT line 2 extended deny ip 10.128.0.0 255.255.0.0 10.45.137.0 255.255.255.0
access-list NONAT line 2 extended deny ip 10.1.0.0 255.255.0.0 10.45.137.0 255.255.255.0
access-list NONAT line 3 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0
access-list NONAT line 4 extended permit ip 10.129.0.0 255.255.0.0 10.45.0.0 255.255.0.0


These are my proposed changes, but I wanted to verify my thinking. The 10.128.0.0 subnet, when using NAT, will still NAT out depending on the exit interface they use, correct? So the NAT exemption is the thing that I'm really questioning: should I create a static translation for them instead, and will the static take precedence over the NAT exemption?


Thanks,

John

Jon Marshall Mon, 06/08/2009 - 10:04

John


"The 10.128.0.0 subnet, when using nat, will still nat out depending on the exit interface they use, correct?"

Yes, correct, so as you say the only issue is the NAT exempt.

NAT exempt takes precedence over everything, including static NAT statements, so you need to use the config you have above.


Jon
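Jon's point about precedence, as an added example that is not part of the thread: a small Python model of the ASA 8.2-style NAT lookup order (nat 0 access-list first, then static, then the nat/global pair for the egress interface) run over John's proposed NONAT ACL and nat/global statements. The ACL entries, nat ids and dmz2 interface address come from the posts; the outside global address, the static table and the egress interface passed in are constructed assumptions.

```python
# Added example, not from the thread: simulate ASA 8.2 NAT order of operations
# for John's proposed config. Egress interface is passed in rather than routed.
import ipaddress


def net(s):
    return ipaddress.ip_network(s, strict=False)


# NONAT access-list exactly as proposed (first match wins, order matters)
NONAT = [
    ("permit", "10.125.0.0/16", "10.45.0.0/16"),
    ("deny",   "10.128.0.0/16", "10.45.137.0/24"),
    ("deny",   "10.1.0.0/16",   "10.45.137.0/24"),
    ("permit", "10.128.0.0/16", "10.45.0.0/16"),
    ("permit", "10.129.0.0/16", "10.45.0.0/16"),
]
# nat (inside) <id> <subnet>  and  global (<iface>) <id> interface
NAT = [(45, "10.128.0.0/16"), (45, "10.1.0.0/16"), (1, "10.128.0.0/16")]
GLOBAL = {("dmz2", 45): "10.45.127.66",      # dmz2 interface address (from post)
          ("outside", 1): "OUTSIDE-IP"}      # constructed placeholder


def translate(src, dst, egress, statics=None):
    """Return (mechanism, source address seen on `egress`) for one flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    statics = statics or {}
    # 1. nat 0 access-list: a permit exempts; a deny ends the exemption lookup
    #    so the flow falls through to the remaining NAT rules
    for action, sn, dn in NONAT:
        if s in net(sn) and d in net(dn):
            if action == "permit":
                return ("exempt", src)
            break
    # 2. static NAT is only consulted once exemption did not match
    if src in statics:
        return ("static", statics[src])
    # 3. dynamic nat: the nat id must have a global on the egress interface
    for nat_id, sn in NAT:
        if s in net(sn) and (egress, nat_id) in GLOBAL:
            return ("pat", GLOBAL[(egress, nat_id)])
    return ("no-translation", src)
```

The deny entries only remove the 10.45.137.0/24 destination from the exemption, so those flows are PATed to the dmz2 interface while the rest of 10.45.0.0/16 stays exempt; a static for the same host would still lose to a matching permit.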

John Blakley Mon, 06/08/2009 - 10:05

Jon,


I did and everything's working. =)


Thanks!

John

Jon Marshall Mon, 06/08/2009 - 10:07

John


That's one of the fastest responses I've seen!!


Glad to hear it's working.


Jon

John Blakley Mon, 06/08/2009 - 10:08

LOL! I stay logged into the forum all day. I use Firefox, so I have a tab for it. When I get an email, I respond :)