06-08-2009 07:49 AM - edited 03-11-2019 08:41 AM
Okay,
I have a device on dmz2 that the company apparently does nat for us. I've tried to exempt nat traffic, but it's not working. My dmz interface is 10.45.127.66, and they said that I can source from that address. I've thought about natting the connection, so I need some clarification:
I have the following:
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list NONAT
nat (INSIDE) 1 10.128.0.0 255.255.0.0
access-list NONAT line 2 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0
The device in question is in dmz2: 10.45.127.6
My routes point to that device for their specified subnet. The problem that I have is figuring out how to nat this one connection, and if what I'm thinking will break other things:
global (dmz2) 45 interface
nat (inside) 45 10.128.0.0 255.255.0.0
nat (inside) 45 10.1.0.0 255.255.0.0
access-list NONAT line 1 extended permit ip 10.125.0.0 255.255.0.0 10.45.0.0 255.255.0.0
access-list NONAT line 2 extended deny ip 10.128.0.0 255.255.0.0 10.45.137.0 255.255.255.0
access-list NONAT line 2 extended deny ip 10.1.0.0 255.255.0.0 10.45.137.0 255.255.255.0
access-list NONAT line 3 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0
access-list NONAT line 4 extended permit ip 10.129.0.0 255.255.0.0 10.45.0.0 255.255.0.0
These are my proposed changes, but I wanted to verify my thinking. The 10.128.0.0 subnet, when using nat, will still nat out depending on the exit interface they use, correct? So, the nat exemption is the thing that I'm really questioning, or should I create a static translation for them, and will the static take precedence over nat exemption?
Thanks,
John
06-08-2009 10:04 AM
John
"The 10.128.0.0 subnet, when using nat, will still nat out depending on the exit interface they use, correct?"
Yes correct so as you say the only issue is the nat exempt.
Nat exempt takes precedence over everything including static NAT statements so you need to use the config you have above.
Jon
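To check the reasoning in John's proposed config and Jon's reply (exemption is evaluated first, so a deny ACE in NONAT is what lets a flow fall through to the dynamic nat/global pair on the exit interface), here is a small model of the pre-8.3 ASA NAT order of operations. It is an added example, not the poster's config or Cisco's code; the ACL and nat/global tables are transcribed from the thread, and the sample flows are constructed.

```python
# Added example: model of pre-8.3 ASA NAT selection (exemption first, then
# dynamic nat/global matched on the egress interface). Not from the thread.
import ipaddress

# Transcribed from the proposed config in the thread: first-match NONAT ACL.
NONAT = [
    ("permit", "10.125.0.0/16", "10.45.0.0/16"),
    ("deny",   "10.128.0.0/16", "10.45.137.0/24"),
    ("deny",   "10.1.0.0/16",   "10.45.137.0/24"),
    ("permit", "10.128.0.0/16", "10.45.0.0/16"),
    ("permit", "10.129.0.0/16", "10.45.0.0/16"),
]
# nat (inside) <id> <network> and global (<iface>) <id> interface, as posted.
NAT_RULES = [(1, "10.128.0.0/16"), (45, "10.128.0.0/16"), (45, "10.1.0.0/16")]
GLOBALS = {("OUTSIDE", 1): "interface", ("dmz2", 45): "interface"}


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def exempt(src, dst):
    """nat 0 access-list is checked before any other NAT rule. A permit ACE
    exempts the flow, a deny ACE explicitly stops exemption, and no match
    simply falls through to the remaining NAT rules."""
    for action, s, d in NONAT:
        if _in(src, s) and _in(dst, d):
            return action == "permit"
    return False


def translate(src, dst, egress):
    """Describe what happens to a flow leaving 'inside' via interface 'egress'."""
    if exempt(src, dst):
        return "exempt"
    # Dynamic NAT: the nat id must pair with a global on the exit interface.
    for nat_id, net in NAT_RULES:
        if _in(src, net) and (egress, nat_id) in GLOBALS:
            return f"PAT to {egress} interface (nat id {nat_id})"
    return "no matching NAT rule (untranslated unless nat-control is enabled)"
```

The same source host is exempt toward 10.45.127.6 on dmz2 but PATed to the dmz2 interface address toward 10.45.137.0/24, and still PATed to the OUTSIDE interface when the route points that way.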
06-08-2009 10:05 AM
Jon,
I did and everything's working. =)
Thanks!
John
06-08-2009 10:07 AM
John
That's one of the fastest responses I've seen!!
Glad to hear it's working.
Jon
06-08-2009 10:08 AM
LOL! I stay logged into the forum all day. I use firefox, so I have a tab for it. When I get an email, I respond :)