DMZ and NAT

John Blakley
VIP Alumni

Okay,

I have a device on dmz2 that the company apparently does nat for us. I've tried to exempt nat traffic, but it's not working. My dmz interface is 10.45.127.66, and they said that I can source from that address. I've thought about natting the connection, so I need some clarification:

I have the following:

global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list NONAT
nat (INSIDE) 1 10.128.0.0 255.255.0.0
access-list NONAT line 2 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0

The device in question is in dmz2: 10.45.127.6

My routes point to that device for their specified subnet. The problem that I have is figuring out how to nat this one connection, and if what I'm thinking will break other things:

global (dmz2) 45 interface
nat (inside) 45 10.128.0.0 255.255.0.0
nat (inside) 45 10.1.0.0 255.255.0.0
access-list NONAT line 1 extended permit ip 10.125.0.0 255.255.0.0 10.45.0.0 255.255.0.0
access-list NONAT line 2 extended deny ip 10.128.0.0 255.255.0.0 10.45.137.0 255.255.255.0
access-list NONAT line 2 extended deny ip 10.1.0.0 255.255.0.0 10.45.137.0 255.255.255.0
access-list NONAT line 3 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0
access-list NONAT line 4 extended permit ip 10.129.0.0 255.255.0.0 10.45.0.0 255.255.0.0

These are my proposed changes, but I wanted to verify my thinking. The 10.128.0.0 subnet, when using nat, will still nat out depending on the exit interface they use, correct? So, the nat exemption is the thing that I'm really questioning, or should I create a static translation for them, and will the static take precedence over nat exemption?

Thanks,

John

HTH, John *** Please rate all useful posts ***

Jon Marshall
Hall of Fame

John

"The 10.128.0.0 subnet, when using nat, will still nat out depending on the exit interface they use, correct ?"

Yes, correct, so as you say the only issue is the NAT exempt.

NAT exempt takes precedence over everything, including static NAT statements, so you need to use the config you have above.

Jon
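To check the order of operations Jon describes against John's proposed NONAT entries and nat/global pairs, here is an added Python model (it is not from the thread or from Cisco). The routing table and the single static entry in it are assumptions made for the illustration; everything else is taken from the config above.

```python
import ipaddress

# Constructed model of the pre-8.3 ASA NAT order of operations Jon describes:
# nat 0 access-list (exemption) wins, then static, then dynamic nat/global pairs.
# ACL rows are John's proposed NONAT entries (action, source, destination); first match wins.
NONAT = [
    ("permit", "10.125.0.0/16", "10.45.0.0/16"),
    ("deny",   "10.128.0.0/16", "10.45.137.0/24"),
    ("deny",   "10.1.0.0/16",   "10.45.137.0/24"),
    ("permit", "10.128.0.0/16", "10.45.0.0/16"),
    ("permit", "10.129.0.0/16", "10.45.0.0/16"),
]
# "nat (inside) <id> <subnet>" and "global (<iface>) <id> interface" from the thread
DYNAMIC_NAT = {"10.128.0.0/16": [1, 45], "10.1.0.0/16": [45]}
GLOBALS = {("OUTSIDE", 1), ("dmz2", 45)}
# Hypothetical "static (inside,dmz2) 10.45.127.99 10.128.9.9" (not in the thread), only to show exemption wins.
STATIC = {("10.128.9.9", "dmz2"): "10.45.127.99"}
# Assumed routing: 10.45.0.0/16 is reached via dmz2, everything else via OUTSIDE.
ROUTES = {"10.45.0.0/16": "dmz2", "0.0.0.0/0": "OUTSIDE"}

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def exit_interface(dst):
    """Longest-prefix match over the assumed routing table."""
    best = max((n for n in ROUTES if _in(dst, n)), key=lambda n: ipaddress.ip_network(n).prefixlen)
    return ROUTES[best]

def nonat_exempt(src, dst):
    """First-match evaluation of the NONAT ACL; the implicit deny means 'not exempt'."""
    for action, sn, dn in NONAT:
        if _in(src, sn) and _in(dst, dn):
            return action == "permit"
    return False

def translate(src, dst):
    """Describe which NAT rule the ASA would apply to src -> dst."""
    if nonat_exempt(src, dst):
        return "exempt (nat 0)"
    iface = exit_interface(dst)
    if (src, iface) in STATIC:
        return f"static to {STATIC[(src, iface)]} on {iface}"
    for sn, ids in DYNAMIC_NAT.items():
        if _in(src, sn):
            for nat_id in ids:
                if (iface, nat_id) in GLOBALS:
                    return f"dynamic PAT id {nat_id} to {iface} interface"
    return "no matching nat rule"
```

Run `translate("10.128.1.1", "10.45.137.10")` to see the deny entry push that flow into the id 45 PAT on dmz2, while the same host to another dmz2 address stays exempt.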

Jon,

I did and everything's working. =)

Thanks!

John

HTH, John *** Please rate all useful posts ***

John

That's one of the fastest responses I've seen!!

Glad to hear it's working.

Jon

LOL! I stay logged into the forum all day. I use firefox, so I have a tab for it. When I get an email, I respond :)

HTH, John *** Please rate all useful posts ***