Jon Marshall Wed, 09/02/2009 - 12:57

Jeff


No, nat exemption is bidirectional so you can either do

inside net = 192.168.5.0/24
dmz net = 172.16.5.0/24

1) static NAT translation

static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

this will allow internal hosts to access DMZ hosts and DMZ hosts to access internal hosts

OR

2) access-list NONAT permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0

nat (inside) 0 access-list NONAT

Technically speaking only 2 is actually not doing NAT but 1) would achieve the same result for you.


Jon
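The two options above, placed in a minimal pre-8.3 ASA configuration as an added example (not from the thread). The interface names, security levels, gateway addresses and the DMZ inbound ACL name are assumptions; the ACL is still required because NAT exemption only skips translation, it does not permit lower-to-higher security traffic by itself.

```cisco
! Added example: interface names, security levels and addresses are assumed.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.5.1 255.255.255.0
!
! Option 2: NAT exemption. The ACL is written from the inside network's
! perspective and applied on the higher-security (inside) interface only;
! nat 0 access-list is bidirectional, so DMZ hosts can also reach inside hosts.
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Option 1 (identity static) achieves the same result; use one or the other:
! static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
!
! Exemption does not grant access. Traffic initiated from the dmz (50) toward
! inside (100) still needs an inbound ACL on the dmz interface (name assumed).
access-list DMZ_IN extended permit ip 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0
access-group DMZ_IN in interface dmz
```

After applying the configuration, "show xlate" should show no translation entries for inside-to-dmz flows, which confirms the exemption is matching.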

jcw009 Wed, 09/02/2009 - 13:15
So, as long as there is the 'destination' (per the nonat acl) network somewhere on another interface, it doesn't matter which interface it's on for the nat exemption to work. Correct? Because once the traffic passes through the nat 'engine', then it just gets routed to the appropriate interface.


But you still have to apply the nat exemption to an interface, does that mean that it doesn't matter which interface you apply it to?


Maybe I'm overthinking this and missing something.

Jon Marshall Wed, 09/02/2009 - 13:32

Jeff


"But you still have to apply the nat exemption to an interface, does that mean that it doesn't matter which interface you apply it to? "


I'm assuming when you say this you mean either the inside or dmz interface because obviously if you applied it to a totally different interface it would not have the effect you wanted.


As for applying it to either the inside or dmz interface, to be honest I have only ever applied it on the higher security interface, in this case the inside interface.


Jon
