NAT question

Unanswered Question
Aug 9th, 2010

global (GT/Bell) 1 interface
global (Allstream/SunGard) 1 interface

nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,dmz) 10.69.0.0 10.69.0.0 netmask 255.255.0.0

access-list inside_nat0_outbound; 2 elements
access-list inside_nat0_outbound line 1 extended permit ip any 10.xx.x.x 255.255.0.0
access-list inside_nat0_outbound line 2 extended permit ip any 10xx.xx.x 255.255.240.0

My question is ...

If I want my DMZ to NOT NAT when going to my internal network of 10.xx.xx.xx 255.255.240.0

What do I need? What is above is what exists.

I have a bunch of ideas in my head about what I need but at the same time what I've tried isn't working so I need some advice.

Thanks,

BR

Collin Clark Mon, 08/09/2010 - 13:48

Technically speaking you are NATing, but the firewall is NATing with the real IPs.

static (inside,dmz) 10.69.0.0 10.69.0.0 netmask 255.255.0.0

There's nothing wrong with doing this. If you really want to prevent NAT, create another ACL and prevent NAT on the interface, just like the one applied to the inside.

nat (dmz) 0 access-list no_nat
access-list no_nat extended permit ip [dmz subnet & mask] [internal subnet & mask]

Hope it helps.

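As an added example (not part of the original thread or Cisco's own tooling), the following Python sketch audits a config for the exemption suggested in the reply above: it reads `nat (if) 0 access-list NAME` bindings and the matching `permit ip` entries, then reports whether a given flow entering an interface matches that interface's exemption ACL. The subnets in the sample config are constructed stand-ins for the bracketed placeholders, and only `permit ip` entries are modelled.

```python
import ipaddress

# Constructed sample config: the answer's two lines with its bracketed
# placeholders filled by made-up subnets (DMZ 172.16.10.0/24, internal
# 10.69.0.0/20), plus an inside exemption shaped like the one in the question.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 0 access-list no_nat
access-list inside_nat0_outbound extended permit ip any 10.69.0.0 255.255.240.0
access-list no_nat extended permit ip 172.16.10.0 255.255.255.0 10.69.0.0 255.255.240.0
"""

def _take_network(tokens):
    """Consume 'any', 'host A' or 'A MASK' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse(config):
    """Return ({interface: acl_name}, {acl_name: [(src_net, dst_net), ...]})."""
    exempt, acls = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["nat"] and len(t) == 5 and t[2:4] == ["0", "access-list"]:
            exempt[t[1].strip("()")] = t[4]
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            src = _take_network(rest)
            dst = _take_network(rest)
            acls.setdefault(t[1], []).append((src, dst))
    return exempt, acls

def is_exempt(config, ingress_if, src_ip, dst_ip):
    """True if a flow entering ingress_if matches that interface's nat 0 ACL."""
    exempt, acls = parse(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    entries = acls.get(exempt.get(ingress_if), [])
    return any(src in s and dst in d for s, d in entries)

if __name__ == "__main__":
    for flow in [("dmz", "172.16.10.5", "10.69.3.7"),
                 ("dmz", "172.16.10.5", "10.69.200.1")]:
        print(flow, "exempt" if is_exempt(SAMPLE_CONFIG, *flow) else "not exempt")
```

Removing the `nat (dmz) 0` line from the sample makes every DMZ-sourced flow report as not exempt, because the `any` source in `inside_nat0_outbound` is only evaluated for traffic entering the inside interface.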