NAT question

Aug 9th, 2010

global (GT/Bell) 1 interface
global (Allstream/SunGard) 1 interface

nat (dmz) 1
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1

static (inside,dmz) netmask

access-list inside_nat0_outbound; 2 elements
access-list inside_nat0_outbound line 1 extended permit ip any 10.xx.x.x
access-list inside_nat0_outbound line 2 extended permit ip any 10xx.xx.x

My question is ...

If I want my DMZ to NOT NAT when going to my internal network of 10.xx.xx.xx, what do I need? What is above is what exists.

I have a bunch of ideas in my head about what I need, but at the same time what I've tried isn't working, so I need some advice.



Overall Rating: 5 (1 ratings)
Collin Clark Mon, 08/09/2010 - 13:48

Technically speaking you are NATing, but the firewall is NATing with the real IPs.

static (inside,dmz) netmask

There's nothing wrong with doing this. If you really want to prevent NAT, create another ACL and prevent NAT on the interface, just like the one applied to the inside.

nat (dmz) 0 access-list no_nat
access-list no_nat extended permit ip [dmz subnet & mask] [internal subnet & mask]

Hope it helps.

