NAT in the DMZ

Answered Question
Feb 21st, 2012

We are trying to upgrade from 8.2 to 8.3 (or beyond) and want to know if, with the changes to NAT, we need to convert all of our NAT rules for access from the DMZ to the internal network. We have some static NAT statements for both single IPs and subnets, in addition to global NAT statements for NAT and no-NAT on the DMZ interface. Can access between the networks be accomplished with ACLs only, or do I still have to use NAT?

Marvin Rhoads Tue, 02/21/2012 - 19:21

I'm not sure if I understand all of your assumptions, but NAT has never been required to allow traffic between interfaces (or security zones). It's generally used between inside and/or DMZ to outside so as to allow one to have an independently managed network using private IP addressing (RFC 1918).

That said, if you're using NAT now, you can continue to do so post-upgrade. The built-in upgrade tool will parse your 8.2 configuration and convert the existing NAT statements as required. There are a few gotchas documented in other threads and a few documents here and elsewhere but generally it works well.

The Cisco TAC is well-versed in supporting such migrations and is happy to help out.

If you're upgrading from 8.2(x), I'd recommend you go straight to the current release - 8.4(3).

emcmanamy Tue, 02/21/2012 - 19:44

Thank you for replying, and my apologies for the vague question. In most of the firewall configurations I have seen, or examples Cisco has provided, there has always been a NAT statement like the one listed below.

static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0

If routing and proper ACLs are in place, is there a purpose or need for this type of NAT statement, which basically states "don't NAT"? My apologies if this seems like a simple question, but if the routing and ACL exist, why NAT the IPs to the same source and destination?

Thanks,

Eric

Correct Answer
Marvin Rhoads Tue, 02/21/2012 - 20:34

IF that's in place (though ACL is not required from higher security to lower - it's allowed by default) - AND there are no globals etc. affecting it AND your inside interface is at a higher security level than the DMZ - then no you don't need it. However, it doesn't hurt. As you note, it is really a "no nat" statement as written.
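For anyone following the same upgrade, the block below shows the identity static quoted earlier beside its 8.3+ form and how to verify what the new NAT table does with inside-to-DMZ traffic. This is an added example, not configuration from the thread or from Cisco; the object names, the hypothetical dynamic PAT rule and the 10.10.10.5 DMZ host are illustrative values.

```cisco
! 8.2 syntax (from the thread): identity static, "translates" 172.16.34.0/24 to itself
static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0

! 8.3+ equivalent expressed as twice NAT (object name is illustrative)
object network obj-172.16.34.0
 subnet 172.16.34.0 255.255.255.0
nat (inside,DMZ) source static obj-172.16.34.0 obj-172.16.34.0

! In 8.3+ a packet that matches no NAT rule for its interface pair is forwarded
! untranslated, so the identity rule is redundant unless some other rule on the
! same (inside,DMZ) pair would otherwise catch the traffic, for example this
! hypothetical dynamic PAT (object NAT, section 2):
object network obj-inside-any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,DMZ) dynamic interface
! Twice NAT (section 1) is evaluated before object NAT (section 2), so the
! identity rule above still wins for 172.16.34.0/24 when both are present.

! Verify after the upgrade which rule, if any, an inside-to-DMZ flow hits
! (the DMZ host address is a constructed example)
packet-tracer input inside tcp 172.16.34.10 12345 10.10.10.5 80
show nat detail
```

The packet-tracer output reports the NAT phase and rule (or its absence) for the flow, which is the quickest way to confirm that the migrated rules did not turn a no-NAT path into a translated one.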

Posted February 21, 2012 at 6:54 PM