Cisco Support Community
DMZ and NAT

Okay,

I have a device on dmz2 that the company apparently does nat for us. I've tried to exempt nat traffic, but it's not working. My dmz interface is 10.45.127.66, and they said that I can source from that address. I've thought about natting the connection, so I need some clarification:

I have the following:

global (OUTSIDE) 1 interface

nat (INSIDE) 0 access-list NONAT

nat (INSIDE) 1 10.128.0.0 255.255.0.0

access-list NONAT line 2 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0

The device in question is in dmz2: 10.45.127.6

My routes point to that device for their specified subnet. The problem that I have is figuring out how to nat this one connection, and if what I'm thinking will break other things:

global (dmz2) 45 interface

nat (inside) 45 10.128.0.0 255.255.0.0

nat (inside) 45 10.1.0.0 255.255.0.0

access-list NONAT line 1 extended permit ip 10.125.0.0 255.255.0.0 10.45.0.0 255.255.0.0

access-list NONAT line 2 extended deny ip 10.128.0.0 255.255.0.0 10.45.137.0 255.255.255.0

access-list NONAT line 2 extended deny ip 10.1.0.0 255.255.0.0 10.45.137.0 255.255.255.0

access-list NONAT line 3 extended permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0

access-list NONAT line 4 extended permit ip 10.129.0.0 255.255.0.0 10.45.0.0 255.255.0.0

These are my proposed changes, but I wanted to verify my thinking. The 10.128.0.0 subnet, when using nat, will still nat out depending on the exit interface they use, correct? So, the nat exemption is the thing that I'm really questioning, or should I create a static translation for them, and will the static take precedence over nat exemption?

Thanks,

John

HTH, John *** Please rate all useful posts ***

Re: DMZ and NAT

John

"The 10.128.0.0 subnet, when using nat, will still nat out depending on the exit interface they use, correct ?"

Yes, correct, so as you say the only issue is the NAT exempt.

NAT exempt takes precedence over everything, including static NAT statements, so you need to use the config you have above.

Jon
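To check the first-match behaviour of the NONAT exemption list in John's proposal and the precedence Jon describes (exemption before static before dynamic nat/global), here is an added Python model of the pre-8.3 ASA NAT order of operations. It is example code written for this thread, not Cisco's code and not anything either poster ran. The NONAT entries, the nat/global statements and the dmz2 address 10.45.127.66 come from John's post; interface names are lowercased, and the inside/outside interface addresses, the routing table, the test destinations and the optional static entry are constructed assumptions.

```python
"""Simplified pre-8.3 ASA NAT order of operations (constructed model, not Cisco code):
1. nat 0 access-list  - first matching ACE decides; permit exempts, deny falls through
2. static NAT         - checked only for traffic the exemption list did not permit
3. dynamic nat/global - nat statement on the ingress interface whose ID has a global
                        on the egress interface (here always 'global ... interface')
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Ace:          # one line of the NONAT access-list
    action: str     # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Static:       # static (real_if,mapped_if) mapped real
    real_if: str
    mapped_if: str
    real: IPv4Address
    mapped: IPv4Address


@dataclass(frozen=True)
class Nat:          # nat (ifname) nat_id src
    ifname: str
    nat_id: int
    src: IPv4Network


@dataclass
class Asa:
    interfaces: dict                      # name -> interface address
    routes: list                          # (IPv4Network, egress interface name)
    nonat: list = field(default_factory=list)
    statics: list = field(default_factory=list)
    nats: list = field(default_factory=list)
    globals_: set = field(default_factory=set)   # (ifname, nat_id) for 'global (ifname) id interface'

    def egress(self, dst):
        # Longest-prefix match; a default route is always present in the sample config.
        best = max((r for r in self.routes if dst in r[0]), key=lambda r: r[0].prefixlen)
        return best[1]

    def translate(self, ingress, src, dst):
        src, dst = IPv4Address(src), IPv4Address(dst)
        out_if = self.egress(dst)
        for ace in self.nonat:                          # 1. NAT exemption, first match wins
            if src in ace.src and dst in ace.dst:
                if ace.action == "permit":
                    return ("exempt", str(src), out_if)
                break                                   # deny: not exempt, try other NAT
        for s in self.statics:                          # 2. static NAT toward this egress
            if s.real_if == ingress and s.mapped_if == out_if and s.real == src:
                return ("static", str(s.mapped), out_if)
        for n in self.nats:                             # 3. dynamic PAT to egress interface
            if n.ifname == ingress and src in n.src and (out_if, n.nat_id) in self.globals_:
                return ("pat", str(self.interfaces[out_if]), out_if)
        return ("untranslated", str(src), out_if)


def proposed_config():
    """John's proposed config; addresses other than 10.45.127.66 are constructed."""
    net, ip = IPv4Network, IPv4Address
    asa = Asa(
        interfaces={"inside": ip("10.128.0.1"), "outside": ip("192.0.2.1"), "dmz2": ip("10.45.127.66")},
        routes=[(net("0.0.0.0/0"), "outside"), (net("10.128.0.0/16"), "inside"),
                (net("10.1.0.0/16"), "inside"), (net("10.45.0.0/16"), "dmz2"),
                (net("10.45.137.0/24"), "dmz2")],   # assumed: 10.45.137.0/24 sits behind 10.45.127.6
    )
    asa.nonat = [
        Ace("permit", net("10.125.0.0/16"), net("10.45.0.0/16")),
        Ace("deny", net("10.128.0.0/16"), net("10.45.137.0/24")),
        Ace("deny", net("10.1.0.0/16"), net("10.45.137.0/24")),
        Ace("permit", net("10.128.0.0/16"), net("10.45.0.0/16")),
        Ace("permit", net("10.129.0.0/16"), net("10.45.0.0/16")),
    ]
    asa.nats = [Nat("inside", 1, net("10.128.0.0/16")),
                Nat("inside", 45, net("10.128.0.0/16")),
                Nat("inside", 45, net("10.1.0.0/16"))]
    asa.globals_ = {("outside", 1), ("dmz2", 45)}
    return asa


def reordered_config():
    """Same config with the broad permit placed before the deny lines (a common mistake)."""
    asa = proposed_config()
    a = asa.nonat
    asa.nonat = [a[0], a[3], a[1], a[2], a[4]]
    return asa


def with_static_config():
    """Proposed config plus a constructed 'static (inside,dmz2) 10.45.127.70 10.128.1.10'."""
    asa = proposed_config()
    asa.statics = [Static("inside", "dmz2", IPv4Address("10.128.1.10"), IPv4Address("10.45.127.70"))]
    return asa


if __name__ == "__main__":
    asa = proposed_config()
    for dst in ("10.45.137.20", "10.45.10.5", "198.51.100.7"):
        print("10.128.1.10 ->", dst, asa.translate("inside", "10.128.1.10", dst))
    print("10.1.2.3 -> 10.45.10.5", asa.translate("inside", "10.1.2.3", "10.45.10.5"))
```

Run against the proposed config, the model agrees with John's expectation: 10.128.0.0/16 hosts are PAT'd to 10.45.127.66 only toward 10.45.137.0/24, stay exempt toward the rest of dmz2, and still PAT out the outside interface for everything else. Two points the model makes visible: the deny lines only work because they precede the broader permit (in `reordered_config` the deny is shadowed and the traffic is exempted instead), and a static is consulted only for flows the exemption list does not permit, which is Jon's precedence point. It also shows that 10.1.0.0/16 has no permit entry at all, so it is PAT'd to every dmz2 destination, not just 10.45.137.0/24.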

Re: DMZ and NAT

Jon,

I did and everything's working. =)

Thanks!

John

HTH, John *** Please rate all useful posts ***

Re: DMZ and NAT

John

That's one of the fastest responses I've seen!!

Glad to hear it's working.

Jon

Re: DMZ and NAT

LOL! I stay logged into the forum all day. I use Firefox, so I have a tab for it. When I get an email, I respond :)

HTH, John *** Please rate all useful posts ***