Cisco Support Community

New Member

Global NAT question

With the below config, since there is no "nat" for DMZ3, what will that interface see as the source address for traffic getting to servers from the outside interface?

global (outside) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
global (DMZ4) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ2) 1 192.168.2.0 255.255.255.0 0 0
nat (DMZ4) 0 access-list nonat2
ip address outside 6.2.1.130 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ1 192.168.1.1 255.255.255.0
ip address DMZ2 192.168.2.1 255.255.255.0
ip address DMZ3 192.168.3.1 255.255.255.0
ip address DMZ4 192.168.4.1 255.255.255.0

5 REPLIES
Green

Re: Global NAT question

Wilson, I don't see a nat 0 for DMZ3? Never mind, I misunderstood your question. There needs to be some translation for the traffic to go from DMZ3 to outside.

Silver

Re: Global NAT question

Hi Wilson,

Assuming that you have statics in place for servers on DMZ3 as --

static (DMZ3,outside) X Y

and outside host a.a.a.a is trying to access X, when packet reaches Y (given that ACL on outside interface is permitting access), Y will see the packet coming from a.a.a.a.

This is because there is no "outside" nat configured which would nat packets coming from outside interface.

Hope this helps.

Regards,

Vibhor.

New Member

Re: Global NAT question

Thanks for the input,

So, is the "1" in:

global (DMZ3) 1 interface

doing anything since there is no "nat" statement?

Green

Re: Global NAT question

More than that, the whole statement isn't doing anything because of no nat, not just the 1.

Re: Global NAT question

I'd think the global (DMZ3) 1 would be matched when packets entering any interface with a nat (interface) 1 command had to egress the DMZ3 interface to reach their destination.
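
The NAT-ID pairing described in the last reply, modelled against the posted config as an added example (not code from the thread or from Cisco): a `nat (ingress) N` rule is paired with the `global (egress) N` on the interface the packet leaves through. `parse` and `seen_source` are hypothetical names and the sample host addresses are constructed. Assumptions: the ingress interface has the higher security level (the nameif lines are not shown), the `nat 0 access-list` exemptions are skipped because the ACL contents are not shown, and only address rewriting is modelled, not whether the firewall permits the flow.

```python
import ipaddress

# Constructed from the nat/global/ip address lines posted in the question.
CONFIG = """\
global (outside) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
global (DMZ4) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ2) 1 192.168.2.0 255.255.255.0 0 0
nat (DMZ4) 0 access-list nonat2
ip address outside 6.2.1.130 255.255.255.224
ip address DMZ2 192.168.2.1 255.255.255.0
ip address DMZ3 192.168.3.1 255.255.255.0
ip address DMZ4 192.168.4.1 255.255.255.0
"""

def parse(config):
    """Return (nat rules per ingress, global per (egress, id), interface IPs)."""
    nats, globals_, addrs = {}, {}, {}
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["nat"] and tok[3] != "access-list":
            # nat (if) id network mask ...; nat 0 ACL lines are skipped because
            # the ACL contents are not shown on the page (assumption).
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}")
            nats.setdefault(tok[1].strip("()"), []).append((tok[2], net))
        elif tok[:1] == ["global"]:
            globals_[(tok[1].strip("()"), tok[2])] = tok[3]
        elif tok[:2] == ["ip", "address"]:
            addrs[tok[2]] = tok[3]
    return nats, globals_, addrs

def seen_source(ingress, src, egress, config=CONFIG):
    """Source address a host behind `egress` sees for a packet from `src`."""
    nats, globals_, addrs = parse(config)
    for nat_id, net in nats.get(ingress, []):
        if ipaddress.ip_address(src) in net:
            pool = globals_.get((egress, nat_id))
            # "interface" means PAT to the egress interface address; None means
            # no global with this NAT ID, so no dynamic translation is built.
            return addrs[egress] if pool == "interface" else pool
    return src  # no nat rule on the ingress interface: source is not rewritten
```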
