Cisco Support Community

Global NAT question

With the below config, since there is no "nat" for DMZ3, what will that interface see as the source address for traffic getting to servers from the outside interface?

global (outside) 1 interface

global (DMZ2) 1 interface

global (DMZ3) 1 interface

global (DMZ4) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0 0

nat (DMZ1) 1 0 0

nat (DMZ2) 1 0 0

nat (DMZ4) 0 access-list nonat2

ip address outside

ip address inside

ip address DMZ1

ip address DMZ2

ip address DMZ3

ip address DMZ4


Re: Global NAT question

Wilson, I don't see a nat 0 for DMZ3? Never mind, I misunderstood your question. There needs to be some translation for the traffic to go from DMZ3 to outside.


Re: Global NAT question

Hi Wilson,

Assuming that you have statics in place for servers on DMZ3 as --

static (DMZ3,outside) X Y

and outside host a.a.a.a is trying to access X, when packet reaches Y (given that ACL on outside interface is permitting access), Y will see the packet coming from a.a.a.a.

This is because there is no "outside" nat configured which would nat packets coming from outside interface.

Hope this helps.



Re: Global NAT question

Thanks for the input,

So, is the "1" in:

global (DMZ3) 1 interface

doing anything since there is no "nat" statement?


Re: Global NAT question

More than that, the whole statement isn't doing anything because of no nat, not just the 1.

Re: Global NAT question

I'd think the global (DMZ3) 1 would be matched when packets entering any interface with a nat (interface) 1 command had to egress the DMZ3 interface to reach their destination.
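
The nat/global ID pairing discussed in this thread, as a simplified model added here for illustration (not posted by any participant and not Cisco code). It assumes PIX-style matching of `nat (ifc) id` on the ingress interface to `global (ifc) id` on the egress interface, and it ignores statics, ACL contents and whether the flow is permitted at all; the function names are hypothetical.

```python
import re

# nat/global lines as posted in the question (addresses are elided on the page).
CONFIG = """\
global (outside) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
global (DMZ4) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
nat (DMZ1) 1 0 0
nat (DMZ2) 1 0 0
nat (DMZ4) 0 access-list nonat2
"""

LINE = re.compile(r"^(nat|global) \((\S+)\) (\d+) (.+)$")

def parse(config):
    """Return (nat, glob): interface name -> list of (id, remainder)."""
    nat, glob = {}, {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if m:
            kind, ifc, nat_id, rest = m.groups()
            table = nat if kind == "nat" else glob
            table.setdefault(ifc, []).append((int(nat_id), rest))
    return nat, glob

def source_seen(config, ingress, egress):
    """List what nat/global can do to the source of a flow ingress -> egress."""
    nat, glob = parse(config)
    outcomes = []
    for nat_id, rest in nat.get(ingress, []):
        if nat_id == 0:
            # nat 0 exempts only traffic matched by the ACL (not shown on the page).
            outcomes.append(f"untranslated if matched by {rest}")
            continue
        pools = [g for g_id, g in glob.get(egress, []) if g_id == nat_id]
        if pools:
            outcomes.append(f"translated to {egress} global {nat_id} ({pools[0]})")
        else:
            outcomes.append(f"no global {nat_id} on {egress}")
    # No nat statement on the ingress interface: no global is ever consulted.
    return outcomes or [f"no nat on {ingress}: nat/global does not rewrite the source"]

if __name__ == "__main__":
    for src in ("outside", "inside", "DMZ1", "DMZ4"):
        print(f"{src} -> DMZ3:", source_seen(CONFIG, src, "DMZ3"))
```
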