04-20-2010 11:33 AM - edited 03-11-2019 10:35 AM
Can anyone tell me what these NAT statements are doing? Is this just a way of doing a NAT exemption between two interfaces?
static (DMZ,inside) 172.22.8.0 172.22.8.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 172.22.9.0 172.22.9.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.167.0 192.168.167.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.77.0 192.168.77.0 netmask 255.255.255.0 0 0
Thanks!
04-20-2010 11:40 AM
jgagznos wrote:
Can anyone tell me what these NAT statements are doing? Is this just a way of doing a NAT exemption between two interfaces?
static (DMZ,inside) 172.22.8.0 172.22.8.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 172.22.9.0 172.22.9.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.168.0 192.168.168.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.167.0 192.168.167.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 192.168.77.0 192.168.77.0 netmask 255.255.255.0 0 0
Thanks!
They are presenting the DMZ networks to the inside as the same addresses. So in effect you are NATting, but only to the same addresses.
Why this is happening I'm not sure, as it is more common to see
static (inside,DMZ) .... statements, because you do not need a static statement to go from a higher to a lower security interface, so I'm not sure what they are achieving.
Jon
04-20-2010 11:43 AM
Thanks, Jon - that makes sense and clarifies things for me. I'm thinking that some of these statements are not really necessary (as you pointed out). I appreciate the response!
04-20-2010 11:56 AM
It may be in use to allow devices on the DMZ to make inbound connections, since most inside addresses get PAT'd. So, if something needs to come inside from the DMZ this would address the NAT requirement, but you would still need an ACL to allow the lower-to-higher communication.
04-20-2010 12:14 PM
itrsllcceo wrote:
It may be in use to allow Devices on the DMZ to make inbound connections, since most Inside addresses get PAT'd. So, if something needs to come Inside from the DMZ this would address the NAT requirement, but you would still need an ACL to allow the lower to higher communication.
Richard
That's not quite correct. If devices on the DMZ need to make inbound connections to the inside then you would use a static (inside,DMZ) .. statement.
So
static (inside,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 means
1) any inside source addresses of 192.168.5.x going to the DMZ will be presented as 192.168.5.x on the DMZ
2) any destination addresses of 192.168.5.x from devices on the DMZ to the inside will go to the same 192.168.5.x address on the inside
static (DMZ,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 means
1) any DMZ source addresses of 192.168.5.x going to the inside will be presented as 192.168.5.x on the inside
2) any destination addresses of 192.168.5.x from devices on the inside will go to the same 192.168.5.x address on the DMZ
put more simply the static (inside,DMZ) statement assumes the IPs of 192.168.5.x are on the inside machines and the static (DMZ,inside) assumes the IPs of 192.168.5.x are on the DMZ machines.
Jon
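Added example (editor's addition, not part of the thread and not Cisco's code): a small Python model of the pre-8.3 `static` directionality Jon describes above, so the two statements can be compared side by side. It parses `static` lines in the form used in this thread (the trailing `0 0` connection limits are tolerated and ignored), applies the source-translation rule in the real-to-mapped direction and the destination-translation rule in the mapped-to-real direction, and reports which statement a flow matched, or `None` when no static covers it. The hosts 192.168.5.10 and 10.99.0.20 and the non-identity pair 10.1.1.0/24 to 209.165.201.0/24 are constructed for the example; the non-identity pair goes beyond the identity case on this page to show the host bits being preserved. It models translation only: as Richard notes, an access-list on the lower-security interface is still needed before a DMZ-initiated flow is permitted.

```python
"""Model of the pre-8.3 ASA/PIX statement

    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [max_conns [emb_limit]]

Added example, not from the thread. It encodes the two rules stated above:
  rule 1: traffic entering real_ifc and leaving mapped_ifc whose SOURCE is in
          real_net has its source rewritten into mapped_net;
  rule 2: traffic entering mapped_ifc and leaving real_ifc whose DESTINATION is
          in mapped_net has its destination rewritten into real_net.
With identity statics (mapped == real) both rewrites are no-ops, but the
statement still only matches flows where the network sits behind real_ifc.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Trailing "0 0" (max connections, embryonic limit) is tolerated but ignored.
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)


@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_net: ipaddress.IPv4Network
    real_net: ipaddress.IPv4Network
    text: str


def parse_static(line: str) -> Static:
    """Parse one pre-8.3 static statement into its interfaces and networks."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    mask = m["mask"]
    return Static(
        real_ifc=m["real_ifc"],
        mapped_ifc=m["mapped_ifc"],
        mapped_net=ipaddress.IPv4Network(f"{m['mapped']}/{mask}", strict=False),
        real_net=ipaddress.IPv4Network(f"{m['real']}/{mask}", strict=False),
        text=line.strip(),
    )


def _rebase(ip: ipaddress.IPv4Address, src_net: ipaddress.IPv4Network,
            dst_net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Swap the network bits, keep the host bits (what a netmask static does)."""
    host_bits = int(ip) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + host_bits)


def translate(statics: List[Static], in_ifc: str, out_ifc: str,
              src: str, dst: str) -> Optional[Tuple[str, str, str]]:
    """Apply the first static that covers the flow.

    Returns (translated_src, translated_dst, matching_statement), or None when
    no static covers the flow (the firewall would then consult nat/global,
    which is outside this model)."""
    s_ip, d_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for s in statics:
        # rule 1: real -> mapped, source is translated
        if in_ifc == s.real_ifc and out_ifc == s.mapped_ifc and s_ip in s.real_net:
            return str(_rebase(s_ip, s.real_net, s.mapped_net)), str(d_ip), s.text
        # rule 2: mapped -> real, destination is translated
        if in_ifc == s.mapped_ifc and out_ifc == s.real_ifc and d_ip in s.mapped_net:
            return str(s_ip), str(_rebase(d_ip, s.mapped_net, s.real_net)), s.text
    return None


# The two statements Jon contrasts, one of the original poster's lines, and a
# constructed non-identity static (10.1.1.0/24 shown as 209.165.201.0/24).
INSIDE_DMZ = parse_static("static (inside,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0")
DMZ_INSIDE = parse_static("static (DMZ,inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0")
OP_DMZ = parse_static("static (DMZ,inside) 172.22.8.0 172.22.8.0 netmask 255.255.255.0 0 0")
NON_IDENTITY = parse_static("static (inside,outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.0")

# Constructed sample hosts, not from the thread: 192.168.5.10 is the host being
# described, 10.99.0.20 is a peer on the other interface, 198.51.100.7 is an
# outside host.
if __name__ == "__main__":
    cases = [
        ([INSIDE_DMZ], "inside", "DMZ", "192.168.5.10", "10.99.0.20"),
        ([INSIDE_DMZ], "DMZ", "inside", "10.99.0.20", "192.168.5.10"),
        ([DMZ_INSIDE], "inside", "DMZ", "192.168.5.10", "10.99.0.20"),  # no match
        ([DMZ_INSIDE], "DMZ", "inside", "192.168.5.10", "10.99.0.20"),
        ([OP_DMZ], "inside", "DMZ", "10.99.0.20", "172.22.8.5"),
        ([NON_IDENTITY], "inside", "outside", "10.1.1.3", "198.51.100.7"),
        ([NON_IDENTITY], "outside", "inside", "198.51.100.7", "209.165.201.3"),
    ]
    for statics, i, o, s, d in cases:
        print(f"{i:>7} -> {o:<7} {s:>14} -> {d:<14} : {translate(statics, i, o, s, d)}")
```

Running the file prints one line per flow. The third case is the point of Jon's reply: with only a `static (DMZ,inside) 192.168.5.0 ...` line configured, inside-sourced 192.168.5.x traffic heading to the DMZ matches nothing, because that statement assumes 192.168.5.x lives on the DMZ. The last two cases show the same rules rewriting 10.1.1.3 to 209.165.201.3 and back when the mapped and real networks differ.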