Cisco Support Community
New Member

NAT in the DMZ

We are trying to upgrade from 8.2 to 8.3 (or beyond) and want to know whether, with the changes to NAT, we need to convert all of our NAT rules for access from the DMZ to the internal network. We have some static NAT statements for both single IPs and subnets, in addition to global NAT statements for NAT and no-NAT on the DMZ interface. Can access between the networks be accomplished with ACLs only, or do I still have to use NAT?


4 REPLIES
Hall of Fame Super Silver

Re: NAT in the DMZ

I'm not sure if I understand all of your assumptions, but NAT has never been required to allow traffic between interfaces (or security zones). It's generally used between inside and/or DMZ to outside so as to allow one to have an independently managed network using private IP addressing (RFC 1918).

That said, if you're using NAT now, you can continue to do so post-upgrade. The built-in upgrade tool will parse your 8.2 configuration and convert the existing NAT statements as required. There are a few gotchas documented in other threads and a few documents here and elsewhere but generally it works well.

The Cisco TAC is well-versed in supporting such migrations and is happy to help out.

If you're upgrading from 8.2(x), I'd recommend you go straight to the current release - 8.4(3).

New Member

NAT in the DMZ

Thank you for replying, and my apologies for the vague question. In most of the firewall configurations I have seen, or examples Cisco has provided, there has always been a NAT statement like the one listed below.

static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0

If routing and proper ACLs are in place, is there a purpose or need for this type of NAT statement, which basically states "don't NAT"? My apologies if this seems like a simple question, but if the routing and ACLs exist, why NAT the IPs to the same source and destination?

Thanks,

Eric

Hall of Fame Super Silver

Re: NAT in the DMZ (Accepted Solution)

IF that's in place (though an ACL is not required from higher security to lower - it's allowed by default) - AND there are no globals etc. affecting it AND your inside interface is at a higher security level than the DMZ - then no, you don't need it. However, it doesn't hurt. As you note, it is really a "no NAT" statement as written.
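
The following is an added illustration, not part of the original thread or of any Cisco migration output. It places the 8.2 identity static quoted above next to its two 8.3+ equivalents and shows the parts of the configuration the accepted answer actually relies on: the relative security levels, and an inbound ACL on the DMZ, since DMZ-to-inside is lower-to-higher and is not permitted by default. Interface names, the object names NET-172.16.34.0 and DMZ-WEB, the DMZ host 10.10.10.5, the ACL name DMZ_IN and the TCP port are assumptions chosen for the example; the migration tool generates its own object names.

```cisco
! Interface security levels assumed for the example (names are assumptions).
! The answer's condition: inside must be at a higher level than the DMZ.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50

! --- ASA 8.2: identity ("no NAT") static, exactly as posted in the thread ---
static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0

! --- ASA 8.3+ equivalent, object (auto) NAT form ---
! Real and mapped object are the same, so nothing is translated.
! Object name is this example's choice, not what the migration tool emits.
object network NET-172.16.34.0
 subnet 172.16.34.0 255.255.255.0
 nat (inside,DMZ) static NET-172.16.34.0

! --- ASA 8.3+ equivalent, twice (manual) NAT form of the same identity rule ---
! Either form may be present after migration; only one is needed.
nat (inside,DMZ) source static NET-172.16.34.0 NET-172.16.34.0

! --- What actually permits DMZ -> inside traffic (lower to higher security) ---
! An ACL applied inbound on the DMZ interface is required regardless of NAT.
! Since 8.3, ACLs match on real (untranslated) addresses; with identity NAT
! real and mapped addresses are the same, so this ACL is unaffected by NAT.
! DMZ-WEB and port 1433 are constructed sample values.
object network DMZ-WEB
 host 10.10.10.5
access-list DMZ_IN extended permit tcp object DMZ-WEB 172.16.34.0 255.255.255.0 eq 1433
access-group DMZ_IN in interface DMZ
```

The identity NAT lines can be removed entirely and the ACL still governs DMZ-to-inside access, which is the accepted answer's point. Keeping them is harmless, but if any other `nat` or `global` statement on the DMZ interface overlaps 172.16.34.0/24, the identity rule is what prevents that traffic from being translated, so check for such overlaps before deleting it.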

New Member

NAT in the DMZ

Thank you for the confirmation and the insight!
