bma
New Member

NAT question

Hi

What is static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.255 0 0 for? Is it no NAT for the 192.168.100.0 network? If I remove this line, what happens?

Could I use the following lines together?

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.255 0 0

static (inside,dmz) 192.168.4.70 192.168.100.50 netmask 255.255.255.255 0 0

Thanks

ben

9 REPLIES

Re: NAT question

Ben,

No, you have the wrong netmask. But if you change the netmask to 255.255.255.0 it would mean that you can access the 192.168.100.0/24 network from the dmz using the real addresses (if the dmz acl permits).

And yes you can use a static for the network together with a static for one ip, if you use different netmasks.

bma
New Member

Re: NAT question

Thanks

What is the difference between using the real address and the NAT address in the inside and dmz networks? Does it affect application access?

ben

Re: NAT question

There is no difference. Normally you do not have to translate addresses between the inside and dmz networks, but you can do it either way.

If you need to initiate connections from the DMZ to the inside you must use the static command for some addresses or the entire network (but you do not have to translate the addresses).

But if you only need the inside to access the dmz, you can instead use nat/global command. That will only allow outbound connections from the inside.

bma
New Member

Re: NAT question

Thanks

If I use a virtual server IP address (NetScaler) in the dmz, and the real server IP address is internal, do I need to do a static from the dmz to internal?

Ben

Re: NAT question

Yes, you need static statements to permit access from any interface when you are going to the inside.

You also need an access-list to permit the traffic on the dmz interface.

bma
New Member

Re: NAT question

Thanks

I just tried adding one static line:

static (inside,dmz) 192.168.4.150 192.168.0.250 netmask 255.255.255.255 0 0

but it failed; the message is: real-address conflict with existing static

inside: 192.168.0.0 to dmz: 192.168.0.0 netmask 255.255.255.0

Looks like I have to remove static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0 from the pix.

What is the risk of removing this line? Maybe some IPs are denied access?

Ben

Re: NAT question

Sorry, you need to use policy nat.

access-list HOST1 permit ip host 192.168.0.250 192.168.4.0 255.255.255.0

static (inside,dmz) 192.168.4.150 access-list HOST1

I am not sure if you have to remove the other static, try it without first.

If it does not work you have to remove it, but then people will lose connectivity, and add it again with policy-nat:

access-list NET1 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0

static (inside,dmz) 192.168.0.0 access-list NET1

Gold

Re: NAT question

If nat-control is enabled (assuming PIX/ASA OS 7.x and later), or if you're using PIX OS 6.x or earlier, you need to enable nat between any higher security level interface and any lower security level interface.

You can use any type of nat except identity nat if hosts on the lower security interface need to initiate connections back to the higher level security interface.

This means you can use any type of nat except the following:

nat (inside) 0 192.168.1.0 255.255.255.0

or

nat (inside) 0 192.168.1.1 255.255.255.255

...just for example.

nat exemption allows connections to be initiated both ways and looks like the following:

nat (inside) 0 access-list 101

Any nat involving the static command also allows connections to be initiated from either side.
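An added audit script, not code from this thread or from Cisco, that covers two points raised above: the "real-address conflict with existing static" Ben hit when adding a host static whose real address falls inside an existing network static, and Gold's rule about which NAT forms let hosts on the lower-security interface initiate connections. The sample config fragment, the regular expressions, the interface names and the overlap rule (treating any overlap of real-address ranges between two plain statics on the same interface pair as the conflict) are my assumptions, built from the commands quoted in the thread rather than taken from PIX documentation.

```python
import ipaddress
import re

# Constructed sample config fragment assembled from the commands quoted in this
# thread (not a real device's configuration). The host static on the 5th line
# has a real address inside the /24 identity static above it.
SAMPLE_CONFIG = """\
nat (inside) 0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.4.150 192.168.0.250 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.4.150 access-list HOST1
access-list HOST1 permit ip host 192.168.0.250 192.168.4.0 255.255.255.0
"""

# Assumed line patterns for the command forms that appear in the thread.
NAT_EXEMPT_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)$")       # nat exemption
IDENTITY_RE = re.compile(r"^nat \((\w+)\) 0 (\S+) (\S+)$")                # identity nat
DYNAMIC_RE = re.compile(r"^nat \((\w+)\) ([1-9]\d*) (\S+) (\S+)")         # nat/global
POLICY_STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) access-list (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


def classify(line):
    """Classify one NAT line and say whether hosts on the lower-security side
    may initiate connections through it (the rule laid out in Gold's reply:
    identity nat and plain nat/global are outbound only; nat exemption and any
    static work both ways). Returns (kind, inbound_initiation_allowed)."""
    line = line.strip()
    if NAT_EXEMPT_RE.match(line):          # must be tested before IDENTITY_RE
        return ("nat-exemption", True)
    if IDENTITY_RE.match(line):
        return ("identity-nat", False)
    if DYNAMIC_RE.match(line):
        return ("dynamic-nat", False)
    if POLICY_STATIC_RE.match(line) or STATIC_RE.match(line):
        return ("static", True)
    return ("other", None)


def find_static_conflicts(config_text):
    """Return (new_line, existing_line) pairs of plain statics on the same
    interface pair whose real-address ranges overlap. Assumption: this is the
    condition behind the 'real-address conflict' error quoted in the thread.
    Policy statics (access-list form) are left out of the check."""
    seen = []        # [(interface_pair, real_network, line), ...]
    conflicts = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if not m:
            continue
        high, low, _mapped, real, mask = m.groups()
        real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
        for prev_pair, prev_net, prev_line in seen:
            if prev_pair == (high, low) and real_net.overlaps(prev_net):
                conflicts.append((line, prev_line))
        seen.append(((high, low), real_net, line))
    return conflicts


def audit(config_text):
    """Classify every nat/static line and collect static conflicts."""
    rows = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith(("nat ", "static ")):
            kind, inbound = classify(line)
            rows.append((line, kind, inbound))
    return {"lines": rows, "conflicts": find_static_conflicts(config_text)}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for line, kind, inbound in report["lines"]:
        print(f"{kind:14} inbound-initiation={inbound!s:5} {line}")
    for new, old in report["conflicts"]:
        print(f"CONFLICT: {new!r} overlaps the real range of {old!r}")
```

Run against the sample, the script flags the host static as conflicting with the /24 identity static, while the policy-NAT form of the same mapping (the access-list static Ben was given) passes the check, which is the workaround the thread arrives at; the classification column also shows why identity nat and nat/global alone would not let the dmz reach the inside.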

bma
New Member

Re: NAT question

Thanks

ben
