New Member

NAT to Inside interface...Sounds untraditional! But required...

I have:

DMZ:security level 50

Inside:security level 50

I use nat-control for communication.

How to enable NAT from Dmz to Inside?

Thanks

12 REPLIES
New Member

Re: NAT to Inside interface...Sounds untraditional! But required

Sorry, mistake.

Inside:security level 100

Bronze

Re: NAT to Inside interface...Sounds untraditional! But required

Hello,

Normal statics should work.

If you want to actually use the 'nat' command, you have to use the keyword 'outside' at the end of the nat command (when going from lower to higher security level interfaces).

Example:

nat (dmz) 1 192.168.1.0 255.255.255.0 outside

global (inside) 1 interface

--Jason

Please rate this message if it helped solve some or all of your question/issue.

New Member

Re: NAT to Inside interface...Sounds untraditional! But required

Hi again,

Should I also put an ACL on the 'in' direction of the protected network (inside) interface?

Green

Re: NAT to Inside interface...Sounds untraditional! But required

What are you looking to accomplish? To go from inside to dmz you will not need an ACL. To go from dmz to inside, yes, you will need an ACL, but it would be applied inbound on the dmz interface.

New Member

Re: NAT to Inside interface...Sounds untraditional! But required

Hi again,

I want to get from dmz to inside.

That is my question: why should I put an ACL on the 'in' direction of the dmz interface? By logic the ACL should be on the inside interface, as I am going to inside...

Please correct me if I am wrong.

thanks

Leo

Green

Re: NAT to Inside interface...Sounds untraditional! But required

Leo,

I understand what you are saying, but you have to become familiar with how ACLs are applied. When going from a lower security interface (dmz) to a higher security interface (inside) you need to have an ACL. Therefore, going from dmz to inside, the traffic is checked against an ACL "into the dmz port", as this is where the traffic needs to go to get to the inside. I suppose you could also write an ACL "out of inside" interface, but that is not usually how it's done. I don't know another way to explain it.

New Member

Re: NAT to Inside interface...Sounds untraditional! But required

Hi,

Thanks for your reply.

As I know, to restrict incoming traffic you should use an inbound ACL. For outgoing traffic you should use an outbound ACL.

For example, I have an ACL enabled on the 'in' direction of the outside interface (to make web resources available for public usage).

I don't need any ACL when I access the outside from dmz and inside.

I thought that when going from the dmz (lower) to the inside (higher) interface, I need to put a permit ACL on the 'in' direction of the inside interface.

Maybe you are right that I also need to put a permit ACL on the 'out' direction of the dmz interface. But I can't understand why I need to put a permit ACL on the 'in' direction of the dmz interface?

Thanks

Leo

Green

Re: NAT to Inside interface...Sounds untraditional! But required

Leo,

Please read again what I wrote. I never said to put an ACL on the out direction of the dmz. I said if you want the dmz to access the inside you need an ACL 'in' on interface dmz. Just as if you need outside to access inside you need an ACL 'in' on interface outside.

New Member

Re: NAT to Inside interface...Sounds untraditional! But required

Hi,

Thank you.

I understood.

regards

Leo

New Member

Re: NAT to Inside interface...Sounds untraditional! But required

Hi,

Sorry for disturbing.

As you told me, I have put an ACL 'in' on the DMZ (security level 50) interface. So I have a restriction from dmz to inside (security level 100). It is OK for me. But this ACL also made the restriction from dmz to outside. This is not good for me, because, for example, if I need the DMZ servers to go to outside by TCP 25, I need to add a permit statement in the ACL for TCP 25. But it will also allow DMZ servers to initiate connections by TCP 25 to the inside interface, which is not required at all...

I managed to solve it after adding some deny statements in the ACL. But I am interested: is there any alternative, better solution?

So I will be able to make different restrictions for outside and inside from the DMZ.

thanks

Green

Re: NAT to Inside interface...Sounds untraditional! But required

It is all how you write your access-list.

1. Permit what you want inside

2. Deny everything else inside

3. Permit what you want outside

4. Explicit Deny

You can still make different restrictions to outside and to inside.
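A first-match simulation of the four-step ordering above, as an added example that is not from the thread: it parses a constructed ASA/PIX-style access-list for the DMZ 'in' direction (assumed addressing: DMZ 192.168.1.0/24, inside 10.0.0.0/8 with a mail relay at 10.0.0.25) and shows why step 2, the "deny everything else inside" line, is what keeps the TCP 25 permit toward outside from also opening TCP 25 to inside hosts, the problem raised in the previous post.

```python
"""First-match evaluation of an ASA/PIX-style access-list applied 'in' on the DMZ interface."""
import ipaddress

# Constructed configuration, not from the thread. Assumed addressing: DMZ 192.168.1.0/24,
# inside 10.0.0.0/8, with a mail relay at 10.0.0.25 that the DMZ may reach on TCP 25.
DMZ_IN_ACL = """
access-list DMZ_IN extended permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.25 eq 25
access-list DMZ_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq 25
access-list DMZ_IN extended deny ip any any
"""

def _addr(tokens):
    """Consume one address spec from the token list: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2] != "extended":
            raise ValueError(f"unsupported line: {line}")
        rest = t[5:]
        src, dst = _addr(rest), _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((t[3], t[4], src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching ACE; the ASA ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, dport):
            return action
    return "deny"

def loose_rules():
    """The same ACL with step 2 ('deny everything else inside') left out, to show what it protects."""
    kept = [l for l in DMZ_IN_ACL.strip().splitlines() if "deny ip any 10.0.0.0" not in l]
    return parse_acl("\n".join(kept))
```

With the full list, a DMZ host reaches the relay on TCP 25 and any outside host on TCP 25, but nothing else inside; drop the step 2 line and the same permit also matches TCP 25 to every inside host.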

New Member

Re: NAT to Inside interface...Sounds untraditional! But required

Hi,

There is a feature called NAT. I used to make it work on our firewalls, but it depends on the software version used. Please search for outside NAT (actually it is the 'outside' word that makes it different from the ordinary NAT). And you should take care when writing the ACL on the DMZ interface. I cannot remember exactly, but there was something specific.
