NoNat between dmz and inside

jcw009
Level 1

Do I need two statements to disable nat between the inside and dmz networks, one for each interface?

3 Replies

Jon Marshall
Hall of Fame

Jeff

No, nat exemption is bidirectional so you can either do

inside net = 192.168.5.0/24

dmz net = 172.16.5.0/24

1) static NAT translation

static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

this will allow internal hosts to access DMZ hosts and DMZ hosts to access internal hosts

OR

2) access-list NONAT permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0

nat (inside) 0 access-list NONAT

Technically speaking only 2 is actually not doing NAT but 1) would achieve the same result for you.

Jon
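As an added illustration (not from the original thread and not Cisco code), a small Python checker that parses the classic pre-8.3 ASA/PIX forms shown above and answers whether a given flow is exempt from translation. It treats the exemption as bidirectional, as the reply states, and deliberately ignores interface scoping; the config lines are constructed from the networks in the reply.

```python
import ipaddress
import re

# Constructed sample config (classic pre-8.3 ASA/PIX syntax) combining the two
# options from the reply above. Added illustration, not Cisco code.
SAMPLE_CONFIG = """\
access-list NONAT permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)$")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_exemptions(config):
    """Return (src_net, dst_net) pairs exempt from NAT, as written in the config.
    nat (ifc) 0 access-list NAME -> every 'permit ip' entry of NAME.
    static (a,b) X X netmask M   -> identity static: X/M to any destination.
    Interface scoping is ignored; only address coverage is checked."""
    acls, nat0_names, pairs = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif m := NAT0_RE.match(line):
            nat0_names.append(m.group(2))
        elif m := STATIC_RE.match(line):
            _, _, real, mapped, mask = m.groups()
            if real == mapped:  # only an identity static counts as "no NAT"
                pairs.append((net(real, mask), ANY))
    for name in nat0_names:  # resolve after the pass so ACL order does not matter
        pairs.extend(acls.get(name, []))
    return pairs


def is_exempt(config, src, dst):
    """True if a src->dst packet passes untranslated. Exemption is bidirectional,
    so a pair written inside->dmz also covers the dmz->inside direction."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((src in a and dst in b) or (src in b and dst in a)
               for a, b in parse_exemptions(config))


if __name__ == "__main__":
    print(is_exempt(SAMPLE_CONFIG, "192.168.5.10", "172.16.5.20"))  # True
    print(is_exempt(SAMPLE_CONFIG, "172.16.5.20", "192.168.5.10"))  # True
    print(is_exempt(SAMPLE_CONFIG, "10.9.9.9", "172.16.5.20"))      # False
```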

So, as long as there is the 'destination' (per the nonat acl) network somewhere on another interface, it doesn't matter which interface it's on for the nat exemption to work. Correct? Because once the traffic passes through the nat 'engine', then it just gets routed to the appropriate interface.

But you still have to apply the nat exemption to an interface, does that mean that it doesn't matter which interface you apply it to?

Maybe I'm overthinking this and missing something.

Jeff

"But you still have to apply the nat exemption to an interface, does that mean that it doesn't matter which interface you apply it to? "

I'm assuming when you say this you mean either the inside or dmz interface because obviously if you applied it to a totally different interface it would not have the effect you wanted.

As for applying it to either the inside or dmz interface, to be honest I have only ever applied it on the higher security interface, in this case the inside interface.

Jon
