06-07-2007 11:03 AM - edited 03-11-2019 03:26 AM
I hope this is enough information to answer these questions:
Say I have a mail server on the inside interface (10.1.10.1) and it is required to relay to a server on the DMZ interface (192.168.1.1).
With the below config parameters, is the following true:
1. The inside network is going to NAT anything from the inside network to the 192.168.1.254 address.
2. Everything inbound to the DMZ server from the Inside interface will look like it is coming from the 192.168.1.254 address.
3. All traffic originating from the DMZ server will send to the 192.168.1.254 address.
4. The access list DMZ is not needed in this case to allow traffic to host 10.1.10.1
global (DMZ) 1 192.168.1.254
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list dmz permit tcp host 192.168.1.1 host 10.1.10.1
access-list dmz permit udp host 192.168.1.1 host 10.1.10.1
access-list NO_NAT permit ip host 10.1.10.1 host 192.168.1.1
access-list inside permit tcp host 10.1.10.1 host 192.168.1.1 eq smtp
06-07-2007 02:57 PM
I don't think in this whole thread you've really said what you want to accomplish when this is done.
06-07-2007 03:16 PM
I was just trying to understand what the different config lines are doing
I think the communication was working fine before which was:
Inside server 10.1.10.1 can access DMZ server 192.168.1.1.
And DMZ server can initiate communication to inside server.
It was working before the PIX guy put in the NAT exemption.
I was just trying to understand the logic of what each line is doing and why it was put there, thats all.
06-07-2007 03:24 PM
Ah ok, wasn't sure if it was working or not. You can remove the nat exemption as the static command is doing the same thing.
06-07-2007 03:48 PM
So, the NAT exemption is doing nothing because the static is taking precedence?
I appreciate the explanations
06-07-2007 04:09 PM
No, the static is doing nothing as the NAT exemption is #1 in priority. But if you removed the NAT exemption the static would take its place. Sorry for the confusion.
1. nat 0 access-list (NAT exemption)
2. static (static NAT)
3. static {tcp | udp} (static PAT)
4. nat nat_id access-list (policy NAT)
5. nat (regular NAT)
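The precedence list above, applied to the config lines from the opening post and to the questions asked there, as an added example (not code from the thread, from Cisco, or from any PIX release): a Python model that parses the posted lines and reports which NAT rule wins for a given flow, and what source address the DMZ side sees. The line `static (inside,DMZ) 10.1.10.1 10.1.10.1` is an assumption: the thread refers to a static command that does the same job as the exemption but never shows it, so an identity static is used here. Static PAT (`static {tcp | udp}`) is listed as step 3 above but is not modelled, since the posted config has none.

```python
"""Model of PIX NAT rule precedence (nat 0 access-list > static > policy NAT >
regular NAT) run against the config posted in the thread. Added illustration,
not PIX code; the identity static is an ASSUMPTION, not a line from the thread."""
import ipaddress

# Constructed config. The first four lines are from the opening post; the
# static is assumed, since the thread mentions one but never shows it.
CONFIG = """\
global (DMZ) 1 192.168.1.254
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list NO_NAT permit ip host 10.1.10.1 host 192.168.1.1
static (inside,DMZ) 10.1.10.1 10.1.10.1 netmask 255.255.255.255
"""


def _addr(tokens, i):
    """Consume 'host X', 'any' or 'NET MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse(text):
    """Turn the relevant global/nat/static/access-list lines into rule records."""
    rules = {"global": [], "nat": [], "static": [], "acl": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "global":            # global (iface) id mapped_ip
            rules["global"].append((t[1].strip("()"), int(t[2]), t[3]))
        elif t[0] == "nat":             # nat (iface) id {access-list NAME | net mask ...}
            iface, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                rules["nat"].append({"iface": iface, "id": nat_id, "acl": t[4]})
            else:
                rules["nat"].append({"iface": iface, "id": nat_id, "net": _addr(t, 3)[0]})
        elif t[0] == "static":          # static (real_if,mapped_if) mapped_ip real_ip
            real_if, mapped_if = t[1].strip("()").split(",")
            rules["static"].append({"real_if": real_if, "mapped_if": mapped_if,
                                    "mapped": t[2], "real": t[3]})
        elif t[0] == "access-list":     # access-list NAME permit proto SRC DST [eq port]
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            rules["acl"].setdefault(t[1], []).append((t[2], t[3], src, dst))
    return rules


def _acl_permits(aces, proto, src, dst):
    """First matching ACE decides; 'ip' matches any protocol."""
    for action, p, s, d in aces:
        if (p == "ip" or p == proto) and src in s and dst in d:
            return action == "permit"
    return False


def _global_for(rules, iface, nat_id):
    return next((a for g_if, g_id, a in rules["global"] if g_if == iface and g_id == nat_id), None)


def translate(rules, src_if, src_ip, dst_if, dst_ip, proto="tcp"):
    """Return (winning rule, source address seen on dst_if), checked in PIX precedence order."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exemption: matching traffic crosses untranslated.
    for n in rules["nat"]:
        if n["id"] == 0 and n["iface"] == src_if and "acl" in n \
                and _acl_permits(rules["acl"].get(n["acl"], []), proto, src, dst):
            return "nat 0 access-list (NAT exemption)", src_ip
    # 2. static NAT (static PAT, step 3, is not modelled: the posted config has none).
    for s in rules["static"]:
        if s["real_if"] == src_if and s["mapped_if"] == dst_if and s["real"] == src_ip:
            return "static (static NAT)", s["mapped"]
    # 4. policy NAT, then 5. regular NAT: both map to the global with the same nat_id.
    for want in ("acl", "net"):
        for n in rules["nat"]:
            if n["id"] == 0 or n["iface"] != src_if or want not in n:
                continue
            hit = (_acl_permits(rules["acl"].get(n["acl"], []), proto, src, dst)
                   if want == "acl" else src in n["net"])
            if hit:
                kind = "nat nat_id access-list (policy NAT)" if want == "acl" else "nat (regular NAT)"
                return kind, _global_for(rules, dst_if, n["id"])
    return "no rule", None


def without_exemption(text):
    """The same config with the nat 0 line removed, as suggested in the thread."""
    return "\n".join(ln for ln in text.splitlines() if not ln.startswith("nat (inside) 0 "))


if __name__ == "__main__":
    full, trimmed = parse(CONFIG), parse(without_exemption(CONFIG))
    print(translate(full, "inside", "10.1.10.1", "DMZ", "192.168.1.1"))     # exemption wins
    print(translate(full, "inside", "10.1.10.50", "DMZ", "192.168.1.1"))    # other hosts: PAT to 192.168.1.254
    print(translate(trimmed, "inside", "10.1.10.1", "DMZ", "192.168.1.1"))  # static takes its place
```

Running it shows the three answers the thread converges on: the mail server's traffic to 192.168.1.1 is exempted and arrives with its real 10.1.10.1 address, any other inside host reaching the DMZ is translated to 192.168.1.254 by `global (DMZ) 1`, and once the `nat 0` line is removed the (assumed) identity static matches next and produces the same untranslated address, which is why the exemption and the static are described as doing the same thing.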
06-07-2007 05:16 PM
Thanks,
And they are accomplishing the same thing correct?
So actually adding the exemption has no effect
06-07-2007 05:22 PM
Hey acomiskey,
I could use your help with a CSS scenario
06-07-2007 05:33 PM
Maybe tomorrow, I've had enough for one day..haha.
I think we are both in the same boat on the CSS, I will be attempting to convert to Zone based dns soon, so we can probably help each other. Thanks for all the ratings by the way, it's good to see someone acknowledging when you're getting helped.
06-07-2007 06:01 PM
You are very welcome, you deserve it
you don't know how much I appreciate your help and this forum.
I agree tomorrow
Thanks duder
09-21-2010 09:21 PM
I found an interesting blog post referring to this issue. Please follow the link http://blog.athenasecurity.net/2010/09/20/nat-confusion-and-config-debugging/