I've done a bit of reading on the topic of NAT on the PIX/ASA but still have a few questions that I'm looking for clarification on.
Based on the diagram attached, I'm thinking there are 3 ways to get this working with NAT. There is no need on the PIX/ASA in the diagram to allow the users to access the Internet. The Internet here is used only as a method to establish a LAN-to-LAN IPSec tunnel.
Method 1: no nat-control command. This should exempt ALL traffic from NAT, right?
- Do I also need "global" statements like these in order for the "nat" commands to work properly or is that just needed if I was sending traffic to the Internet so the clients could browse websites?
global (Outside) 0 interface global (DMZ) 0 interface global (Inside) 0 interface
- For traffic going from an interface with higher security level to a lower one, traffic should be allowed I believe.
- If going from a lower security level to a higher one, I know I need an ACL to permit the traffic.
- Do I also need a static NAT translation?
- Would the "nat (DMZ) 0 10.132.65.0 255.255.255.0" command work to exempt NAT on traffic from the lower security level interface to a higher one or would only the static NAT translation be looked at for this?
- If both "static" and "nat" commands, are the "static" commands looked at first before the "nat" commands?
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :