Cisco Support Community

Different NAT and FW rules on multiple inside interfaces

I have a really simple config that I would like to add a DMZ to, if possible.

Currently, I have a 2821 between my local LAN and the Internet. Here's how it is connected:

Gi0/0 (10.254.1.1) goes to LAN Core (10.254.1.2)

Gi0/1 (a.b.c.d) goes out to Internet

Right now, I am doing PAT on the outside IP (a.b.c.d) for the Local LAN to get out to the Internet. I am also running the IOS Firewall with CBAC in a fairly restrictive configuration. The ACLs are applied as follows:

100 inbound on inside int Gi0/0

102 inbound on outside int Gi0/1

CBAC inspect outbound on outside int Gi0/1

What I would like to do now is add a DMZ network with static NAT translations for the DMZ servers, and no CBAC, just standard ACLs for traffic filtering. I have another internal interface I can use for this.

Can I do PAT between one int and outside and static NAT between another int and the same outside int?

Can I also apply different firewall rules between different inside interfaces and the outside int? Would it be as simple as applying the ip inspect rule inbound on Gi0/0 instead of outbound on Gi0/1?

Attached are the relevant parts of my config for reference.

2 REPLIES

Re: Different NAT and FW rules on multiple inside interfaces

Hi .. in regards to your questions ..

1.- Can I do PAT between one int and outside and static NAT between another int and the same outside int?

Answer: if you want to use the same IP address of the outside interface for PAT and also for static NAT, then that is not possible. You need spare IP address(es) for the static maps. You can use the same public address (port redirection) if the services mapped are different; for example, smtp (25) and http (80) can be statically mapped to the same public address, but again this needs to be different from any that you are already using for PAT.

2.- Can I also apply different firewall rules between different inside interfaces and the outside int..

Answer: Yes, you can, as every interface can support ip inspect rules in both directions, and they can be different on every interface.

I hope it helps .. please rate it if it does !!!
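Both answers above, put together as an IOS config fragment. This is an added example, not config from the thread or from the poster's attachment. Assumptions: 203.0.113.1/28 stands in for the post's a.b.c.d on Gi0/1, 203.0.113.2 and .3 are spare addresses from the same /28, the DMZ sits on an assumed third interface Gi0/2 as 192.168.100.0/24 with servers .10 (SMTP relay), .11 and .12 (web), and ACL 110, the NAT ACL name and the inspect name LAN-INSPECT are chosen here. The poster's existing ACL 100 and the rest of ACL 102 are not shown; the ACL 102 lines below are the DMZ additions that go ahead of its final deny.

```cisco
! Added example, not from the original post. See the lead-in for what is assumed.
!
! --- NAT: PAT the LAN onto the interface address, static maps on spare addresses ---
! The overload ACL covers the LAN only; DMZ hosts are translated by their statics.
ip access-list standard NAT-LAN
 permit 10.254.1.0 0.0.0.255
!
ip nat inside source list NAT-LAN interface GigabitEthernet0/1 overload
!
! 1:1 static on a spare address: all traffic to and from .10 is translated,
! so this host can also originate sessions (outbound SMTP, DNS).
ip nat inside source static 192.168.100.10 203.0.113.2
!
! Port redirection: two web hosts share one spare address on different ports.
! A port-only static translates ONLY that port, so .11 and .12 can accept
! connections on 80/443 but cannot originate sessions to the Internet.
ip nat inside source static tcp 192.168.100.11 80 203.0.113.3 80
ip nat inside source static tcp 192.168.100.12 443 203.0.113.3 443
!
! --- CBAC for the LAN only, applied inbound on the LAN interface ---
ip inspect name LAN-INSPECT tcp
ip inspect name LAN-INSPECT udp
ip inspect name LAN-INSPECT icmp
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.254.1.1 255.255.255.0
 ip nat inside
 ip access-group 100 in
 ip inspect LAN-INSPECT in
!
interface GigabitEthernet0/2
 description DMZ (no CBAC, plain ACL; assumed interface name)
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip access-group 110 in
!
interface GigabitEthernet0/1
 description Internet
 ip address 203.0.113.1 255.255.255.240
 ip nat outside
 ip access-group 102 in
!
! --- DMZ inbound ACL (assumed number 110). Inbound ACLs are evaluated before
!     inside-to-outside NAT, so this ACL sees the private DMZ addresses.
!     First entry keeps a compromised DMZ host away from the LAN.
access-list 110 deny   ip 192.168.100.0 0.0.0.255 10.254.1.0 0.0.0.255
access-list 110 permit tcp host 192.168.100.10 any eq 25
access-list 110 permit udp host 192.168.100.10 any eq 53
access-list 110 deny   ip any any log
!
! --- Outside inbound ACL additions. This ACL is evaluated before
!     outside-to-inside NAT, so it must name the public (global) addresses.
!     CBAC opens temporary return holes here for LAN sessions; the DMZ has no
!     CBAC, so return traffic for the relay's own sessions is permitted statically.
access-list 102 permit tcp any host 203.0.113.2 eq 25
access-list 102 permit tcp any eq 25 host 203.0.113.2 established
access-list 102 permit udp any eq 53 host 203.0.113.2 gt 1023
access-list 102 permit tcp any host 203.0.113.3 eq 80
access-list 102 permit tcp any host 203.0.113.3 eq 443
access-list 102 deny   ip any any log
```

To check it: `show ip nat translations` should list the three static entries permanently and PAT entries for LAN hosts only while they have sessions; `show ip inspect sessions` should show LAN-originated sessions and nothing from the DMZ; `show access-lists 102` shows the hit counts on the DMZ permits and, while a LAN session is open, the temporary entries CBAC inserted. The `established` entry for the relay is the price of not inspecting the DMZ: it admits any TCP segment with ACK or RST set towards 203.0.113.2 from source port 25, so keep such entries as narrow as the relay's real traffic allows.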


Re: Different NAT and FW rules on multiple inside interfaces

Thanks for the reply,

I actually figured out the NAT problem by playing around over the weekend. I have a /28 block, so lots of addresses (well, not lots, but enough for me) to play with. I now have PAT and static NATted devices going out the same interface and traffic is flowing nicely.

As for the firewall rules, that is my project for today. Thanks for the help!
