New Member

Excluding Subnet From Static NAT?

Anyone know of a way to exclude a range of IP addresses from Static NAT?

The inside interface has the majority of 10.0.0.0 /8 networks. The DMZ interface, unfortunately, has a /24 out of the 10.0.0.0/8 network, say 10.0.28.0 /24. How do I exclude this network from the static statement:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

The way I have it right now is that I had to break everything down and list the subnets individually like:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.240.0

static (inside,outside) 10.0.16.0 10.0.16.0 netmask 255.255.248.0

static (inside,outside) 10.0.24.0 10.0.24.0 netmask 255.255.254.0

static (inside,outside) 10.0.26.0 10.0.26.0 netmask 255.255.255.0

static (inside,outside) 10.0.29.0 10.0.29.0 netmask 255.255.255.0

static (inside,outside) 10.0.30.0 10.0.30.0 netmask 255.255.254.0

static (inside,outside) 10.0.32.0 10.0.32.0 netmask 255.255.224.0

static (inside,outside) 10.0.64.0 10.0.64.0 netmask 255.255.192.0

static (inside,outside) 10.0.128.0 10.0.128.0 netmask 255.255.128.0

static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

static (inside,outside) 10.2.0.0 10.2.0.0 netmask 255.254.0.0

Etc, etc, all the way to 10.255.0.0

Thanks,

Steve
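The manual breakdown in the post above can be generated rather than typed by hand. This is an added example, not part of the original post: it computes the CIDR blocks that cover 10.0.0.0/8 minus 10.0.28.0/24 and prints identity `static` lines in the syntax the post uses. The function names are hypothetical, and the interface names are taken from the post.

```python
import ipaddress


def complement_subnets(supernet, excluded):
    """Return the minimal sorted CIDR blocks covering supernet minus excluded."""
    sup = ipaddress.ip_network(supernet)
    exc = ipaddress.ip_network(excluded)
    if not exc.subnet_of(sup):
        raise ValueError(f"{exc} is not contained in {sup}")
    # address_exclude() walks down the tree, yielding one sibling block per
    # prefix length between the supernet and the excluded network.
    return sorted(sup.address_exclude(exc))


def identity_statics(supernet, excluded, real_if="inside", mapped_if="outside"):
    """Build identity static lines (same real and mapped address) per block."""
    return [
        f"static ({real_if},{mapped_if}) {n.network_address} "
        f"{n.network_address} netmask {n.netmask}"
        for n in complement_subnets(supernet, excluded)
    ]


def covers_exactly(supernet, excluded):
    """Sanity check: no block overlaps the exclusion and nothing else is lost."""
    sup = ipaddress.ip_network(supernet)
    exc = ipaddress.ip_network(excluded)
    blocks = complement_subnets(supernet, excluded)
    no_overlap = not any(b.overlaps(exc) for b in blocks)
    total = sum(b.num_addresses for b in blocks)
    return no_overlap and total == sup.num_addresses - exc.num_addresses


if __name__ == "__main__":
    # Networks from the post: inside holds 10.0.0.0/8, the DMZ holds 10.0.28.0/24.
    for line in identity_statics("10.0.0.0/8", "10.0.28.0/24"):
        print(line)
    print("coverage ok:", covers_exactly("10.0.0.0/8", "10.0.28.0/24"))
```

The result is 16 statements, one per prefix length from /9 to /24. It includes 10.0.24.0 netmask 255.255.252.0, which spans 10.0.24.0 through 10.0.27.255, so split that block if any part of it should not be translated.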

2 REPLIES
New Member

Re: Excluding Subnet From Static NAT?

Use a

nat (inside) 0

The ACL will have a deny in for that network before the accepts.

Or.. upgrade to version 7 where you can use the nat-control feature.

Gold

Re: Excluding Subnet From Static NAT?

You mentioned "The DMZ interface, unfortunately, has a /24 out of the 10.0.0.0/8 network".

The static command works with the two interfaces as stated.

E.g. the one you posted:

static (inside,outside) 10.2.0.0 10.2.0.0 netmask 255.254.0.0

This works between the inside and outside, and has nothing to do with the DMZ.
