New Member

Mixed NAT and PAT

I currently have

nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0

global (outside) 1 192.168.10.1 netmask 255.255.255.224

I'd like to add

nat (DMZ) 1 192.168.1.3 255.255.255.255 0 0

Do I need to remove

nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0

and use access-list to deny specific networks behind DMZ but allow 192.168.1.3?

2 REPLIES
Silver

Re: Mixed NAT and PAT

Hello,

Please see inline -

> Do I need to remove

> nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0

No, you don't have to, because NAT with an ID (in your case) will take precedence over NAT with ID being ZERO. So, if you have the above statement along with the new one, the one you will be adding will be translated to the global IP and the rest will go untranslated.

Regarding whether you need to use an ACL, that depends on your security policy. If you want to allow only a specific host then you can create the ACL and apply it on the DMZ interface, but this is not required.

Thanks,

Mynul

New Member

Re: Mixed NAT and PAT

Thanks for your help. I wasn't sure the tag 0 has precedence over tag 1. If so, any won't be translated, so

nat (DMZ) 1 192.168.5.1 255.255.255.255 0 0

will have no effect. I can't find any docs that say 0 will be executed before 1.
