Cisco Support Community

New Member

nat-control

Hi all,

I had 3 security zones: outside, dmz and inside.

I did static NAT for the DMZ server IPs, NATed to inside IPs (from low security to high security).

static (DMZ,Inside) 10.1.1.25 202.187.108.25 netmask 255.255.255.255

static (DMZ,Inside) 10.1.1.26 202.187.108.26 netmask 255.255.255.255

From an inside user PC (10.1.1.100), to access the DMZ server we basically connect to IP 10.1.1.25 or 26.

But it seems not to work if nat-control is enabled. Why?

Regards

3 REPLIES
Cisco Employee

Re: nat-control

With no nat-control in place, the PIX is acting as a router firewall, not needing any NAT rule. Hence you see it working.

See what error message you are getting in your log.

I think you also need NAT from the inside to the dmz interface.

e.g.

nat (inside) 1 0 0

global (dmz) 1 interface

or

static (inside,dmz) insideip insideip

New Member

Re: nat-control

Thanks, problem solved.

Curious about this problem: when doing STATIC from high security to low security we do not need to NAT it. Why do we need it from low security to high security? Makes no sense.

Many Thanks

Cisco Employee

Re: nat-control

With nat-control on, you have to have nat or static from higher to lower. Lower to higher, NAT is not a requirement by design unless you specifically want to do NAT.
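
The rule from the last reply, as an added example that is not part of the thread and not a Cisco tool: a short Python check that lists the higher-to-lower interface pairs a config leaves without a nat/global pair, a nat 0 exemption or a static while nat-control is on. The security levels, the function name and the sample strings are assumptions constructed for illustration, and the model looks only at interface names and NAT ids, not at addresses or access lists.

```python
import re
from itertools import permutations

# Constructed input: the two statics quoted in the thread. The security
# levels are assumed values; the thread does not state them.
LEVELS = {"outside": 0, "dmz": 50, "inside": 100}
THREAD_CONFIG = """\
nat-control
static (DMZ,Inside) 10.1.1.25 202.187.108.25 netmask 255.255.255.255
static (DMZ,Inside) 10.1.1.26 202.187.108.26 netmask 255.255.255.255
"""
# The nat/global pair suggested in the first reply, with NAT id 1 on both lines.
SUGGESTED_FIX = "nat (inside) 1 0 0\nglobal (dmz) 1 interface\n"

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) ")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")


def uncovered_pairs(config, levels):
    """Return sorted (higher, lower) interface pairs with no translation rule.

    Hypothetical helper. Returns [] when nat-control is not enabled, because
    no translation rule is then required for any direction.
    """
    lines = [ln.strip().lower() for ln in config.splitlines()]
    if "nat-control" not in lines:
        return []
    statics, nats, globals_ = set(), set(), set()
    for ln in lines:
        if m := STATIC_RE.match(ln):
            statics.add((m[1], m[2]))      # (real_ifc, mapped_ifc)
        elif m := NAT_RE.match(ln):
            nats.add((m[1], m[2]))         # (real_ifc, nat_id)
        elif m := GLOBAL_RE.match(ln):
            globals_.add((m[1], m[2]))     # (mapped_ifc, nat_id)
    missing = []
    for hi, lo in permutations(levels, 2):
        if levels[hi] <= levels[lo]:
            continue                       # lower-to-higher: NAT not required
        covered = (hi, lo) in statics or any(
            ifc == hi and (nid == "0" or (lo, nid) in globals_)
            for ifc, nid in nats)
        if not covered:
            missing.append((hi, lo))
    return sorted(missing)
```

The `static (DMZ,Inside)` lines do not cover the inside-to-dmz pair in this model because their real interface is the lower-security one; only the suggested nat/global pair (or a `static (inside,dmz)`) does.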
