New Member

Nat rules on firewall

Experts, please assist to understand the below statements from a firewall.

+++++++++++++++++++++++++++++++++++

sh running-config nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

sh running-config global
global (dmz) 2 Test_PC-10.11.2.3
global (outside) 1 interface

access-list inside_nat0_outbound line 34 extended permit ip Site2_Net 255.255.0.0 host WebServer_Test

_________________________________

I understand that nat (inside) is used to sort of PAT anything from the inside network to the public IP on the external interface.

Correct me if wrong.

But I am at loggerheads trying to understand the statement with nat0 as well as the ACL that refers to it.

Please suggest.

Thanks!

Cisco Employee

Re: Nat rules on firewall

nat0 means that this traffic will not be translated and will go out without changing the IP address.

In your case, whatever packet hits the inside interface and matches the ACL inside_nat0_outbound will go out untranslated.

I hope it helps.

PK

New Member

Re: Nat rules on firewall

Thanks! With this understanding, the WebServer_Test sits on an isolated DMZ zone. Now if another user segment from the inside segment tries to access this server, shouldn't it also be included in the untranslated list, or maybe it will get translated with the public IP on the way to reach the server?

Another query: will this untranslated statement apply to all interfaces, and how is it processed in order, as the local IP may already get translated with the public IP before reaching the server?

Appreciate your help!

Cisco Employee

Re: Nat rules on firewall

Q1: If the server has a return path back to the untranslated IP address, then it won't harm.

Q2: It applies to all traffic that hits the inside interface and matches the ACL.

PK
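To make the ordering in PK's answers concrete, here is a small Python model of how a pre-8.3 ASA would pick a translation for the three statements quoted in the question. It is an added example, not code from the thread or from Cisco: the addresses behind Site2_Net, WebServer_Test and the outside interface are constructed, the route table is a toy, and the evaluation order is simplified to the two cases the thread discusses (NAT exemption via nat 0 access-list first, then the regular nat/global pair on the egress interface).

```python
import ipaddress

# Addresses are constructed for the demo; the thread only gives object names.
OBJECTS = {
    "Site2_Net": ipaddress.ip_network("10.20.0.0/16"),          # "Site2_Net 255.255.0.0"
    "WebServer_Test": ipaddress.ip_network("172.16.50.10/32"),  # "host WebServer_Test" (in the DMZ)
    "Test_PC-10.11.2.3": ipaddress.ip_network("10.11.2.3/32"),  # global pool object on dmz
}
INTERFACE_IP = {"outside": ipaddress.ip_address("203.0.113.2")}  # constructed
# Toy route table, used only to choose the egress interface.
ROUTES = [
    (ipaddress.ip_network("172.16.50.0/24"), "dmz"),
    (ipaddress.ip_network("10.11.0.0/16"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# access-list inside_nat0_outbound ... permit ip Site2_Net 255.255.0.0 host WebServer_Test
ACLS = {"inside_nat0_outbound": [("permit", OBJECTS["Site2_Net"], OBJECTS["WebServer_Test"])]}

# nat (inside) 0 access-list inside_nat0_outbound
# nat (inside) 1 0.0.0.0 0.0.0.0
NAT = {
    "inside": [
        {"id": 0, "acl": "inside_nat0_outbound"},
        {"id": 1, "net": ipaddress.ip_network("0.0.0.0/0")},
    ]
}
# global (dmz) 2 Test_PC-10.11.2.3 ; global (outside) 1 interface
GLOBAL = {("dmz", 2): "Test_PC-10.11.2.3", ("outside", 1): "interface"}


def egress_interface(dst):
    """Longest-prefix match over the toy route table."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def acl_permits(name, src, dst):
    """First matching ACE decides; no match is an implicit deny."""
    for action, s_net, d_net in ACLS[name]:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def translate(src_ip, dst_ip, ingress="inside"):
    """Return the egress interface, the source seen on the wire, and why."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    egress = egress_interface(dst)
    # Step 1: NAT exemption (nat 0 access-list) is checked before any other
    # nat statement, so it wins even though nat (inside) 1 matches everything.
    for rule in NAT[ingress]:
        if rule["id"] == 0 and acl_permits(rule["acl"], src, dst):
            return {"egress": egress, "src": str(src), "action": "exempt (nat 0)"}
    # Step 2: first regular nat statement whose source range covers the packet,
    # paired with the global of the same id on the egress interface.
    for rule in NAT[ingress]:
        if rule["id"] != 0 and src in rule["net"]:
            pool = GLOBAL.get((egress, rule["id"]))
            if pool is None:
                # No global with this id on the egress interface.  On a real ASA
                # the result depends on 'nat-control' (passed untranslated when it
                # is disabled, dropped when enabled); the model just reports the gap.
                return {"egress": egress, "src": str(src),
                        "action": f"no global for nat id {rule['id']} on {egress}"}
            new_src = INTERFACE_IP[egress] if pool == "interface" else OBJECTS[pool].network_address
            return {"egress": egress, "src": str(new_src), "action": f"translated (nat {rule['id']})"}
    return {"egress": egress, "src": str(src), "action": "no nat match"}


if __name__ == "__main__":
    # Constructed sample flows: Site2 host and a different inside segment,
    # each going to the DMZ server and to an Internet address.
    for flow in [("10.20.5.7", "172.16.50.10"), ("10.30.1.9", "172.16.50.10"),
                 ("10.30.1.9", "198.51.100.5"), ("10.20.5.7", "198.51.100.5")]:
        print(flow, "->", translate(*flow))
```

Running it shows the answer to both follow-up questions: only Site2_Net to WebServer_Test is exempt, a host from another inside segment is not (and, because the config has global (dmz) 2 but no global (dmz) 1, it has no translation pair on the DMZ either), while the same hosts going to the Internet are PAT'd to the outside interface address. The exemption is tied to the ingress interface named in the nat statement, which is why the ACL is consulted only for packets arriving on inside.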
