Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
490
Views
4
Helpful
3
Replies

Nat rules on firewall

Go to solution
suthomas1
Level 6
Level 6

‎11-10-2009 06:35 AM - edited ‎03-09-2019 10:42 PM

Experts, please assist to understand the below statements from a firewall.

+++++++++++++++++++++++++++++++++++

sh running-config nat

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

sh running-config global

global (dmz) 2 Test_PC-10.11.2.3

global (outside) 1 interface

access-list inside_nat0_outbound line 34 extended permit ip Site2_Net 255.255.0.0 host WebServer_Test

_________________________________

I understand that nat(inside) is used to sort of pat anything from inside network to the public ip on external interface.

Correct me if wrong.

But i am loggerheads to understand the statement with nat0 as well as the acl that refers it.

Please suggest.

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to suthomas1

‎11-10-2009 12:10 PM

Q1: If the server was a return path back to the untranslated ip address then it won't harm.

Q2: It applies to all traffic that hit the inside interface and matches the ACL.

PK

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee

‎11-10-2009 06:53 AM

nat0 means that this traffic will not be translated and will go out without changing the ip address.

In your case whatever packet hit the inside interface and matches the ACL inside_nat0_outbound will go out untranslated.

I hope it helps.

PK

Go to solution
suthomas1
Level 6
Level 6
In response to Panos Kampanakis

‎11-10-2009 07:20 AM

Thanks!with this understanding,the WebServer_Test sits on an isolated dmz zone. Now if another user segment from the inside segment tries to access this server, shouldnt it also be included in the untranslated list or maybe it will get translated with the public ip while on the way to reach server.

Another query, is will this untranslated statement apply to all interfaces & how is it processed in order, as the local ip may already get translated with the public ip before reaching the server.

Appreciate your help!

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to suthomas1

‎11-10-2009 12:10 PM

Q1: If the server was a return path back to the untranslated ip address then it won't harm.

Q2: It applies to all traffic that hit the inside interface and matches the ACL.

PK

0 Helpful
Customers Also Viewed These Support Documents