outside nat and dmz

mjia
Level 1

Hi,

Does outside nat only support outside->inside/dmz translations?

Does it support dmz->inside traffic if I specify "nat (dmz) ..... outside"?

Basically, does PIX allow dmz->inside traffic (low security -> high security) initiated using "nat" and "global" commands?

Thanks

Michael

7 Replies

gfullage
Cisco Employee

Outside NAT also works with DMZ -> Inside traffic.

l.mourits
Level 5

Michael,

To enable traffic initiated from a low level security to travel to a high security interface you will normally use static commands, so, for example, if you want a server on the inside with IP address 10.1.1.1 to be reachable from the dmz interface on the same address you would have to add the command:

static (inside,dmz) 10.1.1.1 10.1.1.1

and of course the appropriate access-list bound to the dmz interface, for example:

access-list dmz-in permit ip any host 10.1.1.1

access-group dmz-in in interface dmz

nat and global statements are normally only needed to enable traffic initiated from the higher level interface. So, if you want people on the inside to connect to servers on the dmz without translation, you would have to add something like:

nat (dmz) 0 10.1.1.0 255.255.255.0

Hope this helps

Leo

Does the "outside" keyword need to be added at the end?

Should "access-list" nat 0 be used instead of "ip mask" nat 0?

Thanks

Michael

Hi Michael,

Yes, the "outside" keyword is needed for lower-to-higher security nat/global (i.e., from outside to inside, dmz to inside, etc.).

Regarding the second question, it depends on your requirement. Please keep in mind that nat 0 will come before static and nat. When you use "nat 0 network", this will work in one direction, that is from higher to lower, but with the ACL option it works in both directions, so you don't need a static; it will just bypass the whole NAT engine for traffic in both directions.

I hope it's clear.

Regards,

Mynul
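Added example, not from this thread or from Cisco: a small Python model of the rule set described in Leo's and Mynul's replies, which parses a constructed PIX 6.x config fragment and reports whether a connection initiated on a lower-security interface would be permitted (a static for the destination or a nat 0 access-list exemption, plus an inbound access-list entry on the source interface). The interface security levels are assumed, only "permit ip" ACL entries are modelled, and plain "nat N"/"global" and xlate state are deliberately left out.

```python
import ipaddress
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}  # constructed interface levels

def _addr(tokens):
    """Consume one ACL address term (any | host A | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(config):
    """Collect statics, nat 0 exemptions, 'permit ip' ACL entries and access-groups."""
    r = {"static": [], "exempt": [], "acl": {}, "bind": {}}
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["static"]:  # static (high,low) mapped real [netmask M]
            hi, lo = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            r["static"].append((hi, lo, ipaddress.ip_network(f"{t[2]}/{mask}")))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:  # nat (if) 0 access-list NAME
            r["exempt"].append((t[1].strip("()"), t[4]))
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _addr(t[4:])
            r["acl"].setdefault(t[1], []).append((src, _addr(rest)[0]))
        elif t[:1] == ["access-group"]:  # access-group NAME in interface IF
            r["bind"][t[4]] = t[1]
    return r

def low_to_high_allowed(r, src_if, src_ip, dst_if, dst_ip):
    """Decide whether a connection initiated on src_if may reach dst_ip on dst_if."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if SECURITY[src_if] >= SECURITY[dst_if]:
        return False, "not a low-to-high flow; nat/global rules apply instead"
    has_static = any(hi == dst_if and lo == src_if and d in net for hi, lo, net in r["static"])
    has_exempt = any(i == dst_if and any(d in a and s in b for a, b in r["acl"].get(n, []))
                     for i, n in r["exempt"])
    if not (has_static or has_exempt):
        return False, "no static or nat 0 access-list covers the destination"
    if not any(s in a and d in b for a, b in r["acl"].get(r["bind"].get(src_if), [])):
        return False, f"no inbound access-list on {src_if} permits the flow"
    return True, "static" if has_static else "nat 0 access-list exemption"

# Constructed sample config modelled on the commands posted in this thread.
SAMPLE = """
static (inside,dmz) 10.1.1.1 10.1.1.1 netmask 255.255.255.255
nat (inside) 0 access-list inside-nonat
access-list inside-nonat permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list dmz-in permit ip any host 10.1.1.1
access-group dmz-in in interface dmz
"""
```

Running `low_to_high_allowed(parse(SAMPLE), "dmz", "172.16.1.5", "inside", "10.1.1.2")` shows the exemption alone is not enough: the dmz-in access-list still has to permit the destination.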

Hi Mynul,

Even with nat 0 and an incoming access list on the dmz interface, you still need statics.

static (inside, dmz) mask

Otherwise, connections from DMZ to inside are only possible if the server on the inside interface has sent packets to the DMZ, so that a dynamic translation is built.

"show xlate" shows the static and dynamic translations.

Regards, Michel

Q1) Can someone please confirm the order of nat/static command processing. Is it nat 0 acl, nat 0, static, nat, where nat 0 acl is the first command processed and nat is the last command processed?

Q2) Does the nat/static command processing order change depending on whether traffic originated from a less secure interface to a more secure interface?

Q3) Can I have a sample config of outside NAT? I can't get it to work!

The config book example is not complete enough.

Thanks

john

Sorry about Q2. I am talking about outside NAT here, so my question is: does outside NAT behave the same way as inside NAT?

Thanks, john