07-26-2006 09:09 PM - edited 02-21-2020 01:04 AM
I'm curious to see if anyone can help with my situation. I currently do not NAT on my inside interface:
NAT 0 0.0.0.0 0.0.0.0
I need to start doing policy NAT for some internal hosts going from inside private IPs to certain sites off of one of my DMZ interfaces. My problem is with this:
Global (DMZ4) 5 199.19.19.2
NAT (inside) 5 access-list DMZ-NAT
NAT (inside) 0 0.0.0.0 0.0.0.0
I need to only NAT inside traffic that matches the access list. If it doesn't match the access list I don't want to NAT it at all. When I try to test this out I see the inside traffic matching the inside access list and being routed to the DMZ4 interface. However, the traffic is never NAT'd. I never see the source IP getting translated to 199.19.19.2. Any suggestions?
07-26-2006 10:07 PM
Hi. I suggest using policy NAT for nat 0 as well, instead of NAT exemption for the whole inside segment.
nat (inside) 0 access-list NO_NAT
access-list NO_NAT permit ... etc
I hope it helps. Please rate if it does!
07-30-2006 07:26 PM
My problem is I only need to NAT one IP on the inside interface when it goes to a specific server. I'll NAT it and dump it into my VPN tunnel. The problem is it's going to a web server (port 80). The IP is the NAT address of my internal firewall. If the traffic doesn't match the ACL then it should go out to the Internet as is. How can I do policy NAT for nat 0 and tell it to NAT to one location, but not NAT for the rest of the Internet?
08-14-2006 08:48 AM
If you are going to implement policy NAT, PDM will not function properly. You will only be able to use the Home and Monitor tabs. I am using PDM version 3.04.
08-14-2006 12:06 PM
This allows you to NAT an address to a specific address going to a specific server on port 80.
access-list WEB permit tcp 10.1.2.0 255.255.255.0 65.x.x.1 255.255.255.255 eq 80
nat (inside) 1 access-list WEB
global (outside) 1 209.x.x.1 255.255.255.255
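Putting the two previous suggestions together for the original poster's topology (a single inside host that must be translated to 199.19.19.2 only when it talks to one web server reached via DMZ4, and left untranslated for everything else). This is an added worked configuration, not posted by anyone in the thread: the inside host 10.1.1.10, the inside subnet 10.1.1.0/24, the destination web server 192.0.2.80 and the NAT id 5 are placeholders; the interface name DMZ4, the global address 199.19.19.2 and the access-list names DMZ-NAT and NO_NAT come from the posts above. The key point is that the exemption ACL used by nat 0 gets an explicit deny for the flow that should be translated, so that flow falls through to the policy NAT rule instead of being exempted.

```cisco
! Added example configuration (PIX-style syntax); addresses below are placeholders.
! Flow that must be translated: one inside host to one web server on port 80.
access-list DMZ-NAT permit tcp host 10.1.1.10 host 192.0.2.80 eq 80
!
! Exemption ACL: deny the flow we want translated, exempt the rest of the inside segment.
access-list NO_NAT deny tcp host 10.1.1.10 host 192.0.2.80 eq 80
access-list NO_NAT permit ip 10.1.1.0 255.255.255.0 any
!
! nat 0 with an access-list is NAT exemption; it only applies where NO_NAT permits.
nat (inside) 0 access-list NO_NAT
!
! Policy NAT for the single flow, using the global address on the DMZ4 interface.
nat (inside) 5 access-list DMZ-NAT
global (DMZ4) 5 199.19.19.2
!
! Existing translations are not rebuilt until they are cleared; this drops active xlates,
! so do it in a maintenance window. Then generate traffic and confirm the translation.
clear xlate
show xlate
```

When checking the result, the entry in `show xlate` for 10.1.1.10 should show 199.19.19.2 as the global address only for the connection to 192.0.2.80; traffic from 10.1.1.10 to any other destination should produce no xlate because it is exempted by NO_NAT. If the deny line is left out of NO_NAT, the exemption wins and the policy NAT rule is never consulted, which matches the symptom described in the original post.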
08-15-2006 06:01 AM
Hi!
I have the same topology.
In my case I use:
static (inside,DMZ_Client) 192.168.162.201 access-list inside_client
access-list inside_client extended permit ip host 10.10.1.1 10.250.0.0 255.255.192.0
Regards,
Adriano Porcaro