11-25-2002 03:00 AM - edited 02-20-2020 10:23 PM
Hello,
I have a customer with the following conditions:
Internet..
DMZ with 172.18.x.x
LAN with 10.x.x.x
There is a proxy in the DMZ 172.x.x.x. The proxy sees all clients with the DMZ interface address. The guys who configure the PIX say it comes from NAT and they cannot handle this.
So my question: can they use a kind of "NAT outside" instead of "NAT inside"?
So that networks 10.x and 172.x are not NATed, but everything by outside...
Thanks Robert
11-25-2002 06:46 AM
You can use a static command to create a 1-1 static address mapping with the inside address the same as the address on the DMZ. You are probably using a global command and a nat statement. You can use the static command and map 10.xx.xx.xx to 10.xx.xx.xx from inside to dmz instead.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
You will need to remove or change the nat statement.
Here are the docs on the static statement.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid76
11-25-2002 06:54 AM
What you can do is disable the NAT translation from the inside to the DMZ. Then the proxy server will see the real addresses of the inside clients.
access-list no_nat permit ip 10.x.x.x 255.0.0.0 172.18.x.x 255.255.0.0
nat (inside) 0 access-list no_nat
Kind Regards,
Tom
11-25-2002 07:04 AM
This Cisco document describes how to disable NATing between two networks using an access-list that specifies the traffic that should not be NATed:
http://www.cisco.com/warp/public/110/19.html#fourth
Kind Regards,
Tom
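An added example, not part of the thread or of Cisco's documentation: a small Python check that parses a PIX 6.x style configuration and reports whether a client-to-proxy flow is covered by a `nat 0 access-list` exemption, which is the condition for the proxy to log real client addresses. The sample configuration and the 10.0.0.0/8 and 172.18.0.0/16 ranges are constructed stand-ins for the thread's 10.x.x.x and 172.18.x.x, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config; addresses are assumptions, not the customer's.
SAMPLE_CONFIG = """\
access-list no_nat permit ip 10.0.0.0 255.0.0.0 172.18.0.0 255.255.0.0
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

# Only the "permit ip <net> <mask> <net> <mask>" form is handled here;
# the "host" and "any" keywords are deliberately out of scope.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")


def parse_exemptions(config):
    """Return {interface: [(src_net, dst_net), ...]} for nat 0 access-lists."""
    acls, bound = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            try:
                pair = (ipaddress.ip_network(f"{src}/{smask}"),
                        ipaddress.ip_network(f"{dst}/{dmask}"))
            except ValueError:
                continue  # skip a malformed entry, e.g. a mask typed as 255..0.0.0
            acls.setdefault(name, []).append(pair)
            continue
        m = NAT0_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)  # interface -> ACL name
    return {ifc: acls.get(name, []) for ifc, name in bound.items()}


def is_exempt(config, interface, src_ip, dst_ip):
    """True if src_ip -> dst_ip entering `interface` bypasses NAT."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    pairs = parse_exemptions(config).get(interface, [])
    return any(src in s and dst in d for s, d in pairs)
```

Traffic that does not match the exemption still falls through to the ordinary `nat`/`global` pair, so Internet-bound flows stay translated while inside-to-DMZ flows keep their source address.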