06-19-2003 06:09 AM - edited 03-09-2019 03:44 AM
Why is it that, even though I have NAT 0 implemented on a high-security interface and a low-security interface (e.g. inside and dmz), I still need to have static statements to allow traffic to flow from dmz to inside?
06-19-2003 08:56 AM
Hi
With nat (inside) 0:
If you need to initiate the connection from lower (dmz) to higher (inside), then you either need a static or modify your nat 0 statement using an access-list.
Like nat (inside) 0 access-list test
access-list test permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
When you use nat 0 with an access-list, then users from the lower security zone, in the above case 192.168.1.0, can initiate a connection to the 10.1.1.0 subnet, which is the inside (higher security zone).
Also, a little more explanation at the URL below for nat 0:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1032129
Hope the above helps.
Thanks
Nisha
06-19-2003 08:22 AM
NAT 0 serves only outbound traffic (high to low security i/f). If you want your host(s) within the DMZ to start a session to inside host(s), then you need to use static/access-list/access-group commands to do so.
Why is it like that? Because it is a firewall that must manage multiple needs; for example, you may want to permit inside users to access the DMZ's servers but not let those servers access inside networks, for security reasons.
Regards
Ben
06-19-2003 09:18 AM
Hi,
As mentioned in the earlier post, the "nat 0 acl" option will turn off the NAT engine on the PIX for the traffic defined in the ACL, whether the connection is initiated from inside to dmz or dmz to inside. In that case, you will not need a static. But with "nat 0 network", you only turn off the NAT engine on the PIX for the network from inside to dmz. In that case, you need a static for dmz to inside traffic.
I hope it's clear.
Regards,
Mynul
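The two variants Nisha and Mynul describe, side by side in a constructed PIX 6.3 configuration (an added example, not from any post in this thread). Subnets follow Nisha's access-list; the interface names, security levels and the host addresses in the dmz_in ACL are assumed. Lines beginning with ! are explanatory comments, not PIX commands.

```text
! Assumed interfaces: inside (security100) 10.1.1.0/24, dmz (security50) 192.168.1.0/24
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! --- Variant A: "nat 0 network" (identity NAT, outbound only) ---
! Inside hosts reach the DMZ untranslated, but the PIX creates no translation
! for DMZ-initiated connections, so a static is still required for dmz -> inside:
nat (inside) 0 10.1.1.0 255.255.255.0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! --- Variant B: "nat 0 access-list" (NAT exemption, both directions) ---
! Use instead of the two lines above; no static is needed for dmz -> inside:
access-list test permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list test

! In either variant, the translation only makes dmz -> inside possible. Traffic
! from the lower-security dmz interface to the higher-security inside interface
! is still denied until an access-list bound to dmz permits it. Permit only what
! is required (assumed here: one DMZ server reaching one inside host on tcp/1433):
access-list dmz_in permit tcp host 192.168.1.10 host 10.1.1.20 eq 1433
access-group dmz_in in interface dmz
```

Check the result with "show xlate" and "show access-list": with variant A, a connection attempt from 192.168.1.10 to 10.1.1.20 creates no xlate unless the static is present, and with either variant the dmz_in hit counters show whether the interface ACL is matching.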