NAT question

Brent Rockburn
Level 2

global (GT/Bell) 1 interface
global (Allstream/SunGard) 1 interface

nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,dmz) 10.69.0.0 10.69.0.0 netmask 255.255.0.0

access-list inside_nat0_outbound; 2 elements
access-list inside_nat0_outbound line 1 extended permit ip any 10.xx.x.x 255.255.0.0
access-list inside_nat0_outbound line 2 extended permit ip any 10xx.xx.x 255.255.240.0

My question is ...

If I want my DMZ to NOT NAT when going to my internal network of 10.xx.xx.xx 255.255.240.0

What do I need? What is above is what exists.

I have a bunch of ideas in my head about what I need, but at the same time what I've tried isn't working, so I need some advice.

Thanks,

BR

1 Reply

Collin Clark
VIP Alumni

Technically speaking you are NATing, but the firewall is NATing with the real IPs.

static (inside,dmz) 10.69.0.0 10.69.0.0 netmask 255.255.0.0

There's nothing wrong with doing this. If you really want to prevent NAT, create another ACL and prevent NAT on the interface, just like the one applied to the inside.

nat (dmz) 0 access-list no_nat
access-list no_nat extended permit ip [dmz subnet & mask] [internal subnet & mask]

Hope it helps.
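
One way to check what a `nat (dmz) 0 access-list` exemption like the one suggested above actually covers, so it is not broader than intended. This is an added example, not part of the original thread; the sample config, its addresses and the helper names (`parse`, `is_exempt`) are constructed for illustration. It assumes the pre-8.3 syntax shown in the thread and reads only `permit ip` entries in running-config form.

```python
import ipaddress
import re

# Constructed sample config in the thread's pre-8.3 syntax; all addresses are placeholders.
SAMPLE = """\
nat (dmz) 0 access-list no_nat
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-list no_nat extended permit ip 192.168.50.0 255.255.255.0 10.20.16.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip any 10.20.0.0 255.255.0.0
"""

def _take(tokens):
    """Consume one address spec ('any', 'host A' or 'NET MASK') from a token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse(config):
    """Return ({interface: acl_name}, {acl_name: [(src_net, dst_net), ...]})."""
    exempt, acls = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            exempt[m.group(1)] = m.group(2)
            continue
        m = re.match(r"access-list (\S+) extended permit ip (.+)", line)
        if m:
            tokens = m.group(2).split()
            src = _take(tokens)  # source is listed first, destination second
            dst = _take(tokens)
            acls.setdefault(m.group(1), []).append((src, dst))
    return exempt, acls

def is_exempt(config, interface, src, dst):
    """True if traffic entering `interface` from src to dst matches its nat 0 ACL."""
    exempt, acls = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acls.get(exempt.get(interface), []))

if __name__ == "__main__":
    print(is_exempt(SAMPLE, "dmz", "192.168.50.10", "10.20.17.5"))
```

The ACL direction matters: the source is the subnet behind the interface named in the `nat` statement and the destination is the network being reached, so a reversed entry or an `any` source shows up here as an unexpected match or miss.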
