https://community.cisco.com/t5/network-security/pix-pating-or-not-depending-on-outside-interface-used/m-p/375250#M562435 <P>I'm still digging into this, but have a need to not NAT any traffic starting on the inside to 2 of my lower-security interfaces (dmz1 &amp; dmz2), but have that same traffic PATed to the interface address if it goes out outside interface.</P><P></P><P>I'm using nat (inside) 0 0.0.0.0 0.0.0.0 for the non-nating of traffic that goes from inside to dmz1 &amp; dmz2. So, this keeps me from putting in another nat statement [like nat (inside) 1 0.0.0.0 0.0.0.0)] as that causes an error message saying the nat statements overlap. Makes a certain amount of sense.</P><P></P><P></P><P>It looks like a "static (inside,outside) interface 10.1.1.0 netmask 255.255.255.0" would be the perfect solution. But I get a "Invalid netmask with interface option" error message when I try to input that. So, that must not be able to do groups of addresses. It also only lets me do a single static to the interface address, so that is not going to fly even if I was willing to type in every host individually.</P><P></P><P>I was hoping that static command would let me overload all the inside addresses to the outside interface address when data is going out the "outside" interface, while the "nat (inside) 0" lets me non NAT anything going to dmz1 &amp; dmz2, but no dice. </P><P></P><P>Any thoughts on what I'm missing here? There has got a be a way to do this.</P><P></P><P>Thanks!</P><P></P><P> </P> Fri, 21 Feb 2020 07:38:34 GMT sheidelbach 2020-02-21T07:38:34Z https://community.cisco.com/t5/network-security/pix-pating-or-not-depending-on-outside-interface-used/m-p/375250#M562435 <P>I'm still digging into this, but have a need to not NAT any traffic starting on the inside to 2 of my lower-security interfaces (dmz1 &amp; dmz2), but have that same traffic PATed to the interface address if it goes out outside interface.</P><P></P><P>I'm using nat (inside) 0 0.0.0.0 0.0.0.0 for the non-nating of traffic that goes from inside to dmz1 &amp; dmz2. So, this keeps me from putting in another nat statement [like nat (inside) 1 0.0.0.0 0.0.0.0)] as that causes an error message saying the nat statements overlap. Makes a certain amount of sense.</P><P></P><P></P><P>It looks like a "static (inside,outside) interface 10.1.1.0 netmask 255.255.255.0" would be the perfect solution. But I get a "Invalid netmask with interface option" error message when I try to input that. So, that must not be able to do groups of addresses. It also only lets me do a single static to the interface address, so that is not going to fly even if I was willing to type in every host individually.</P><P></P><P>I was hoping that static command would let me overload all the inside addresses to the outside interface address when data is going out the "outside" interface, while the "nat (inside) 0" lets me non NAT anything going to dmz1 &amp; dmz2, but no dice. </P><P></P><P>Any thoughts on what I'm missing here? There has got a be a way to do this.</P><P></P><P>Thanks!</P><P></P><P> </P> Fri, 21 Feb 2020 07:38:34 GMT https://community.cisco.com/t5/network-security/pix-pating-or-not-depending-on-outside-interface-used/m-p/375250#M562435 sheidelbach 2020-02-21T07:38:34Z https://community.cisco.com/t5/network-security/pix-pating-or-not-depending-on-outside-interface-used/m-p/375251#M562458 <HTML><HEAD></HEAD><BODY><P>Have you tried this?</P><P></P><P>Let's say you have:</P><P>192.168.0.0/24 on inside</P><P>192.168.1.0/24 on DMZ1</P><P>192.168.2.0/24 on DMZ2</P><P></P><P>access-list NoNATinside permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>access-list NoNATinside permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0</P><P></P><P>nat (inside) 0 access-list NoNATinside</P><P>nat (inside) 1 192.168.0.0 255.255.255.0</P><P>global (outside) 1 interface</P><P></P></BODY></HTML> Tue, 21 Sep 2004 17:31:37 GMT https://community.cisco.com/t5/network-security/pix-pating-or-not-depending-on-outside-interface-used/m-p/375251#M562458 jzsides 2004-09-21T17:31:37Z https://community.cisco.com/t5/network-security/pix-pating-or-not-depending-on-outside-interface-used/m-p/375252#M562476 <HTML><HEAD></HEAD><BODY><P>Way cool! Did not notice an ACL as being an option for NAT commands.</P><P></P><P>Waaaaay cool!</P><P></P><P>Thanks!</P></BODY></HTML> Tue, 21 Sep 2004 18:59:05 GMT https://community.cisco.com/t5/network-security/pix-pating-or-not-depending-on-outside-interface-used/m-p/375252#M562476 sheidelbach 2004-09-21T18:59:05Z