https://community.cisco.com/t5/network-security/nonat-between-dmz-and-inside/m-p/1309232#M858149 <HTML><HEAD></HEAD><BODY><P>Jeff</P><P></P><P>"But you still have to apply the nat exemption to an interface, does that mean that it doesn't matter which interface you apply it to? "</P><P></P><P>I'm assuming when you say this you mean either the inside or dmz interface because obviously if you applied it to a totally different interface it would not have the effect you wanted.</P><P></P><P>As for applying it to either the inside or dmz interface, to be honest i have ever only applied it on the higher security interface, in this case the inside interface.</P><P></P><P>Jon</P></BODY></HTML> Wed, 02 Sep 2009 20:32:36 GMT Jon Marshall 2009-09-02T20:32:36Z https://community.cisco.com/t5/network-security/nonat-between-dmz-and-inside/m-p/1309229#M858146 <P>Do I need two statements to disable nat between the inside and dmz networks, one for each interface? </P> Mon, 11 Mar 2019 16:11:55 GMT https://community.cisco.com/t5/network-security/nonat-between-dmz-and-inside/m-p/1309229#M858146 jcw009 2019-03-11T16:11:55Z https://community.cisco.com/t5/network-security/nonat-between-dmz-and-inside/m-p/1309230#M858147 <HTML><HEAD></HEAD><BODY><P>Jeff</P><P></P><P>No, nat exemption is bidirectional so you can either do </P><P></P><P>inside net = 192.168.5.0/24</P><P>dmz net = 172.16.5.0/24</P><P></P><P>1) static NAT translation</P><P></P><P>static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 </P><P></P><P>this will allow internal hosts to access DMZ hosts and DMZ hosts to access internal hosts</P><P></P><P>OR </P><P></P><P>2) access-list NONAT permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0</P><P></P><P>nat (inside) 0 access-list NONAT</P><P></P><P>Technically speaking only 2 is actually not doing NAT but 1) would achieve the same result for you.</P><P></P><P>Jon</P></BODY></HTML> Wed, 02 Sep 2009 19:57:30 GMT https://community.cisco.com/t5/network-security/nonat-between-dmz-and-inside/m-p/1309230#M858147 Jon Marshall 2009-09-02T19:57:30Z https://community.cisco.com/t5/network-security/nonat-between-dmz-and-inside/m-p/1309231#M858148 <HTML><HEAD></HEAD><BODY><P>So, as long as there is the 'destination' (per the nonat acl) network somewhere on another interface, it doesn't matter which interface it's on for the nat exemption to work. Correct? Because once the traffic passes through the nat 'engine', then it just gets routed to the appropriate interface. </P><P></P><P>But you still have to apply the nat exemption to an interface, does that mean that it doesn't matter which interface you apply it to?</P><P></P><P>Maybe I'm overthinking this and missing something.</P></BODY></HTML> Wed, 02 Sep 2009 20:15:55 GMT https://community.cisco.com/t5/network-security/nonat-between-dmz-and-inside/m-p/1309231#M858148 jcw009 2009-09-02T20:15:55Z https://community.cisco.com/t5/network-security/nonat-between-dmz-and-inside/m-p/1309232#M858149 <HTML><HEAD></HEAD><BODY><P>Jeff</P><P></P><P>"But you still have to apply the nat exemption to an interface, does that mean that it doesn't matter which interface you apply it to? "</P><P></P><P>I'm assuming when you say this you mean either the inside or dmz interface because obviously if you applied it to a totally different interface it would not have the effect you wanted.</P><P></P><P>As for applying it to either the inside or dmz interface, to be honest i have ever only applied it on the higher security interface, in this case the inside interface.</P><P></P><P>Jon</P></BODY></HTML> Wed, 02 Sep 2009 20:32:36 GMT https://community.cisco.com/t5/network-security/nonat-between-dmz-and-inside/m-p/1309232#M858149 Jon Marshall 2009-09-02T20:32:36Z