NAT exemption (NAT 0) vs Identity NAT

Patrick0711
Level 3

So let's say we have the following configuration:

=============================================
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 speed 1000
 duplex full
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 speed 1000
 duplex full
 ip address 172.16.1.1 255.255.255.0
nat-control
access-group 100 in interface inside
access-group 99 in interface dmz
access-list 100 permit ip any any
access-list 99 permit ip any any
=============================================

So let's say we want to allow communication from the inside segment to the DMZ segment using private addresses.

There are a couple of ways we can achieve this:

1.) NAT exemption via nat 0

access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat

2.) Identity NAT via static statements

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Both scenarios allow communication from the inside segment to the DMZ segment while preserving the 192.168.1.X/24 source addresses, using 172.16.1.X/24 addresses as the destination.

With scenario 1, I must first initiate traffic from the inside segment (192.168.1.X address) to the DMZ segment (172.16.1.X) before hosts on the DMZ segment can initiate traffic to the inside segment.

With scenario 2, I can initiate traffic from either segment regardless of who first initiated a connection.

Now, I know that the identity NAT via the static statement adds an entry in the xlate table which is why either segment can initiate traffic at any time.

My question is, what mechanism controls the communication process when using NAT exemption? That is, what prevents me from initiating traffic FROM the DMZ to the inside segment until I've first initiated traffic from the inside to the DMZ?
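As an added illustration (not from this thread or from Cisco), here is a small Python model of how a pre-8.3 ASA with nat-control matches the two rule types above against a flow in each direction. It assumes the documented behaviour that both NAT exemption and an identity static are bidirectional; the hosts 192.168.1.10, 172.16.1.10 and 10.0.0.5 are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address

# Constructed from the posted config: the nonat ACL's source and destination networks.
NONAT = (IPv4Network("192.168.1.0/24"), IPv4Network("172.16.1.0/24"))

@dataclass
class Asa:
    # NAT exemption entries from `nat (ifc) 0 access-list`: (ifc, src_net, dst_net)
    exemptions: list = field(default_factory=list)
    # Identity statics from `static (real,mapped) X X netmask M`: (real, mapped, net)
    statics: list = field(default_factory=list)

    def nat_rule_for(self, ingress, egress, src, dst):
        """Name the rule covering src->dst entering `ingress` and leaving `egress`,
        or return None when nat-control finds no translation for the flow."""
        src, dst = ip_address(src), ip_address(dst)
        # NAT exemption: the nat 0 ACL is matched as written for flows entering the
        # interface it is applied to, and with source/destination swapped for flows
        # arriving from the far side (Cisco documents exemption as bidirectional).
        for ifc, s_net, d_net in self.exemptions:
            if ifc == ingress and src in s_net and dst in d_net:
                return "nat 0 (forward)"
            if ifc == egress and dst in s_net and src in d_net:
                return "nat 0 (reverse)"
        # Identity static: the real subnet is reachable from the mapped interface and
        # can itself initiate, so one statement covers both directions of the pair.
        for real, mapped, net in self.statics:
            if (ingress, egress) == (real, mapped) and src in net:
                return "static identity (real side)"
            if (ingress, egress) == (mapped, real) and dst in net:
                return "static identity (mapped side)"
        return None

def scenario1():
    return Asa(exemptions=[("inside", *NONAT)])

def scenario2():
    return Asa(statics=[("inside", "dmz", IPv4Network("192.168.1.0/24"))])

def check(asa):
    """Evaluate the two flows the question asks about plus a flow to a constructed
    inside host (10.0.0.5) that neither rule covers, which nat-control drops."""
    return {
        "inside->dmz": asa.nat_rule_for("inside", "dmz", "192.168.1.10", "172.16.1.10"),
        "dmz->inside": asa.nat_rule_for("dmz", "inside", "172.16.1.10", "192.168.1.10"),
        "dmz->uncovered": asa.nat_rule_for("dmz", "inside", "172.16.1.10", "10.0.0.5"),
    }
```

`check(scenario1())` and `check(scenario2())` each return a rule name for both directions between the two subnets and None for the uncovered inside host, which shows that the scope of the nonat ACL or static is what actually limits which DMZ-to-inside flows get a translation.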

3 Replies

busterswt
Level 1

Just a thought, but I imagine the connection is bidirectional once you initiate from inside -> dmz, though only for the hosts involved in that communication. Once the connection times out then I can't see it working from dmz -> inside anymore.

To make it consistently work in both directions we apply nat exemption to both the inside and dmz interfaces, yes? nat (inside) 0 and nat (dmz) 0, with the access-list source/destination swapped.

Just theories!

James Denton

Julio Carvajal
VIP Alumni

Hello Patrick, hope you are doing fine.

Actually, these two types of NAT are bidirectional, so you can start traffic from both zones if there is an ACL permitting the traffic, just like the case you explained before, and one of these NAT statements.

As you said, the difference between those two is that one (static) generates an entry in the xlate table and the other one does not, because it never gets translated.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Patrick0711
Level 3

Thanks to both of you for the quick responses.

I will perform some additional testing tomorrow and report back.
