So let's say we have the following configuration:
ip address 192.168.1.1 255.255.255.0
ip address 172.16.1.1 255.255.255.0
access-group 100 in interface inside
access-group 99 in interface dmz
access-list 100 permit ip any any
access-list 99 permit ip any any
So let's say we want to allow communication from the inside segment to the DMZ segment using private addresses.
There are a couple of ways we can achieve this:
1.) NAT Exemption via NAT 0
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
2.) Identity NAT via static statements
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Both scenarios allow communication from the inside segment to the dmz segment while preserving the 192.168.1.X/24 source addresses using 172.16.1.X/24 addresses as the destination.
With scenario 1, I must first initiate traffic from the inside segment (192.168.1.X address) to the DMZ segment (172.16.1.X) before hosts on the dmz segment can initiate traffic to the inside segment.
With scenario 2, I can initiate traffic from either segment regardless of who first initiated a connection.
Now, I know that the identity NAT via the static statement adds an entry in the xlate table which is why either segment can initiate traffic at any time.
My question is, what mechanism controls the communication process when using NAT exemption? That is, what prevents me from initiating traffic FROM the dmz to the inside segment until I've first initiated traffic from the inside to the dmz?
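A constructed model of the behaviour described in the question, added here as an illustration (it is not code from the thread, and not the firewall vendor's implementation): a translation slot (xlate) keyed on the inside host, built permanently by a static or built on first inside-initiated packet by the nat 0 access-list, and consulted before any other rule. The security levels, the 3-hour slot timeout, the lookup order and the per-host keying are all assumptions chosen to reproduce the observation in the post, not a statement about the real packet path.

```python
"""Toy model of why the two NAT configurations in the question behave
differently in who may open a connection. Constructed example: the security
levels, the xlate timeout and the lookup order below are simplifying
assumptions, not the firewall's real implementation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed interface security levels: inside is the higher-security side.
SECURITY = {"inside": 100, "dmz": 50}
# Assumed idle timeout for a dynamically built translation slot (seconds).
XLATE_TIMEOUT = 3 * 3600

Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


@dataclass
class Packet:
    ingress: str  # interface the packet arrives on
    src: str
    dst: str


@dataclass
class Xlate:
    """Translation slot for one host on the high-security side.
    expires=None marks a permanent slot built from a static statement."""
    host: str
    expires: Optional[float]


@dataclass
class Firewall:
    # access-list nonat entries: (source net, destination net)
    nonat_acl: List[Tuple[Net, Net]] = field(default_factory=list)
    # static (inside,dmz) identity entries: nets on the inside
    statics: List[Net] = field(default_factory=list)
    xlates: Dict[str, Xlate] = field(default_factory=dict)

    def nat0_exempt(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(s in a and d in b for a, b in self.nonat_acl)

    def static_covers(self, host: str) -> bool:
        return any(ipaddress.ip_address(host) in n for n in self.statics)

    def forward(self, pkt: Packet, now: float) -> Tuple[bool, str]:
        """Decide one packet. The interface ACLs on the page are
        'permit ip any any', so only the translation lookup decides."""
        egress = "dmz" if pkt.ingress == "inside" else "inside"
        outbound = SECURITY[pkt.ingress] > SECURITY[egress]
        # Slots are keyed by the host on the high-security (inside) side.
        high_host = pkt.src if outbound else pkt.dst

        # 1. A live slot already exists: allowed either way, timer refreshed.
        slot = self.xlates.get(high_host)
        if slot is not None and (slot.expires is None or slot.expires > now):
            if slot.expires is not None:
                slot.expires = now + XLATE_TIMEOUT
            return True, "existing xlate"
        # 2. Identity static: permanent slot, built whichever side talks first.
        if self.static_covers(high_host):
            self.xlates[high_host] = Xlate(high_host, None)
            return True, "static (identity NAT)"
        # 3. nat 0 access-list: slot is only built when the inside host initiates.
        if outbound and self.nat0_exempt(pkt.src, pkt.dst):
            self.xlates[high_host] = Xlate(high_host, now + XLATE_TIMEOUT)
            return True, "nat 0 exemption (new xlate)"
        return False, "no translation group found"


def scenario_nat_exemption() -> List[bool]:
    """Scenario 1: DMZ-initiated traffic only works after inside initiates,
    only for that host, and only until the slot times out."""
    fw = Firewall(nonat_acl=[(net("192.168.1.0/24"), net("172.16.1.0/24"))])
    t = XLATE_TIMEOUT
    return [
        fw.forward(Packet("dmz", "172.16.1.10", "192.168.1.10"), now=0)[0],           # False
        fw.forward(Packet("inside", "192.168.1.10", "172.16.1.10"), now=10)[0],       # True
        fw.forward(Packet("dmz", "172.16.1.10", "192.168.1.10"), now=20)[0],          # True
        fw.forward(Packet("dmz", "172.16.1.10", "192.168.1.20"), now=20)[0],          # False
        fw.forward(Packet("dmz", "172.16.1.10", "192.168.1.10"), now=20 + t + 1)[0],  # False
    ]


def scenario_identity_static() -> List[bool]:
    """Scenario 2: either side may initiate at any time."""
    fw = Firewall(statics=[net("192.168.1.0/24")])
    return [
        fw.forward(Packet("dmz", "172.16.1.10", "192.168.1.10"), now=0)[0],     # True
        fw.forward(Packet("inside", "192.168.1.20", "172.16.1.10"), now=0)[0],  # True
    ]


if __name__ == "__main__":
    print("nat 0 exemption:", scenario_nat_exemption())
    print("identity static:", scenario_identity_static())
```

The five results of the first scenario are the sequence the question describes: denied before inside talks, allowed once a slot exists, denied for a different inside host with no slot, and denied again after the slot's idle timer runs out; the static scenario is allowed from either side at once. When checking a real device, the equivalent verification is to watch the translation table (show xlate) before and after the first inside-initiated connection rather than to trust the model.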
Just a thought, but I imagine the connection is bidirectional once you initiate from inside -> dmz, though only for the hosts involved in that communication. Once the connection times out then I can't see it working from dmz -> inside anymore.
To make it consistently work in both directions we apply nat exemption to both the inside and dmz interfaces, yes? nat (inside) 0 and nat (dmz) 0, with the access-list source/destination swapped.
Sent from my iPhone
Hello Patrick, hope you are doing fine.
Actually, these two types of NAT are bidirectional, so you can start traffic from both zones if there is an ACL permitting the traffic, just like the case you explained before, and one of these NAT statements.
As you said, the difference between those two is that one (static) generates an entry in the xlate table and the other one does not, because it never gets translated.