10-17-2011 07:22 AM - edited 03-11-2019 02:38 PM
Hi:
I have a question about using static NAT.
I want to allow hosts on the inside interface to be able to access hosts in the dmz using their real dmz IP addresses.
inside: 10.0.0.1/21
security level 100
dmz: 172.31.0.1/21
security level 25
The following command worked:
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.248.0
However, why didn't this command work?
static (dmz,inside) 172.31.0.0 172.31.0.0 netmask 255.255.248.0
Just curious.
Thanks,
Tony
10-17-2011 08:19 AM
Hi Tony,
Going from a higher security interface to a lower security interface, you essentially need a source NAT, therefore the first one is needed. If you do not have nat-control enabled, then you would just need the first statement and not the second.
Thanks,
Varun
10-17-2011 08:39 AM
Thank you, Varun.
I thought it probably had something to do with the security level.
Thanks,
Tony
10-17-2011 09:50 AM
No issues, let me know if you have any other concerns.
Varun