
Doubt about nat0

sivakumar.ks
Level 1

Hi,

I have a doubt about nat0. Following is my NAT configuration:

nat-control
global (outside) 10 interface
global (dmz-MHR) 10 interface
global (dmz-vendor) 10 interface
global (dmz-vendor) 5 MHR-redhat-PUB
nat (inside) 0 access-list inside_nat0_acl
nat (inside) 5 access-list redhat_nat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz-MHR) 0 access-list NoNatAll
nat (dmz-remote) 0 access-list NoNatAll
nat (dmz-vpn-internal) 0 access-list dmz-vpn-internal_nat0_outbound
nat (vendor2-Network) 0 access-list NoNatAll

nat0 is working well for the defined lists. But I have a doubt about whether I need to create nat0 on the outside interface so that specific traffic coming from outside to inside, or from inside to outside, will be NATted.

Please clarify this basic doubt.

Cheers,

siva

3 Replies

Hi,

It depends on your setup: if the outside interface has a public IP, then nat0 is not required for traffic from inside to outside.

Because the inside IP subnet is not routable on the outside, NAT is required.

Now, if we have a scenario wherein the inside IP subnet is routable in the outside zone, then you can go for nat0.

Yes, I understand that. But, for example, my inside interface network subnet is 10.3.0.0/16, and there is a secondary data which has a firewall; all VPNs are terminated on that firewall, and my inside network communicates via the outside interface to that firewall. So on that firewall I am receiving only the outside interface IP address, i.e. the public IP address. But I want to see the individual inside IP addresses in that log.

How can I achieve that?

I did a trial run of NAT as shown below and it was working. Following is the trial run:

static (inside,outside) 10.3.142.62 10.3.142.62 netmask 255.255.255.255

But I currently have a one-to-one NAT communicating from inside to outside, for example:

static (inside,outside) 192.200.254.200 10.3.6.62 netmask 255.255.255.255

I want to achieve the following NAT, and I have a doubt whether it will affect the existing one-to-one NAT (static (inside,outside) 192.200.254.200 10.3.142.62 netmask 255.255.255.255), or whether I need to create nat0 on the outside interface to achieve this.

The NAT I want to achieve is one which will allow inside traffic to pass to the outside as it is (without NAT):

static (inside,outside) 10.3.0.0 10.3.0.0 netmask 255.255.0.0

Please help me.

Siva

Hi,

The best way to do it is to configure an access-list.

Suppose 10.3.0.0/24 is the inside network and there is a network 20.3.0.0/24; then create the access list first and then do a nat0.

This is somewhat the same as what you already have in your config.

access-list nonat_allow_acl permit ip 10.3.0.0 255.255.255.0 20.3.0.0 255.255.255.0

Then do nat0:

nat (inside) 0 access-list nonat_allow_acl

The only difference is that it will not NAT the particular traffic mentioned in the ACL.

But if you give the static statement as below, it will do no-NAT for all traffic from inside to outside:

static (inside,outside) 10.3.0.0 10.3.0.0 netmask 255.255.0.0

Hope this helps
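To make the difference between the three approaches in this thread concrete (PAT via the outside interface, a nat 0 access-list exemption, and an identity static), the following Python model, added here as an example and not code from the thread or from Cisco, walks a flow through the NAT order of operations that applies to ASA/PIX software before 8.3: NAT exemption (nat 0 access-list) first, then static NAT, then policy dynamic NAT, then regular dynamic NAT/PAT, with nat-control dropping inside traffic that matches no rule. Everything not in the posted config is assumed: 203.0.113.10 stands in for the remote VPN-terminating firewall, 198.51.100.7 for an arbitrary Internet host, and the contents of inside_nat0_acl (which were not posted) are one constructed entry.

```python
"""Added example (not from the thread or from Cisco): a model of the pre-8.3
ASA/PIX NAT order of operations, used to trace which NAT rule the poster's
configuration applies to a flow.  Order: 1. NAT exemption (nat 0 access-list),
2. static NAT, 3. policy dynamic NAT, 4. regular dynamic NAT/PAT; with
nat-control, traffic that matches no rule is dropped.
Assumed values: 203.0.113.10 = remote VPN firewall, 198.51.100.7 = arbitrary
Internet host, inside_nat0_acl contents = one constructed entry."""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


@dataclass
class Ace:
    """One 'permit ip <src> <dst>' line of a NAT access-list."""
    src: Net
    dst: Net


@dataclass
class Static:
    """static (real_if,mapped_if) <mapped> <real> netmask <mask>  (ASA argument order)."""
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    mask: str


@dataclass
class AsaNat:
    nat_control: bool = True
    exempt: dict = field(default_factory=dict)   # ingress -> [Ace]        nat (ifc) 0 access-list
    statics: list = field(default_factory=list)
    policy: dict = field(default_factory=dict)   # ingress -> [(id, Ace)]  nat (ifc) N access-list
    dynamic: dict = field(default_factory=dict)  # ingress -> [(id, Net)]  nat (ifc) N net mask
    pools: dict = field(default_factory=dict)    # (egress, id) -> pool    global (ifc) N pool

    def lookup(self, ingress, egress, src, dst):
        """Return (rule that matched, source address as seen on the egress side)."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for ace in self.exempt.get(ingress, []):            # 1. exemption beats everything
            if s in ace.src and d in ace.dst:
                return "nat 0 access-list", src
        for st in self.statics:                             # 2. static (first match)
            real = Net(f"{st.real}/{st.mask}", strict=False)
            if st.real_if == ingress and st.mapped_if == egress and s in real:
                mapped = Net(f"{st.mapped}/{st.mask}", strict=False)
                offset = int(s) - int(real.network_address)
                return "static", str(mapped.network_address + offset)
        for nat_id, ace in self.policy.get(ingress, []):    # 3. policy dynamic NAT
            if s in ace.src and d in ace.dst and (egress, nat_id) in self.pools:
                return f"nat {nat_id} access-list", self.pools[(egress, nat_id)]
        for nat_id, net in self.dynamic.get(ingress, []):   # 4. regular dynamic NAT/PAT
            if s in net and (egress, nat_id) in self.pools:
                return f"nat {nat_id}", self.pools[(egress, nat_id)]
        if self.nat_control:                                # nat-control: no rule -> dropped
            return "drop (nat-control)", None
        return "none", src


REMOTE_FW = "203.0.113.10"   # assumed address of the VPN-terminating firewall


def posted_config():
    """The poster's inside->outside rules: global (outside) 10 interface,
    nat (inside) 0 access-list inside_nat0_acl, nat (inside) 10 0.0.0.0 0.0.0.0,
    and the one-to-one static.  The other DMZ interfaces are not modelled."""
    cfg = AsaNat(nat_control=True)
    cfg.pools[("outside", 10)] = "interface"                                   # PAT to outside IP
    cfg.exempt["inside"] = [Ace(Net("10.3.0.0/16"), Net("192.168.50.0/24"))]  # assumed ACE
    cfg.statics.append(Static("inside", "outside", "192.200.254.200", "10.3.6.62",
                              "255.255.255.255"))
    cfg.dynamic["inside"] = [(10, Net("0.0.0.0/0"))]
    return cfg


def with_exemption(cfg):
    """Second reply's advice, scoped to the VPN peer:
    access-list nonat_allow_acl permit ip 10.3.0.0 255.255.0.0 host 203.0.113.10
    nat (inside) 0 access-list nonat_allow_acl"""
    cfg.exempt.setdefault("inside", []).append(Ace(Net("10.3.0.0/16"), Net(REMOTE_FW + "/32")))
    return cfg


def with_identity_static(cfg, host):
    """The poster's trial run: static (inside,outside) <host> <host> netmask 255.255.255.255."""
    cfg.statics.append(Static("inside", "outside", host, host, "255.255.255.255"))
    return cfg


if __name__ == "__main__":
    for label, cfg in [("posted", posted_config()),
                       ("with nat 0 ACL", with_exemption(posted_config())),
                       ("identity static", with_identity_static(posted_config(), "10.3.142.62"))]:
        for src, dst in [("10.3.142.62", REMOTE_FW), ("10.3.6.62", REMOTE_FW),
                         ("10.3.6.62", "198.51.100.7")]:
            print(label, src, "->", dst, cfg.lookup("inside", "outside", src, dst))
```

Running the trace shows why the remote firewall's log only ever shows the public address: with the posted config, 10.3.142.62 falls through to nat (inside) 10 and is PATed to the outside interface. An exemption ACL scoped to the VPN peer leaves 10.3.142.62 untranslated toward that peer and leaves the 10.3.6.62 one-to-one static intact for every other destination, but because exemption is evaluated before static, 10.3.6.62 will also go to the peer untranslated; if the peer must still see 192.200.254.200, exclude that host from the nonat ACL with a deny line ahead of the permit. An identity static, by contrast, applies to every destination, which is the difference the second reply describes. The model is first-match only and does not reproduce the ASA's own rejection of overlapping static statements.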
