07-15-2008 10:16 PM - edited 03-11-2019 06:14 AM
Hi,
I am having doubt about nat0. Following is my nat controller list
nat-control
global (outside) 10 interface
global (dmz-MHR) 10 interface
global (dmz-vendor) 10 interface
global (dmz-vendor) 5 MHR-redhat-PUB
nat (inside) 0 access-list inside_nat0_acl
nat (inside) 5 access-list redhat_nat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz-MHR) 0 access-list NoNatAll
nat (dmz-remote) 0 access-list NoNatAll
nat (dmz-vpn-internal) 0 access-list dmz-vpn-internal_nat0_outbound
nat (vendor2-Network) 0 access-list NoNatAll
nat0 is working well for the defined list. But I have a doubt about whether I need to create nat0 on the outside interface so that specific traffic coming from outside to inside or from inside to outside will be natted.
Please clarify this basic doubt.
Cheers,
siva
07-15-2008 10:30 PM
Hi,
It depends on your setup. If the outside interface has a public IP, then nat0 is not required for traffic from inside to outside,
because the inside IP subnet is not routable on the outside, so NAT is required.
Now if we have a scenario where the inside IP subnet is routable in the outside zone, then you can go for nat0.
07-16-2008 01:40 AM
Yes, I understand that. But for example, my inside interface network subnet is 10.3.0.0/16 and there is a secondary data centre which has a firewall; all VPNs are terminated on that firewall and my inside network communicates with that firewall via the outside interface, so on that firewall I receive only the outside interface IP address, i.e. the public IP address. But I want to see the individual inside IP addresses in that log.
How can I achieve that?
I had a trial run of NAT as shown below and it was working. Following is the trial run:
static (inside,outside) 10.3.142.62 10.3.142.62 netmask 255.255.255.255
But I have a one-to-one NAT currently communicating from inside to outside, for example:
static (inside,outside) 10.3.6.62 192.200.254.200 netmask 255.255.255.255
I want to achieve the following NAT and I have a doubt about whether it will affect the existing one-to-one NAT (static (inside,outside) 10.3.142.62 192.200.254.200 netmask 255.255.255.255), or whether I need to create nat0 on the outside interface to achieve this.
The NAT which I want to achieve is one which will allow inside traffic as it is to the outside (without NAT):
static (inside,outside) 10.3.0.0 10.3.0.0 netmask 255.255.0.0
Please help me.
Siva
07-16-2008 02:44 AM
Hi,
The best way to do this is to configure an access-list.
Suppose 10.3.0.0/24 is the inside network and there is a network 20.3.0.0/24; then create the access-list first and then do a nat0.
This is somewhat the same as what you already have in your config.
access-list nonat_allow_acl permit ip 10.3.0.0 255.255.255.0 20.3.0.0 255.255.255.0
then do nat0
nat (inside) 0 access-list nonat_allow_acl
The only difference is it won't NAT the particular traffic mentioned in the ACL.
But if you give the static statement as below, it will do nonat for all traffic from inside to outside:
static (inside,outside) 10.3.0.0 10.3.0.0 netmask 255.255.0.0
Hope this helps
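The difference the answer turns on is the order in which a pre-8.3 ASA consults its NAT rules: nat 0 access-list exemption first, then static, then dynamic nat/global. The following Python model is an added example written for this thread, not Cisco code or anything posted above; the outside interface address 203.0.113.1 is a placeholder and treating overlapping statics as first-match in configuration order is an assumption.

```python
import ipaddress

# Constructed sample policy modelled on the thread (pre-8.3 ASA NAT syntax).
OUTSIDE_IF_IP = "203.0.113.1"  # placeholder for the outside interface address

# access-list nonat_allow_acl permit ip 10.3.0.0 255.255.255.0 20.3.0.0 255.255.255.0
NONAT_ACL = [
    (ipaddress.ip_network("10.3.0.0/24"), ipaddress.ip_network("20.3.0.0/24")),
]
# static (inside,outside) 10.3.6.62 192.200.254.200 netmask 255.255.255.255
STATICS = [
    (ipaddress.ip_network("10.3.6.62/32"), ipaddress.ip_network("192.200.254.200/32")),
]


def identity_static(net: str):
    """static (inside,outside) X X netmask M, i.e. local and mapped network identical."""
    n = ipaddress.ip_network(net)
    return (n, n)


def translate(src: str, dst: str, nonat_acl=NONAT_ACL, statics=STATICS):
    """Return (source address seen on the outside, rule that matched) for inside->outside."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption (nat (inside) 0 access-list ...) is checked first; only the
    #    source/destination pairs in the ACL are left untranslated.
    for src_net, dst_net in nonat_acl:
        if s in src_net and d in dst_net:
            return src, "nat 0 access-list (exempt)"
    # 2. Static NAT: first matching static wins (assumption: configuration order).
    #    An identity static maps each host to itself, regardless of destination.
    for local, mapped in statics:
        if s in local:
            offset = int(s) - int(local.network_address)
            return str(mapped.network_address + offset), "static"
    # 3. Dynamic NAT/PAT: nat (inside) 10 0.0.0.0 0.0.0.0 + global (outside) 10 interface
    return OUTSIDE_IF_IP, "nat 10 / global interface (PAT)"
```

With the identity static for 10.3.0.0/16 appended after the existing one-to-one static, every inside host keeps its address towards every destination, while the ACL-based exemption only spares the 10.3.0.0/24 to 20.3.0.0/24 traffic.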