Global NAT question

wilson_1234_2 (Level 3)

With the below config, since there is no "nat" for DMZ3, what will that interface see as the source address for traffic getting to servers from the outside interface?

global (outside) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
global (DMZ4) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ2) 1 192.168.2.0 255.255.255.0 0 0
nat (DMZ4) 0 access-list nonat2

ip address outside 6.2.1.130 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ1 192.168.1.1 255.255.255.0
ip address DMZ2 192.168.2.1 255.255.255.0
ip address DMZ3 192.168.3.1 255.255.255.0
ip address DMZ4 192.168.4.1 255.255.255.0

5 Replies

acomiskey (Level 10)

Wilson, I don't see a nat 0 for DMZ3? Nevermind, I misunderstood your question. There needs to be some translation for the traffic to go from DMZ3 to outside.

vitripat (Level 7)

Hi Wilson,

Assuming that you have statics in place for servers on DMZ3 as --

static (DMZ3,outside) X Y

and outside host a.a.a.a is trying to access X, then when the packet reaches Y (given that the ACL on the outside interface permits the access), Y will see the packet coming from a.a.a.a.

This is because there is no "outside" nat configured which would nat packets coming from the outside interface.

Hope this helps.

Regards,

Vibhor.

Thanks for the input,

So, is the "1" in:

global (DMZ3) 1 interface

doing anything since there is no "nat" statement?

More than that, the whole statement isn't doing anything because there is no nat, not just the 1.

I'd think the global (DMZ3) 1 would be matched when packets entering any interface with a nat (interface) 1 command had to egress the DMZ3 interface to reach their destination.
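A small model of the legacy PIX/ASA nat/global pairing this thread is about, added here as an example (it is not code from the thread or from Cisco): it parses the posted config and reports what source address a given egress interface sees. It assumes the static for the DMZ3 servers is in place as vitripat describes, and skips the nat 0 access-list exemptions because the ACLs themselves are not posted.

```python
import ipaddress

# Constructed from the config posted in the question (nat 0 access-list lines are
# kept but not evaluated: the ACLs themselves are not shown in the thread).
CONFIG = """\
global (outside) 1 interface
global (DMZ2) 1 interface
global (DMZ3) 1 interface
global (DMZ4) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ2) 1 192.168.2.0 255.255.255.0 0 0
nat (DMZ4) 0 access-list nonat2
ip address outside 6.2.1.130 255.255.255.224
ip address DMZ3 192.168.3.1 255.255.255.0
"""

def parse(cfg):
    """Split the config into nat rules, global pools and interface addresses."""
    nats, pools, addrs = [], {}, {}
    for line in cfg.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "nat" and p[3] != "access-list":
            net = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
            nats.append((p[1].strip("()"), int(p[2]), net))
        elif p[0] == "global":
            pools[(p[1].strip("()"), int(p[2]))] = p[3]
        elif p[:2] == ["ip", "address"]:
            addrs[p[2]] = p[3]
    return nats, pools, addrs

def source_seen_by(cfg, ingress, egress, src):
    """Source address the egress side sees; None = no matching global, flow dropped."""
    nats, pools, addrs = parse(cfg)
    ip = ipaddress.ip_address(src)
    for ifc, nat_id, net in nats:
        if ifc == ingress and ip in net:
            pool = pools.get((egress, nat_id))
            if pool is None:
                return None                       # "no translation group found"
            return addrs[egress] if pool == "interface" else pool  # PAT to interface IP
    # No nat on the ingress interface (the outside -> DMZ3 case): source is unchanged.
    return src

if __name__ == "__main__":
    print(source_seen_by(CONFIG, "outside", "DMZ3", "203.0.113.5"))  # 203.0.113.5
```

The second case worth trying is inside to DMZ3, where nat (inside) 1 pairs with global (DMZ3) 1 interface and the server sees 192.168.3.1, which is the pairing described in the last reply above.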
