07-26-2011 10:06 PM - edited 03-11-2019 02:04 PM
So let's say we have the following configuration:
=============================================
interface GigabitEthernet0/1
nameif inside
security-level 100
speed 1000
duplex full
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
nameif dmz
security-level 50
speed 1000
duplex full
ip address 172.16.1.1 255.255.255.0
nat-control
access-group 100 in interface inside
access-group 99 in interface dmz
access-list 100 permit ip any any
access-list 99 permit ip any any
=============================================
So let's say we want to allow communication from the inside segment to the DMZ segment using private addresses.
There are a couple of ways we can achieve this:
1.) NAT Exemption via NAT 0
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
2.) Identity NAT via static statements
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Both scenarios allow communication from the inside segment to the DMZ segment while preserving the 192.168.1.X/24 source addresses, with 172.16.1.X/24 addresses as the destination.
With scenario 1, I must first initiate traffic from the inside segment (192.168.1.X address) to the DMZ segment (172.16.1.X) before hosts on the DMZ segment can initiate traffic to the inside segment.
With scenario 2, I can initiate traffic from either segment regardless of who first initiated a connection.
Now, I know that the identity NAT via the static statement adds an entry in the xlate table which is why either segment can initiate traffic at any time.
My question is, what mechanism controls the communication process when using NAT exemption? That is, what prevents me from initiating traffic FROM the dmz to the inside segment until I've first initiated traffic from the inside to the dmz?
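As an added illustration (not part of the thread), here is a small Python model of how the two NAT options above are matched against a new connection in each direction on a pre-8.3 ASA with nat-control enabled. The matching order and the bidirectional treatment of the exemption ACL are a simplified assumption on my part, not ASA code; the config text is a constructed sample taken from the post.

```python
import ipaddress
# Constructed sample: the NAT-relevant lines of the thread's config with both options present.
CONFIG = """
nat-control
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Pull nat-control, extended ACL entries, nat 0 exemptions and statics out of 8.2-style text."""
    cfg = {"nat_control": False, "acls": {}, "exempt": {}, "statics": []}
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "nat-control":
            cfg["nat_control"] = True
        elif f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(f[1], []).append((net(f[4], f[5]), net(f[6], f[7])))
        elif f[0] == "nat" and f[2] == "0" and f[3] == "access-list":
            cfg["exempt"][f[1].strip("()")] = f[4]          # interface -> exemption ACL
        elif f[0] == "static":                               # (real,mapped) mapped real netmask m
            real_if, mapped_if = f[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, net(f[3], f[5]), net(f[2], f[5])))
    return cfg

def matching_rule(cfg, src_if, dst_if, src_ip, dst_ip):
    """Return the NAT rule covering a new connection, or None. Assumed model: the
    exemption ACL is checked first, as written from the exempted interface and with
    source/destination swapped from the other side; a static matches its real network
    from the real interface and its mapped network from the mapped interface."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ifc, acl in cfg["exempt"].items():
        for src_net, dst_net in cfg["acls"].get(acl, []):
            if ifc == src_if and s in src_net and d in dst_net:
                return f"nat-exemption {acl}"
            if ifc == dst_if and d in src_net and s in dst_net:
                return f"nat-exemption {acl} (reverse)"
    for real_if, mapped_if, real_net, mapped_net in cfg["statics"]:
        if (src_if, dst_if) == (real_if, mapped_if) and s in real_net:
            return f"static ({real_if},{mapped_if})"
        if (src_if, dst_if) == (mapped_if, real_if) and d in mapped_net:
            return f"static ({real_if},{mapped_if}) (reverse)"
    return None

def flow_allowed_by_nat(cfg, src_if, dst_if, src_ip, dst_ip):
    """With nat-control, a new connection with no matching rule is dropped; without it,
    untranslated traffic passes (interface ACLs still apply in both cases)."""
    return not cfg["nat_control"] or matching_rule(cfg, src_if, dst_if, src_ip, dst_ip) is not None
```

Note that a DMZ host outside 172.16.1.0/24 is covered only by the static, which is why the static reaches inside hosts from any remote address while the exemption is limited to the ACL's address pairs.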
07-26-2011 10:24 PM
Just a thought, but I imagine the connection is bidirectional once you initiate from inside -> dmz, though only for the hosts involved in that communication. Once the connection times out then I can't see it working from dmz -> inside anymore.
To make it consistently work in both directions we apply nat exemption to both the inside and dmz interfaces, yes? nat (inside) 0 and nat (dmz) 0, with the access-list source/destination swapped.
Just theories!
James Denton
Sent from my iPhone
07-26-2011 10:25 PM
Hello Patrick, Hope you are doing fine
Actually these two types of NAT are bidirectional, so you can start traffic from both zones if there is an ACL permitting the traffic, just like the case you explained before, and one of these NAT statements.
As you said, the difference between those two is that one (static) generates an entry in the xlate table and the other one does not, because it never gets translated.
Regards
07-27-2011 12:07 AM
Thanks to both of you for the quick responses.
I will perform some additional testing tomorrow and report back.