02-21-2012 06:54 PM - edited 03-11-2019 03:33 PM
We are trying to upgrade from 8.2 to 8.3 (or beyond) and want to know if, with the changes to NAT, we need to convert all of our NAT rules for access from the DMZ to the internal network. We have some static NAT statements for both single IPs and subnets, in addition to global NAT statements for NAT and no NAT on the DMZ interface. Can access between the networks be accomplished with ACLs only, or do I still have to use NAT?
02-21-2012 07:21 PM
I'm not sure if I understand all of your assumptions, but NAT has never been required to allow traffic between interfaces (or security zones). It's generally used between inside and/or DMZ to outside so as to allow one to have an independently managed network using private IP addressing (RFC 1918).
That said, if you're using NAT now, you can continue to do so post-upgrade. The built-in upgrade tool will parse your 8.2 configuration and convert the existing NAT statements as required. There are a few gotchas documented in other threads and a few documents here and elsewhere but generally it works well.
The Cisco TAC is well-versed in supporting such migrations and is happy to help out.
If you're upgrading from 8.2(x), I'd recommend you go straight to the current release - 8.4(3).
02-21-2012 07:44 PM
Thank you for replying, and my apologies for the vague question. In most of the firewall configurations I have seen, or examples Cisco has provided, there has always been a NAT statement like the one listed below.
static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0
If routing and proper ACLs are in place, is there a purpose or need for this type of NAT statement, which basically states "don't NAT"? My apologies if this seems like a simple question, but if the routing and ACL exist, why NAT the IPs to the same source and destination?
Thanks,
Eric
02-21-2012 08:34 PM
IF that's in place (though ACL is not required from higher security to lower - it's allowed by default) - AND there are no globals etc. affecting it AND your inside interface is at a higher security level than the DMZ - then no you don't need it. However, it doesn't hurt. As you note, it is really a "no nat" statement as written.
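For reference, here is how the identity static from the thread maps onto 8.3+ syntax, together with the explicit DMZ-to-inside permit that is needed regardless of NAT and a packet-tracer check to confirm the flow after the upgrade. This is an added example, not configuration from either poster; the object name, the DMZ host address (192.0.2.10), the inside server address (172.16.34.20), the ACL name and the port are assumed values for illustration.

```text
! 8.2 identity static, as posted in the thread
static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0

! 8.3+ equivalent (object NAT). The object name is an assumed example;
! the migration tool generates its own names.
object network obj-172.16.34.0
 subnet 172.16.34.0 255.255.255.0
 nat (inside,DMZ) static obj-172.16.34.0

! DMZ (lower security) -> inside (higher security) always needs a permit.
! In 8.3+ the ACL is written with real, untranslated addresses.
! 192.0.2.10 is a placeholder DMZ host; 172.16.34.20 a placeholder inside server.
access-list DMZ_in extended permit tcp host 192.0.2.10 172.16.34.0 255.255.255.0 eq 443
access-group DMZ_in in interface DMZ

! Post-upgrade check: the NAT phase should show the identity rule (or no
! translation at all if the rule is removed) and the result should be ALLOW.
packet-tracer input DMZ tcp 192.0.2.10 40000 172.16.34.20 443
```

A useful way to read the packet-tracer output: if the ACCESS-LIST phase drops the flow, the problem is the permit, not NAT; if the NAT phase shows the source or destination being rewritten to something other than itself, a leftover global or dynamic rule is still matching and should be reviewed before the identity static is removed.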
02-24-2012 09:38 AM
Thank you for the confirmation and the insight!