cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
871
Views
0
Helpful
4
Replies

NAT in the DMZ

emcmanamy
Level 1
Level 1

We are trying to upgrade from 8.2 to 8.3 (or beyond) and want to know if with the changes to NAT do we need to convert all of our NAT rules for access from the DMZ to the internal network. We have some static NAT statements for both single IP's and subnets in addtion to Global NAT statements for NAT and no NAT o the DMZ interface. Can access between the networks be accomplished with ACL's only or do I still have to use NAT?

1 Accepted Solution

Accepted Solutions

IF that's in place (though ACL is not required from higher security to lower - it's allowed by default) - AND there are no globals etc. affecting it AND your inside interface is at a higher security level than the DMZ - then no you don't need it. However, it doesn't hurt. As you note, it is really a "no nat" statement as written.

View solution in original post

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

I'm not sure if I understand all of your assumptions, but NAT has never been required to allow traffic between interfaces (or security zones). It's generally used between inside and/or DMZ to outside so as to allow one to have an independently managed network using private IP addressing (RFC 1918).

That said, if you're using NAT now, you can continue to do so post-upgrade. The built-in upgrade tool will parse your 8.2 configuration and convert the existing NAT statements as required. There are a few gotchas documented in other threads and a few documents here and elsewhere but generally it works well.

The Cisco TAC is well-versed in supporting such migrations and is happy to help out.

If you're upgrading from 8.2(x), I'd recommend you go straight to the current release - 8.4(3).

Thank you for replying and my apologies for the vauge question. In most of the firewal confirurations I have seen or examples Cisco has provided, there has always been a NAT statement like the one listed below.

static (inside,DMZ) 172.16.34.0 172.16.34.0 netmask 255.255.255.0

If routing and proper ACL are in place, is there a purpose or need for this type of NAT statement basically stating don't NAT? My apolgies if this seems like a simple question but if the routing and ACL exist why NAT the IP's to the same source and destination.

Thanks,

Eric

IF that's in place (though ACL is not required from higher security to lower - it's allowed by default) - AND there are no globals etc. affecting it AND your inside interface is at a higher security level than the DMZ - then no you don't need it. However, it doesn't hurt. As you note, it is really a "no nat" statement as written.

Thank you for the confirmation and the insight!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: