09-02-2009 12:45 PM - edited 03-11-2019 09:11 AM
Do I need two statements to disable nat between the inside and dmz networks, one for each interface?
09-02-2009 12:57 PM
Jeff
No, nat exemption is bidirectional so you can either do
inside net = 192.168.5.0/24
dmz net = 172.16.5.0/24
1) static NAT translation
static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
this will allow internal hosts to access DMZ hosts and DMZ hosts to access internal hosts
OR
2) access-list NONAT permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
Technically speaking, only 2) is actually not doing NAT, but 1) would achieve the same result for you.
Jon
09-02-2009 01:15 PM
So, as long as there is the 'destination' (per the nonat acl) network somewhere on another interface, it doesn't matter which interface it's on for the nat exemption to work. Correct? Because once the traffic passes through the nat 'engine', then it just gets routed to the appropriate interface.
But you still have to apply the nat exemption to an interface, does that mean that it doesn't matter which interface you apply it to?
Maybe I'm overthinking this and missing something.
09-02-2009 01:32 PM
Jeff
"But you still have to apply the nat exemption to an interface, does that mean that it doesn't matter which interface you apply it to?"
I'm assuming when you say this you mean either the inside or dmz interface because obviously if you applied it to a totally different interface it would not have the effect you wanted.
As for applying it to either the inside or dmz interface, to be honest, I have only ever applied it on the higher security interface, in this case the inside interface.
Jon
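The two answers above make two claims: that both the identity static and the nat 0 exemption are bidirectional, and that binding the exemption to an interface that neither network sits on does nothing useful. The following is an added example, not code from the original thread or from Cisco: a small Python model that parses ASA 8.2-style `access-list`, `nat ... 0 access-list` and `static (x,y)` lines and reports which line keeps a given flow untranslated. The interface layout (inside = 192.168.5.0/24, dmz = 172.16.5.0/24, everything else out the outside interface) and the longest-prefix egress lookup are assumptions standing in for the ASA routing table; the model only covers identity statics and exemption, not ordinary dynamic or static translation.

```python
"""Toy evaluator for ASA 8.2-style NAT exemption and identity static NAT.

Added illustration for the thread above, not ASA code.  It models only:
  * nat (ifc) 0 access-list NAME   (exemption, bidirectional)
  * static (real,mapped) A A netmask M   (identity static, bidirectional)
"""
import ipaddress
import re

# Constructed interface layout (assumption): one network per interface,
# with a default route out of "outside".
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.5.0/24"),
    "dmz": ipaddress.ip_network("172.16.5.0/24"),
    "outside": ipaddress.ip_network("0.0.0.0/0"),
}

_ACL = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")
_NAT0 = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
_STATIC = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def egress_interface(dst):
    """Longest-prefix match over INTERFACES (stand-in for the routing table)."""
    dst = ipaddress.ip_address(dst)
    matches = [(name, net) for name, net in INTERFACES.items() if dst in net]
    return max(matches, key=lambda kv: kv[1].prefixlen)[0]


def parse(config):
    """Split a config fragment into ACL entries, nat-0 bindings and statics.
    ASA ACLs use real netmasks (not wildcard masks), which ip_network accepts."""
    acls, exemptions, statics = {}, [], []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := _ACL.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := _NAT0.match(line):
            exemptions.append((m.group(1), m.group(2), line))
        elif m := _STATIC.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if,
                            ipaddress.ip_network(f"{mapped}/{mask}"),
                            ipaddress.ip_network(f"{real}/{mask}"), line))
    return acls, exemptions, statics


def exempt_rule(config, ingress, src, dst):
    """Return the config line that keeps src->dst untranslated, or None."""
    acls, exemptions, statics = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = egress_interface(dst)

    # Exemption is evaluated first.  It is bound to one interface, but matches
    # in both directions: traffic entering that interface that matches the ACL,
    # and traffic leaving it whose mirror image would have matched.
    for iface, name, line in exemptions:
        for s_net, d_net in acls.get(name, []):
            if ingress == iface and src in s_net and dst in d_net:
                return line
            if egress == iface and dst in s_net and src in d_net:
                return line

    # Identity static: real and mapped networks are the same, so the address
    # is "translated" to itself, again from either side.
    for real_if, mapped_if, mapped_net, real_net, line in statics:
        if mapped_net != real_net:
            continue  # a real translation, not an identity; out of scope here
        if ingress == real_if and egress == mapped_if and src in real_net:
            return line
        if ingress == mapped_if and egress == real_if and dst in mapped_net:
            return line
    return None


# The two options from the thread, plus a deliberately mis-bound variant.
OPTION_IDENTITY_STATIC = (
    "static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0"
)
OPTION_NAT_EXEMPTION = """
access-list NONAT permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""
# Same ACL bound to an interface neither network lives on (constructed case).
MISBOUND_EXEMPTION = """
access-list NONAT permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (outside) 0 access-list NONAT
"""

if __name__ == "__main__":
    for label, cfg in [("identity static", OPTION_IDENTITY_STATIC),
                       ("nat 0", OPTION_NAT_EXEMPTION),
                       ("nat 0 on outside", MISBOUND_EXEMPTION)]:
        print(label, "inside->dmz:", exempt_rule(cfg, "inside", "192.168.5.10", "172.16.5.20"))
        print(label, "dmz->inside:", exempt_rule(cfg, "dmz", "172.16.5.20", "192.168.5.10"))
        print(label, "inside->internet:", exempt_rule(cfg, "inside", "192.168.5.10", "8.8.8.8"))
```

Running it shows both the identity static and the inside-bound nat 0 exempting the inside-to-dmz and dmz-to-inside flows while leaving inside-to-internet subject to normal NAT, and the outside-bound copy of the same ACL exempting nothing, which is the practical reason the exemption is bound to the inside (higher-security) interface as described above.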