09-21-2004 09:47 AM - edited 02-20-2020 11:38 PM
I'm still digging into this, but have a need to not NAT any traffic starting on the inside to 2 of my lower-security interfaces (dmz1 & dmz2), but have that same traffic PATed to the interface address if it goes out the outside interface.
I'm using nat (inside) 0 0.0.0.0 0.0.0.0 for the non-NATing of traffic that goes from inside to dmz1 & dmz2. So, this keeps me from putting in another nat statement [like nat (inside) 1 0.0.0.0 0.0.0.0] as that causes an error message saying the nat statements overlap. Makes a certain amount of sense.
It looks like a "static (inside,outside) interface 10.1.1.0 netmask 255.255.255.0" would be the perfect solution. But I get an "Invalid netmask with interface option" error message when I try to input that. So, that must not be able to do groups of addresses. It also only lets me do a single static to the interface address, so that is not going to fly even if I was willing to type in every host individually.
I was hoping that static command would let me overload all the inside addresses to the outside interface address when data is going out the "outside" interface, while the "nat (inside) 0" lets me non-NAT anything going to dmz1 & dmz2, but no dice.
Any thoughts on what I'm missing here? There has got to be a way to do this.
Thanks!
09-21-2004 10:31 AM
Have you tried this?
Let's say you have:
192.168.0.0/24 on inside
192.168.1.0/24 on DMZ1
192.168.2.0/24 on DMZ2
access-list NoNATinside permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNATinside permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NoNATinside
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface
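To see why the NAT exemption and the dynamic PAT can coexist, here is a small model of the PIX translation lookup for the configuration in the answer above (an added example, not code from the post or from Cisco). It assumes an outside interface address of 203.0.113.2, interface names "inside", "dmz1", "dmz2", "outside", and models a packet with no matching nat/global pair as dropped.

```python
import ipaddress

# Constructed input: the configuration given in the answer above.
PIX_CONFIG = """
access-list NoNATinside permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNATinside permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NoNATinside
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface
"""
INTERFACE_ADDR = {"outside": "203.0.113.2"}  # assumed outside address, not from the post

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse(config):
    """Split the config into ACLs, nat-0 exemptions, dynamic nat rules and globals."""
    acls, exempt, nat, glob = {}, {}, {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2] == "permit":
            acls.setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[0] == "nat":
            ifc = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":
                exempt[ifc] = t[4]                      # NAT exemption by ACL
            else:
                nat.setdefault(ifc, []).append((int(t[2]), net(t[3], t[4])))
        elif t[0] == "global":
            glob[(t[1].strip("()"), int(t[2]))] = t[3]  # pool or "interface"
    return acls, exempt, nat, glob

def translate(cfg, ingress, egress, src, dst):
    """Return ("identity"|"pat"|"drop", translated source address)."""
    acls, exempt, nat, glob = cfg
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. nat 0 access-list is checked first and matches on source AND destination,
    #    so the same inside host is untouched toward the DMZs yet PATed outbound.
    for src_net, dst_net in acls.get(exempt.get(ingress, ""), []):
        if s in src_net and d in dst_net:
            return ("identity", src)
    # 2. Dynamic nat needs a global with the same id on the egress interface;
    #    "interface" means PAT behind that interface's own address.
    for nat_id, src_net in nat.get(ingress, []):
        if s in src_net and (egress, nat_id) in glob:
            pool = glob[(egress, nat_id)]
            return ("pat", INTERFACE_ADDR[egress] if pool == "interface" else pool)
    # 3. No translation matched: modelled as a drop (assumption of this model).
    return ("drop", None)
```

The model shows the intended split: inside-to-DMZ flows hit the exemption and keep their real source, while inside-to-outside flows fall through to the nat 1/global 1 pair and leave as the outside interface address.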
09-21-2004 11:59 AM
Way cool! Did not notice an ACL as being an option for NAT commands.
Waaaaay cool!
Thanks!