07-13-2011 12:38 AM - edited 03-11-2019 01:58 PM
Hello
Inside Network - 192.168.100.0
DMZ Network - 192.168.200.0
static (inside,dmz) 192.168.100.1 access-list inside_dmz_static_nat
access-list inside_dmz_static_nat extended permit ip host 192.168.100.1 any
This actually works. But my question is
isn't the actual way of doing the same above to be
static (dmz,inside) inside_ip access-list inside_to_dmz_static_nat
access-list inside_dmz_static_nat extended permit ip 192.168.100.1 any
Thanks
07-13-2011 12:43 AM
Hi Sid,
The nats:
static (inside,dmz) 192.168.100.1 access-list inside_dmz_static_nat
access-list inside_dmz_static_nat extended permit ip host 192.168.100.1 any
and
static (inside,dmz) 192.168.100.1 192.168.100.1
are equivalent.
Thanks,
Varun
07-13-2011 12:57 AM
Hello Varun,
So basically we are doing a nat exempt here. Can you confirm this?
Thanks
07-13-2011 01:12 AM
Yes, this is called identity NAT. In NAT exempt, if you are going from a particular source to a particular destination, you don't want the traffic to be NATted; it should be exempted. In this case, if someone wants to access the server 192.168.100.1, they would do it on its own real IP address. Logically they are the same. Both the NATs are a part of identity NAT. One is called nat-exempt and the other is called self-static identity NAT.
The difference is that the ASA would create an xlate for self-static NAT, but there would not be any xlate for nat-exempt.
Hope I was able to clear out your doubts.
Thanks,
Varun
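An added example, not part of the thread and not Cisco tooling: a small Python audit that classifies pre-8.3 ASA NAT statements as self-static identity NAT (xlate created) or NAT exemption (no xlate), following the distinction in the reply above, and flags a statement that references an undefined access-list. The sample config, the ACL names in it and the function name are constructed; the regexes cover only the statement forms shown.

```python
import re

# Constructed sample in pre-8.3 ASA syntax (networks from the thread, names made up).
SAMPLE_CONFIG = """\
access-list inside_dmz_static_nat extended permit ip host 192.168.100.1 any
access-list inside_nonat extended permit ip host 192.168.100.1 192.168.200.0 255.255.255.0
static (inside,dmz) 192.168.100.1 access-list inside_dmz_static_nat
static (inside,dmz) 192.168.100.2 192.168.100.2 netmask 255.255.255.255
static (inside,dmz) 192.168.100.3 access-list inside-dmz-typo
nat (inside) 0 access-list inside_nonat
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (?:host (\S+)|(\S+) (\S+)) ")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (?:access-list (\S+)|(\S+))")
EXEMPT_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")

def classify_nat(config):
    """Return (line, kind, creates_xlate) for every NAT statement in config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acl_sources = {}  # ACL name -> set of source addresses it matches
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acl_sources.setdefault(m.group(1), set()).add(m.group(2) or m.group(3))
    results = []
    for line in lines:
        s, e = STATIC_RE.match(line), EXEMPT_RE.match(line)
        if s:
            mapped, acl, real = s.group(3), s.group(4), s.group(5)
            if acl and acl not in acl_sources:
                # Referenced ACL is never defined, e.g. hyphen/underscore mix-up.
                results.append((line, "dangling-acl", None))
            elif (acl and acl_sources[acl] == {mapped}) or real == mapped:
                # Mapped address equals real address: identity NAT, xlate is built.
                results.append((line, "self-static-identity", True))
            else:
                results.append((line, "static-translation", True))
        elif e:
            # nat 0 with an ACL is NAT exemption: no xlate per the reply above.
            known = e.group(2) in acl_sources
            results.append((line, "nat-exempt" if known else "dangling-acl",
                            False if known else None))
    return results

if __name__ == "__main__":
    for line, kind, xlate in classify_nat(SAMPLE_CONFIG):
        print(f"{kind:22} xlate={xlate!s:5} {line}")
```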
07-13-2011 01:31 AM
Thanks Varun
07-13-2011 01:35 AM
You're welcome