10-17-2011 07:22 AM - edited 03-11-2019 02:38 PM
Hi:
I have a question about using static NAT.
I want to allow hosts on the inside interface to be able to access hosts in the dmz using their real dmz IP addresses.
inside: 10.0.0.1/21
security level 100
dmz: 172.31.0.1/21
security level 25
The following command worked:
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.248.0
However, why didn't this command work?
static (dmz,inside) 172.31.0.0 172.31.0.0 netmask 255.255.248.0
Just curious.
Thanks,
Tony
10-17-2011 08:19 AM
Hi Tony,
Going from a higher security interface to a lower security interface, you essentially need a source NAT, therefore the first one is needed. If you do not have nat-control enabled, then you would just need the first statement and not the second.
Thanks,
Varun
10-17-2011 08:39 AM
Thank you, Varun.
I thought it probably had something to do with the security level.
Thanks,
Tony
10-17-2011 09:50 AM
No issues, let me know if you have any other concerns.
Varun