Twice NAT Overlap

Jared Burton
Level 1

Hi All,

I have a quick question regarding some twice nat configurations.

I need to know if the following twice nat statement is necessary. (Firewall Spring Cleaning)

Example:

I have a destination in my DMZ that is being natted by yet another Firewall. In this example, the second firewall is obj-dmzhost1, the destination behind the second firewall is 192.168.0.1.

My primary Firewall has a route to the 192.168.0.0 network towards the DMZ.

So I have the following rules:

nat (inside,dmz) source dynamic object-group1 obj-patIP1

nat (inside,dmz) source dynamic object-group1 obj-patIP1 destination static obj-dmzhost1 obj-192.168.0.1

If the first statement is for PATing all sources in object-group1 against obj-patIP1 that is on its way to anything in the DMZ, is the second statement really necessary? In testing, I don't see a justification for having it as I can reach 192.168.0.1 without the second statement using the first statement.

Just trying to understand when/where and why to use the entirety of the command, as opposed to just the first version.

Thank you in advance everyone!

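The following is an added model of how the two lines quoted in the post translate a flow; it is not the poster's configuration and not ASA code. The post names the objects but gives only the 192.168.0.1 address, so the other object contents below (the inside range, the PAT address, the second firewall's DMZ address) are constructed assumptions. The model encodes two properties of ASA manual NAT: in the `destination static` clause the mapped object comes first and the real object second, and section 1 rules are evaluated top-down with the first match winning.

```python
"""Model of the two twice-NAT lines from the post (added example, not the
poster's configuration). Object addresses marked 'assumed' are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Object definitions. Only 192.168.0.1 comes from the post; the rest are assumed.
OBJECTS = {
    "object-group1": [ipaddress.ip_network("10.1.0.0/16")],    # inside users (assumed)
    "obj-patIP1": [ipaddress.ip_network("172.16.1.10/32")],    # PAT address on dmz (assumed)
    "obj-dmzhost1": [ipaddress.ip_network("172.16.1.50/32")],  # second firewall (assumed)
    "obj-192.168.0.1": [ipaddress.ip_network("192.168.0.1/32")],
}


def in_object(name: str, addr: str) -> bool:
    """True if addr falls inside any network that the named object contains."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OBJECTS[name])


def first_address(name: str) -> str:
    """Address used when a packet is rewritten to a single-host object."""
    return str(OBJECTS[name][0].network_address)


@dataclass(frozen=True)
class TwiceNatRule:
    """nat (real_ifc,mapped_ifc) source dynamic SRC_REAL SRC_MAPPED
           [destination static DST_MAPPED DST_REAL]

    In the destination clause the ASA syntax lists the MAPPED object first
    (the address the inside host sends to) and the REAL object second (the
    address the packet leaves the ASA with)."""
    real_ifc: str
    mapped_ifc: str
    src_real: str
    src_mapped: str
    dst_mapped: Optional[str] = None
    dst_real: Optional[str] = None

    def matches(self, src: str, dst: str) -> bool:
        if not in_object(self.src_real, src):
            return False
        if self.dst_mapped is None:      # no destination clause: any destination matches
            return True
        return in_object(self.dst_mapped, dst)

    def apply(self, src: str, dst: str) -> Tuple[str, str]:
        new_src = first_address(self.src_mapped)   # dynamic PAT: every source shares one IP
        new_dst = first_address(self.dst_real) if self.dst_real else dst
        return new_src, new_dst


# The two lines from the post, as rule objects.
RULE_PAT_ONLY = TwiceNatRule("inside", "dmz", "object-group1", "obj-patIP1")
RULE_WITH_DEST = TwiceNatRule("inside", "dmz", "object-group1", "obj-patIP1",
                              "obj-dmzhost1", "obj-192.168.0.1")


def translate(rules: List[TwiceNatRule], src: str, dst: str):
    """Section 1 (manual) NAT: rules are checked in order, first match wins.
    Returns (index of the matching rule or None, translated src, translated dst)."""
    for idx, rule in enumerate(rules):
        if rule.matches(src, dst):
            new_src, new_dst = rule.apply(src, dst)
            return idx, new_src, new_dst
    return None, src, dst


if __name__ == "__main__":
    inside_host = "10.1.2.3"                       # assumed member of object-group1
    for label, rules in [("first line only", [RULE_PAT_ONLY]),
                         ("both lines, specific first", [RULE_WITH_DEST, RULE_PAT_ONLY]),
                         ("both lines, general first", [RULE_PAT_ONLY, RULE_WITH_DEST])]:
        for dst in ("192.168.0.1", first_address("obj-dmzhost1")):
            print(label, "| to", dst, "->", translate(rules, inside_host, dst))
```

Run stand-alone it prints the translated flow for each rule order. With the first line alone, a packet addressed to 192.168.0.1 is PATed and forwarded to 192.168.0.1 over the DMZ route the post describes, which is the behaviour the poster observed. The second line only ever rewrites packets whose original destination is the obj-dmzhost1 address, changing it to 192.168.0.1; it never matches a packet that was already sent to 192.168.0.1. Because section 1 is first-match, that second line can only take effect if it sits above the general PAT line, so when reviewing the ordering it is worth checking whether any client actually addresses obj-dmzhost1 rather than 192.168.0.1 directly.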