08-17-2011 05:50 PM - edited 03-11-2019 02:13 PM
Hi All
I want to set up my FWSM so that the outside networks can communicate with the inside networks on their real IP addresses and vice versa. This is not an Internet-facing firewall and is only being used to filter traffic between some secure networks; all of the users, domain controllers etc. will sit on the outside, and the mission-critical devices will sit on the inside networks.
Should I disable NAT control,
or create NAT rules similar to below using identity NAT?
nat (inside) 0 10.1.1.0 255.255.255.0
and
nat (outside) 0 10.1.20.0 255.255.255.0
Thanks for any assistance
Cheers
Richard
08-17-2011 07:20 PM
Hi,
You can do both: either disable nat-control and just allow the traffic from outside to inside through ACLs, or use NAT exempt, something like this:
Let's say your source network on outside is 10.0.0.0/8 and inside is 20.1.0.0/16, then
access-list nonat permit ip 10.0.0.0 255.0.0.0 20.1.0.0 255.255.0.0
nat (outside) 0 access-list nonat
This would translate the ip into themselves, and is the correct way to do it.
Hope this helps.
Thanks,
Varun
Please rate helpful posts
08-17-2011 07:29 PM
Thanks for the reply,
What is the main difference between using identity nat and disabling nat control
Is there a benefit to keeping nat control on and using the nat (outside) 0 method
08-17-2011 07:34 PM
Well there is no difference, enabling nat-control and using identity nat is only helpful if you want to nat all traffic but some specific traffic or subnet need not be natted, so you use nat exempt.
Moreover, NAT exempt is helpful because you can specify the destination as well, along with the source, so as in my example, if the same subnet is going to 30.0.0.0, it would need NATting, so it makes things a bit flexible.
Hope this helps
Thanks,
Varun
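To put the two options from the replies above side by side, here is an added FWSM configuration example that is not from either poster. It assumes interfaces named outside (security level 0) and inside (100), the networks from Varun's example (outside users on 10.0.0.0/8, inside servers on 20.1.0.0/16, a third network 30.0.0.0/8 behind inside that should still be translated), and a constructed service port and PAT address; interface names, ports and addresses are placeholders to adapt.

```cisco
! Added example, not from the thread. Assumed interfaces: outside (0), inside (100).
!
! --- Option A: nat-control disabled ---
! Nothing is translated and no nat statement is needed; the interface ACL alone
! decides what crosses from outside (low security) to inside (high security).
no nat-control
access-list OUTSIDE_IN permit tcp 10.0.0.0 255.0.0.0 20.1.0.0 255.255.0.0 eq 1433
access-list OUTSIDE_IN deny ip any any
access-group OUTSIDE_IN in interface outside
!
! --- Option B: nat-control kept on, NAT exempt for the secure subnets only ---
nat-control
! Outside users talking to the inside servers keep their real addresses.
! The nonat ACL carries source AND destination, so only this pair is exempt.
access-list NONAT permit ip 10.0.0.0 255.0.0.0 20.1.0.0 255.255.0.0
nat (outside) 0 access-list NONAT
! The same outside users reaching 30.0.0.0/8 do not match NONAT, so with
! nat-control on they still need a translation (outside NAT onto a constructed
! PAT address on the inside side). Without this line that traffic is dropped.
nat (outside) 1 10.0.0.0 255.0.0.0 outside
global (inside) 1 20.1.255.250
! Exempting from NAT does not permit the flow; the interface ACL is still required.
access-group OUTSIDE_IN in interface outside
```

Whichever option you pick, the ACL is the control that matters for this design: NAT exemption only decides whether addresses are rewritten, not whether the flow is allowed. After applying, `show xlate` should show no entries for the exempted pair and `show access-list OUTSIDE_IN` hit counts confirm which lines the traffic is actually matching.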