12-19-2005 08:58 PM - edited 03-09-2019 01:24 PM
Anyone know of a way to exclude a range of IP addresses from Static NAT?
The inside interface has the majority of 10.0.0.0 /8 networks. The DMZ interface, unfortunately, has a /24 out of the 10.0.0.0/8 network, say 10.0.28.0 /24. How do I exclude this network from the static statement:
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
The way I have it right now is that I had to break everything down and list the subnets individually like:
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.240.0
static (inside,outside) 10.0.16.0 10.0.16.0 netmask 255.255.248.0
static (inside,outside) 10.0.24.0 10.0.24.0 netmask 255.255.254.0
static (inside,outside) 10.0.26.0 10.0.26.0 netmask 255.255.255.0
static (inside,outside) 10.0.29.0 10.0.29.0 netmask 255.255.255.0
static (inside,outside) 10.0.30.0 10.0.30.0 netmask 255.255.254.0
static (inside,outside) 10.0.32.0 10.0.32.0 netmask 255.255.224.0
static (inside,outside) 10.0.64.0 10.0.64.0 netmask 255.255.192.0
static (inside,outside) 10.0.128.0 10.0.128.0 netmask 255.255.128.0
static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) 10.2.0.0 10.2.0.0 netmask 255.254.0.0
Etc, etc, all the way to 10.255.0.0
Thanks,
Steve
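Added example (not part of the original posts): a Python helper that computes the minimal set of subnets covering a supernet with one or more networks carved out, then emits identity static lines in the syntax used in the question. The function names are assumptions, and it generalizes beyond the post by accepting several excluded networks.

```python
import ipaddress


def carve(supernet, excluded):
    """Return the sorted minimal list of networks covering supernet minus excluded."""
    blocks = [ipaddress.ip_network(supernet)]
    for raw in excluded:
        hole = ipaddress.ip_network(raw)
        remaining = []
        for block in blocks:
            if block.subnet_of(hole):
                # Block lies entirely inside the excluded range: drop it.
                continue
            if hole.subnet_of(block):
                # Split the block around the hole, keeping the sibling subnets.
                remaining.extend(block.address_exclude(hole))
            else:
                # Disjoint from the hole: keep unchanged.
                remaining.append(block)
        blocks = remaining
    return sorted(blocks)


def identity_statics(supernet, excluded, real_if="inside", mapped_if="outside"):
    """Render one identity static line per remaining block."""
    return [
        f"static ({real_if},{mapped_if}) {b.network_address} "
        f"{b.network_address} netmask {b.netmask}"
        for b in carve(supernet, excluded)
    ]


def covered_addresses(supernet, excluded):
    """Total addresses still covered; a quick sanity check on the carve."""
    return sum(b.num_addresses for b in carve(supernet, excluded))


if __name__ == "__main__":
    # Values taken from the question: 10.0.0.0/8 inside, 10.0.28.0/24 on the DMZ.
    for line in identity_statics("10.0.0.0/8", ["10.0.28.0/24"]):
        print(line)
```

Review the generated lines before pasting them into a configuration, and confirm that no block overlaps the DMZ network.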
12-20-2005 09:01 PM
Use a
nat (inside) 0
The ACL will have a deny in it for that network before the accepts.
Or upgrade to version 7, where you can use the nat-control feature.
12-21-2005 03:34 PM
You mentioned "The DMZ interface, unfortunately, has a /24 out of the 10.0.0.0/8 network".
The static command works with the two interfaces as stated,
e.g. the one you posted:
static (inside,outside) 10.2.0.0 10.2.0.0 netmask 255.254.0.0
This works between the inside and outside, and has nothing to do with the DMZ.