Excluding Subnet From Static NAT?

ss8568
Level 1

Anyone know of a way to exclude a range of IP addresses from Static NAT?

The inside interface has the majority of 10.0.0.0 /8 networks. The DMZ interface, unfortunately, has a /24 out of the 10.0.0.0/8 network, say 10.0.28.0 /24. How do I exclude this network from the static statement:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

The way I have it right now is that I had to break everything down and list the subnets individually like:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.240.0

static (inside,outside) 10.0.16.0 10.0.16.0 netmask 255.255.248.0

static (inside,outside) 10.0.24.0 10.0.24.0 netmask 255.255.254.0

static (inside,outside) 10.0.26.0 10.0.26.0 netmask 255.255.255.0

static (inside,outside) 10.0.29.0 10.0.29.0 netmask 255.255.255.0

static (inside,outside) 10.0.30.0 10.0.30.0 netmask 255.255.254.0

static (inside,outside) 10.0.32.0 10.0.32.0 netmask 255.255.224.0

static (inside,outside) 10.0.64.0 10.0.64.0 netmask 255.255.192.0

static (inside,outside) 10.0.128.0 10.0.128.0 netmask 255.255.128.0

static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

static (inside,outside) 10.2.0.0 10.2.0.0 netmask 255.254.0.0

Etc, etc, all the way to 10.255.0.0

Thanks,

Steve
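The list in the question is the set of CIDR blocks left over when one /24 is carved out of a /8. That set can be derived mechanically rather than by hand: split the supernet in halves, keep every half that does not contain the excluded block, and recurse into the half that does. The added example below (not part of the thread) does that with Python's `ipaddress` module, prints one identity static per resulting block using the `static (inside,outside) ... netmask ...` syntax from the question, and includes a check that the generated blocks really partition "supernet minus excluded" (no overlap, no gap, and the excluded block untouched). The check is the useful part when a list like this is built by hand; the interface names and the 10.0.0.0/8 and 10.0.28.0/24 values are taken from the question.

```python
import ipaddress
from itertools import combinations

# Added example (not code from the thread): derive the CIDR blocks that cover
# a supernet minus one carved-out subnet, emit one static per block, and
# verify that the result is a clean partition.


def complement_prefixes(supernet, excluded):
    """Minimal set of CIDR blocks equal to `supernet` with `excluded` removed."""
    sup = ipaddress.ip_network(supernet)
    exc = ipaddress.ip_network(excluded)
    if not exc.subnet_of(sup):
        raise ValueError(f"{exc} is not inside {sup}")
    # address_exclude() halves the supernet repeatedly down to the excluded
    # prefix length, keeping each half that does not contain the excluded block.
    return sorted(sup.address_exclude(exc))


def static_statements(supernet, excluded, inside="inside", outside="outside"):
    """Identity static statements, in the syntax used in the question, for each block."""
    return [
        f"static ({inside},{outside}) {n.network_address} {n.network_address} netmask {n.netmask}"
        for n in complement_prefixes(supernet, excluded)
    ]


def verify_cover(supernet, excluded, prefixes):
    """True only if `prefixes` partition supernet-minus-excluded:
    every block inside the supernet, none touching the excluded block,
    no two blocks overlapping, and the address count leaves no gap."""
    sup = ipaddress.ip_network(supernet)
    exc = ipaddress.ip_network(excluded)
    nets = [ipaddress.ip_network(str(p)) for p in prefixes]
    if any(not n.subnet_of(sup) or n.overlaps(exc) for n in nets):
        return False
    if any(a.overlaps(b) for a, b in combinations(nets, 2)):
        return False
    # With no overlaps, a gap shows up as a shortfall in the address count.
    return sum(n.num_addresses for n in nets) == sup.num_addresses - exc.num_addresses


if __name__ == "__main__":
    supernet, carved_out = "10.0.0.0/8", "10.0.28.0/24"   # values from the question
    for line in static_statements(supernet, carved_out):
        print(line)
    blocks = complement_prefixes(supernet, carved_out)
    print(f"{len(blocks)} blocks, partition ok: {verify_cover(supernet, carved_out, blocks)}")
```

Running it prints 16 static lines, from 10.0.0.0/20 up to 10.128.0.0/9. Feeding a hand-written list into `verify_cover` instead of the generated one is the quickest way to spot a /24 that was dropped or a block that was split one level too far.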

2 Replies

itchampnz
Level 1

Use a

nat (inside) 0

the acl will have a deny in for that network before the accepts.

Or... upgrade to version 7 where you can use the nat-control feature.

jackko
Level 7

you mentioned "The DMZ interface, unfortunately, has a /24 out of the 10.0.0.0/8 network".

the static command works with the two interfaces as stated.

e.g. the one you posted.

static (inside,outside) 10.2.0.0 10.2.0.0 netmask 255.254.0.0

this works between the inside and outside, and has nothing to do with the dmz.