01-19-2006 10:20 PM - edited 03-09-2019 01:41 PM
I currently have
nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
global (outside) 1 192.168.10.1 netmask 255.255.255.224
I'd like to add
nat (DMZ) 1 192.168.1.3 255.255.255.255 0 0
Do I need to remove
nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
and use access-list to deny specific networks behind DMZ but allow 192.168.1.3?
01-20-2006 02:57 AM
Hello,
Please see inline -
> Do I need to remove
> nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
No, you don't have to, because NAT with an ID (in your case) will take precedence over NAT with ID zero. So, if you have the above statement along with the new one, the one you will be adding will be translated to the global IP and the rest will go untranslated.
Regarding whether you need to use ACL, that depends on your security policy. If you want to allow only a specific host then you can create the ACL and apply on the DMZ interface, but this is not required.
Thanks,
Mynul
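To make the precedence described above concrete, here is an added model (not from the thread or from Cisco) of how the two nat statements plus the global line resolve for a DMZ host. It assumes the behaviour Mynul describes: among regular nat statements on an interface, the most specific matching network wins, so the /32 under ID 1 beats nat 0's 0.0.0.0/0 and everything else stays untranslated.

```python
import ipaddress
import re

# Constructed sample: the poster's existing config plus the proposed nat (DMZ) 1 line.
CONFIG = """
nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 192.168.1.3 255.255.255.255 0 0
global (outside) 1 192.168.10.1 netmask 255.255.255.224
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def parse(config):
    """Return (nat_rules, globals): nat rules as (iface, id, network),
    globals as {id: (iface, address)}. Hypothetical parser, PIX-style syntax only."""
    nats, globs = [], {}
    for line in config.strip().splitlines():
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, addr, mask = m.groups()
            # ipaddress accepts dotted-quad masks, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
            nats.append((iface, int(nat_id), ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, addr = m.groups()
            globs[int(nat_id)] = (iface, addr)
    return nats, globs


def select_nat(nats, globs, iface, src):
    """Pick the nat rule for a source host on iface.
    Assumption (modelling the answer above): the most specific matching network wins,
    so nat 1 192.168.1.3/32 beats nat 0 0.0.0.0/0 for that host only.
    Returns ('identity', None) for nat 0, ('dynamic', global_address) otherwise."""
    host = ipaddress.ip_address(src)
    matches = [(r[2].prefixlen, r[1]) for r in nats if r[0] == iface and host in r[2]]
    if not matches:
        return ("none", None)
    _, nat_id = max(matches)  # longest prefix first
    if nat_id == 0:
        return ("identity", None)
    return ("dynamic", globs[nat_id][1])


if __name__ == "__main__":
    nats, globs = parse(CONFIG)
    print(select_nat(nats, globs, "DMZ", "192.168.1.3"))  # ('dynamic', '192.168.10.1')
    print(select_nat(nats, globs, "DMZ", "192.168.1.7"))  # ('identity', None)
```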
01-20-2006 06:51 AM
Thanks for your help. I wasn't sure whether tag 0 has precedence over tag 1. If so, nothing would be translated, so
nat (DMZ) 1 192.168.5.1 255.255.255.255 0 0
will have no effect. I can't find any docs that say 0 will be executed before 1.