Mixed NAT and PAT

normanzhang
Level 1

I currently have

nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0

global (outside) 1 192.168.10.1 netmask 255.255.255.224

I like to add

nat (DMZ) 1 192.168.1.3 255.255.255.255 0 0

Do I need to remove

nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0

and use access-list to deny specific networks behind DMZ but allow 192.168.1.3?

2 Replies

mhoda
Level 5

Hello,

Please see inline -

> Do I need to remove

> nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0

No, you don't have to, because NAT with an ID (in your case) will take precedence over NAT with the ID being ZERO. So, if you have the above statement along with the new one, the one you will be adding will be translated to the global IP and the rest will go untranslated.

Regarding whether you need to use ACL, that depends on your security policy. If you want to allow only a specific host then you can create the ACL and apply on the DMZ interface, but this is not required.

Thanks,

Mynul
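To check what the precedence described in this reply means for the hosts behind the DMZ, here is a small config-review script. It is an added example, not code from this thread or from Cisco; it models the behaviour the reply states (the specific nat 1 statement wins over the nat 0 catch-all) as a longest-prefix match, which is an assumption of the script, and the config text it parses is constructed from the statements quoted in the question. For each host it reports whether the host is translated through a global pool or leaves the DMZ untranslated, which is the exposure a defender actually wants to see before adding the new statement.

```python
import ipaddress
import re

# Constructed sample: the two existing statements from the question plus the
# one the poster wants to add. Not taken from a real device.
SAMPLE_CONFIG = """
nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 192.168.1.3 255.255.255.255 0 0
global (outside) 1 192.168.10.1 netmask 255.255.255.224
"""

# Only the leading fields matter here; the trailing "0 0" (max conns, embryonic
# limit) on the nat lines is ignored.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def parse_config(text):
    """Return (nat_entries, global_pools) parsed from nat/global lines."""
    nats, pools = [], {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, addr, mask = m.groups()
            # ipaddress accepts dotted netmasks, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            nats.append((iface, int(nat_id), net))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, addr = m.groups()
            pools.setdefault(int(nat_id), []).append((iface, addr))
    return nats, pools


def select_nat(nats, iface, host):
    """Pick the nat statement on `iface` that matches `host` most specifically.

    Assumption (from the reply above): a narrower statement such as the /32 for
    192.168.1.3 takes precedence over the 0.0.0.0/0 catch-all with ID 0.
    """
    ip = ipaddress.ip_address(host)
    candidates = [(net.prefixlen, nat_id, net)
                  for (i, nat_id, net) in nats if i == iface and ip in net]
    if not candidates:
        return None
    candidates.sort(key=lambda c: c[0], reverse=True)
    _, nat_id, net = candidates[0]
    return nat_id, net


def translation_for(nats, pools, iface, host):
    """Describe what happens to outbound traffic from `host` on `iface`."""
    sel = select_nat(nats, iface, host)
    if sel is None:
        # With nat-control enabled the PIX drops traffic that matches no nat statement.
        return {"host": host, "nat_id": None, "result": "no matching nat statement"}
    nat_id, _net = sel
    if nat_id == 0:
        # nat 0 without an access-list is identity NAT: the real address leaves as-is.
        return {"host": host, "nat_id": 0, "result": "identity (untranslated)"}
    pool = pools.get(nat_id)
    if not pool:
        return {"host": host, "nat_id": nat_id, "result": "nat id has no global pool"}
    out_iface, addr = pool[0]
    return {"host": host, "nat_id": nat_id,
            "result": f"translated via global {addr} on {out_iface}"}


def audit(config_text, iface, hosts):
    """Run translation_for over a list of hosts and return the findings."""
    nats, pools = parse_config(config_text)
    return [translation_for(nats, pools, iface, h) for h in hosts]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "DMZ", ["192.168.1.3", "192.168.1.4"]):
        print(finding)
```

Run against the sample, the script shows 192.168.1.3 going out as 192.168.10.1 while 192.168.1.4 still leaves untranslated, which is exactly the situation the question is asking about: the nat 0 line does not need to be removed for the new statement to work, but every other DMZ host keeps its real address unless a further nat statement or an access-list on the DMZ interface restricts it.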

Thanks for your help. I wasn't sure whether tag 0 has precedence over tag 1. If so, none would be translated, so

nat (DMZ) 1 192.168.5.1 255.255.255.255 0 0

will have no effect. I can't find any docs that say 0 will be executed before 1.