Need help on PAT and NAT Issue

s-beavers (Level 1)

I am still trying to have this PAT translation and NAT issue resolved.

Here is what I have done:

                          |------------> DMZ1 (security90)
                          |              (172.16.28.0 255.255.255.0)
                          |
INSIDE (security100) -----|
(172.16.0.0 255.255.248.0)|
                          |
                          |------------> DMZ2 (security85)
                                         (172.16.32.0 255.255.248.0)

access-list dmz-2-inside permit ip 172.16.28.0 255.255.255.0 172.16.0.0 255.255.248.0
static (inside,dmz) 172.16.28.0 access-list dmz-2-inside
access-list outside-2-inside permit ip 172.16.32.0 255.255.248.0 172.16.0.0 255.255.248.0
static (inside,dmz2) 172.16.32.0 access-list outside-2-inside
nat (inside) 1 access-list nonat-inside-dmz 0 0
nat (inside) 2 access-list nonat-inside-outside 0 0
nat (dmz) 0 172.16.28.0 255.255.255.0 outside 0 0
nat (dmz2) 0 172.16.32.0 255.255.248.0 outside 0 0
global (dmz) 1 interface
global (dmz2) 2 interface
access-list nonat-inside-dmz line 1 permit ip 172.16.0.0 255.255.248.0 172.16.28.0 255.255.255.0
access-list nonat-inside-outside line 1 permit ip 172.16.0.0 255.255.248.0 172.16.32.0 255.255.248.0

I need to accomplish the following:

- traffic sourced from 172.16.0.0/21 destined to 172.16.28.0/24 needs to be PAT to the IP address of the DMZ1 interface.
- traffic sourced from 172.16.0.0/21 destined to 172.16.32.0/21 needs to be PAT to the IP address of the DMZ2 interface.
- traffic sourced from 172.16.28.0/24 destined to 172.16.0.0/21 needs to be translated as itself (identity translated).
- traffic sourced from 172.16.32.0/21 destined to 172.16.0.0/21 needs to be translated as itself (identity translated).

I am confused about how the static and nat statements work. If static works both ways, then a policy static should achieve the one-way difference required? Thanks.

1 Reply

didyap (Level 6)

Do not use NAT 0 with static, because NAT 0 will overrule static and static will not work properly. If you try to implement both NAT 0 and static, you will certainly face issues with internal hosts communicating with the DMZ. Instead of using NAT 0 along with static, I would recommend using static NAT (self-translation for each host) for the hosts whose addresses you do not want translated when they reach the DMZ.
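One way to follow this advice in pre-8.3 PIX/ASA syntax, as an added example that is not part of the original thread (it is neither the poster's configuration nor the replier's): the two nat 0 lines are dropped, the two DMZ networks get identity statics (real address equals mapped address) toward inside, and the inside-to-DMZ policy PAT is kept. It assumes the interface names dmz and dmz2 from the posted config; the access-list names inside-to-dmz1, inside-to-dmz2, dmz_in and dmz2_in are names chosen here, and the permit ip entries are an assumption that the DMZ hosts may initiate any IP traffic toward inside, as the poster's own ACLs allow.

```cisco
! Inside -> DMZ1 and Inside -> DMZ2: policy PAT to the DMZ interface address.
! Static translations are evaluated before policy dynamic NAT, so no static may
! cover the inside network on dmz/dmz2, or it would win and defeat the PAT.
access-list inside-to-dmz1 permit ip 172.16.0.0 255.255.248.0 172.16.28.0 255.255.255.0
access-list inside-to-dmz2 permit ip 172.16.0.0 255.255.248.0 172.16.32.0 255.255.248.0
nat (inside) 1 access-list inside-to-dmz1
nat (inside) 2 access-list inside-to-dmz2
global (dmz) 1 interface
global (dmz2) 2 interface

! DMZ1 -> Inside and DMZ2 -> Inside: identity statics replacing the
! "nat (dmz) 0 ..." and "nat (dmz2) 0 ..." lines. Mapped and real addresses
! are the same, so each DMZ host appears on inside as itself.
static (dmz,inside) 172.16.28.0 172.16.28.0 netmask 255.255.255.0
static (dmz2,inside) 172.16.32.0 172.16.32.0 netmask 255.255.248.0

! Traffic initiated from a lower-security interface must also be permitted by
! an access-list applied inbound on that interface. Names assumed here; narrow
! "permit ip" to the required ports in production.
access-list dmz_in permit ip 172.16.28.0 255.255.255.0 172.16.0.0 255.255.248.0
access-group dmz_in in interface dmz
access-list dmz2_in permit ip 172.16.32.0 255.255.248.0 172.16.0.0 255.255.248.0
access-group dmz2_in in interface dmz2
```

Whether the DMZ hosts can open connections to inside without any static for the inside hosts on the dmz side depends on NAT control. With NAT control enabled (the behaviour PIX 6.x always has), a connection from a lower-security interface to an inside host needs a translation for that inside host, and an identity static (inside,dmz) for 172.16.0.0/21 would then take precedence over the policy PAT and defeat requirement 1. On 7.x and later NAT control is disabled by default (no nat-control), so the identity statics above are enough. After applying the change, check with show xlate that an inside-initiated connection shows the DMZ interface address as the mapped source and that a DMZ-initiated connection shows the DMZ host address unchanged.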