04-27-2005 06:22 AM - edited 03-09-2019 11:04 AM
I am still trying to have this PAT translation and NAT issue resolved.
Here is what I have done:
                          |------------> DMZ1 (security90)
                          |              (172.16.28.0 255.255.255.0)
                          |
INSIDE (security100) -----|
(172.16.0.0 255.255.248.0)|
                          |
                          |------------> DMZ2 (security85)
                                         (172.16.32.0 255.255.248.0)
access-list dmz-2-inside permit ip 172.16.28.0 255.255.255.0 172.16.0.0 255.255.248.0
static (inside,dmz) 172.16.28.0 access-list dmz-2-inside
access-list outside-2-inside permit ip 172.16.32.0 255.255.248.0 172.16.0.0 255.255.248.0
static (inside,dmz2) 172.16.32.0 access-list outside-2-inside
nat (inside) 1 access-list nonat-inside-dmz 0 0
nat (inside) 2 access-list nonat-inside-outside 0 0
nat (dmz) 0 172.16.28.0 255.255.255.0 outside 0 0
nat (dmz2) 0 172.16.32.0 255.255.248.0 outside 0 0
global (dmz) 1 interface
global (dmz2) 2 interface
access-list nonat-inside-dmz line 1 permit ip 172.16.0.0 255.255.248.0 172.16.28.0 255.255.255.0
access-list nonat-inside-outside line 1 permit ip 172.16.0.0 255.255.248.0 172.16.32.0 255.255.248.0
I need to accomplish the following:
- traffic sourced from the 172.16.0.0/21 destined to the 172.16.28.0/24 needs to be PAT to the IP address of the DMZ1 interface.
- traffic sourced from the 172.16.0.0/21 destined to the 172.16.32.0/21 needs to be PAT to the IP address of the DMZ2 interface.
- traffic sourced from the 172.16.28.0/24 destined to the 172.16.0.0/21 needs to be translated as itself (identity translated).
- traffic sourced from the 172.16.32.0/21 destined to the 172.16.0.0/21 needs to be translated as itself (identity translated).
I am confused about how the static and nat statements work. If static works both ways, then should a policy static achieve the one-way difference required? Thanks.
05-03-2005 01:26 PM
Do not use NAT 0 with static, because NAT 0 will overrule static and static will not work properly. If you try to implement both NAT 0 and static, then you will certainly face issues with internal hosts communicating to the DMZ. Instead of using NAT 0 along with static, what I would recommend is to use static NAT (self-translation for each host) for the hosts whose address you don't want translated when it reaches the DMZ.
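As an added illustration (not from the original thread), here is a small Python model of the precedence Cisco documents for PIX 6.3 / ASA 7.x translation rules, applied to the posted inside-to-DMZ1 rules plus two constructed variants: it shows why an identity static for the inside network beats the policy PAT in both directions, and why a nat 0 access-list beats both, which is the interaction the reply warns about. The rule ordering, the sample host addresses and the two variant rules are assumptions made for the illustration.

```python
import ipaddress

# Documented PIX 6.3 / ASA 7.x precedence when matching the real source address of
# a connection started from the higher-security interface (assumed here):
#   1. nat 0 access-list (NAT exemption)        2. static and policy static
#   3. policy dynamic nat (nat id access-list)  4. regular nat/global
PRECEDENCE = {"nat0-acl": 1, "static": 2, "policy-nat": 3, "nat": 4}


def rule(kind, real_if, mapped_if, src, dst, result):
    """One translation rule. src/dst are the real-address networks it matches
    (dst None = any destination); result says what happens to the source."""
    return {"kind": kind, "real_if": real_if, "mapped_if": mapped_if,
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False) if dst else None,
            "result": result}


def lookup(rules, ingress, egress, src_ip, dst_ip):
    """Return the result of the winning rule for a flow, or 'no translation'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [r for r in rules
            if r["real_if"] == ingress and r["mapped_if"] == egress
            and src in r["src"] and (r["dst"] is None or dst in r["dst"])]
    if not hits:
        return "no translation"
    # Lowest precedence number wins; min() keeps configured order within a tier.
    return min(hits, key=lambda r: PRECEDENCE[r["kind"]])["result"]


# The posted configuration reduced to the inside -> DMZ1 rules. Note the policy
# static's ACL names 172.16.28.0/24 as the *real* source, so no inside host matches it.
POSTED = [
    rule("static", "inside", "dmz", "172.16.28.0/24", "172.16.0.0/21", "policy static"),
    rule("policy-nat", "inside", "dmz", "172.16.0.0/21", "172.16.28.0/24", "PAT to dmz interface"),
]
# Constructed variant: identity static for the inside network so DMZ1 hosts can
# reach inside hosts unchanged. Being a static, it also wins for inside-initiated flows.
WITH_IDENTITY_STATIC = POSTED + [
    rule("static", "inside", "dmz", "172.16.0.0/21", None, "identity static, not PATed"),
]
# Constructed variant: NAT exemption on inside as well, the mix the reply warns about.
WITH_NAT0_ACL = WITH_IDENTITY_STATIC + [
    rule("nat0-acl", "inside", "dmz", "172.16.0.0/21", "172.16.28.0/24", "nat 0 exemption"),
]

# Constructed sample flow: an inside host opening a connection to a DMZ1 host.
FLOW = ("inside", "dmz", "172.16.1.10", "172.16.28.20")
```

Run lookup(POSTED, *FLOW), lookup(WITH_IDENTITY_STATIC, *FLOW) and lookup(WITH_NAT0_ACL, *FLOW) to see the winning rule change from the PAT to the identity static to the exemption.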