
NAT to outside, no NAT to inside (from DMZ)

Status
Not open for further replies.

peter2002
Technical User
Feb 7, 2002
Hi

I'm having a WAN router in my DMZ which connects my subsidiaries to the headquarters. What I want is that everyone who is coming over this corporate router has access to the Internet (via the PIX outside interface), so the packets are NATed. On the other hand, if someone from the DMZ (WAN) wants access to the inside network, the packets should just be routed (no NAT). How can I configure this? Can I configure NAT and no NAT on the same interface (DMZ), depending on the interface the packet is going out?

Thank you very much for your help.
Peter
 
Hi Peter,

This can be set up, you need to use the NAT(0) command with an access list. The list specifies the source and destination IP addresses or subnets, the NAT (0) statement turns off NAT for the addresses specified in the list.

You also need to set up appropriate route statements, but you probably knew that anyway.

 
Hey there,

Actually, when a higher security level (dmz) goes to a lower security level (outside) you need a translation. In your case, for the remote end to access the Internet all you need is a nat/global rule, i.e.:

nat (dmz) 1 <subnet> <mask>
global (outside) 1 interface

When a lower security level (dmz) needs to access a higher security level (inside) you need a static translation for the internal server and an access list. Say, for example, you have an FTP server on the inside with IP address 10.1.1.1.

You need a static translation for this server to the dmz:

static (inside, dmz) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

and you will also need an access list applied to the dmz permitting the FTP traffic to the 10.1.1.1 server.
 
Hi.

As mentioned in previous replies, you can either use static:

static (inside,dmz) ...

Or use nat 0 access-list, but this should be applied to the inside interface, not to the dmz:

nat (inside) 0 access-list ...

If DMZ hosts need access to only a few specific hosts on the inside, better use static for those hosts. If you want DMZ hosts to be able to reach all internal hosts, better use nat 0.
In any case, you will need to carefully configure the access-list on the DMZ interface.

Bye
Yizhar Hurwitz
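Putting the three replies together as one PIX 6.x configuration, as an added example that is not from any of the posters. The addressing (inside 10.1.1.0/24, DMZ 192.168.1.0/24, remote WAN sites 10.2.0.0/16, WAN router at 192.168.1.2), the router placeholder and the access-list names are assumptions; the `!` lines are annotations for the reader.

```cisco
! Assumed addressing (constructed for this example):
!   inside 10.1.1.0/24 (FTP server 10.1.1.1), DMZ 192.168.1.0/24,
!   remote WAN sites 10.2.0.0/16 reached via the WAN router 192.168.1.2 on the DMZ

! Routes: remote sites live behind the DMZ router, everything else goes outside
route dmz 10.2.0.0 255.255.0.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 <outside-router-ip> 1

! 1) DMZ/WAN -> outside: remote sites are PATed behind the outside interface
nat (dmz) 1 10.2.0.0 255.255.0.0
global (outside) 1 interface

! 2a) DMZ/WAN -> inside, option A: expose only the FTP server, address unchanged
static (inside,dmz) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

! 2b) Option B instead of 2a: no translation for any inside host talking to
!     the WAN sites. Note it is configured on the inside interface, not the dmz.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! 3) The dmz ACL decides what lower-security traffic may reach the inside:
!    FTP to the server only, nothing else to the inside, Internet for the rest
access-list dmz_in permit tcp 10.2.0.0 255.255.0.0 host 10.1.1.1 eq ftp
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0
access-list dmz_in permit ip 10.2.0.0 255.255.0.0 any
access-group dmz_in in interface dmz
```

With option B, widen the `dmz_in` permits to whichever inside hosts and ports the sites actually need; the explicit deny before the final permit is what keeps the Internet rule from also opening the inside network.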
 