Need help changing my static command maybe using a different nat?

Status
Not open for further replies.

ForumKid1

IS-IT--Management
Dec 2, 2008
10
US
I have a ton of these static commands, one for each inside host. I just can't figure out how to give all inside users 192.168.1.x access to the dmz 192.168.2.x

My statics
static (inside,dmz) 192.168.1.24 192.168.1.24 netmask 255.255.255.255
static (inside,dmz) 192.168.1.14 192.168.1.14 netmask 255.255.255.255
static (inside,dmz) 192.168.1.3 192.168.1.3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.4 192.168.1.4 netmask 255.255.255.255
static (inside,dmz) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
static (inside,dmz) 192.168.1.6 192.168.1.6 netmask 255.255.255.255
static (inside,dmz) 192.168.1.7 192.168.1.7 netmask 255.255.255.255
static (inside,dmz) 192.168.1.8 192.168.1.8 netmask 255.255.255.255
static (inside,dmz) 192.168.1.9 192.168.1.9 netmask 255.255.255.255
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
static (inside,dmz) 192.168.1.11 192.168.1.11 netmask 255.255.255.255
static (inside,dmz) 192.168.1.12 192.168.1.12 netmask 255.255.255.255
static (inside,dmz) 192.168.1.13 192.168.1.13 netmask 255.255.255.255
static (inside,dmz) 192.168.1.15 192.168.1.15 netmask 255.255.255.255
static (inside,dmz) 192.168.1.16 192.168.1.16 netmask 255.255.255.255
static (inside,dmz) 192.168.1.17 192.168.1.17 netmask 255.255.255.255
static (inside,dmz) 192.168.1.18 192.168.1.18 netmask 255.255.255.255
static (inside,dmz) 192.168.1.19 192.168.1.19 netmask 255.255.255.255

My current global and nat statements
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.2.0 255.255.255.0

I tried various global and nat statements, but without all those statics, I was unable to give all inside users the appropriate access to the dmz server.

Any suggestions are much appreciated.
 
You can do it two ways: static identity NAT and NAT exemption. You have identity NAT configured, but I would shorten it to be like this:
Code:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
NAT exemption would be like this:
Code:
access-list inside_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list dmz_NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_NONAT
nat (dmz) 0 access-list dmz_NONAT

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
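
Added example (not part of the original posts or any Cisco tooling): a Python check that plans the move from per-host identity statics to the single subnet static suggested above. It only marks a line for removal when it really is a host identity static (mapped address equals real address, /32 mask) inside the subnet, and returns everything else for manual review. The function name `plan_consolidation` and the sample lines are constructed for illustration; it assumes the pre-8.3 `static` syntax shown in this thread with literal IP addresses.

```python
import ipaddress
import re

# Pre-8.3 PIX/ASA syntax as posted in the thread:
#   static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")


def plan_consolidation(config_lines, real_if, mapped_if, subnet):
    """Return (commands, kept): the commands that swap covered per-host
    identity statics for one subnet static, and the statics left alone."""
    net = ipaddress.ip_network(subnet)
    covered, kept = [], []
    for line in config_lines:
        line = line.strip()
        m = STATIC_RE.match(line)
        if not m:
            continue  # not a static statement
        r_if, m_if, mapped, real, mask = m.groups()
        if (r_if, m_if) != (real_if, mapped_if):
            continue  # different interface pair, out of scope
        is_identity_host = mapped == real and mask == "255.255.255.255"
        if is_identity_host and ipaddress.ip_address(real) in net:
            covered.append(line)
        else:
            # A real translation or a host outside the subnet:
            # do not remove automatically, review by hand.
            kept.append(line)
    commands = ["no " + entry for entry in covered]
    commands.append(
        f"static ({real_if},{mapped_if}) {net.network_address} "
        f"{net.network_address} netmask {net.netmask}"
    )
    return commands, kept


# Constructed sample: two identity statics, one real translation,
# one identity static outside 192.168.1.0/24, one unrelated line.
SAMPLE = """\
static (inside,dmz) 192.168.1.24 192.168.1.24 netmask 255.255.255.255
static (inside,dmz) 192.168.1.3 192.168.1.3 netmask 255.255.255.255
static (inside,dmz) 192.168.2.50 192.168.1.50 netmask 255.255.255.255
static (inside,dmz) 192.168.5.9 192.168.5.9 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
""".splitlines()

if __name__ == "__main__":
    commands, kept = plan_consolidation(SAMPLE, "inside", "dmz", "192.168.1.0/24")
    print("\n".join(commands))
    print("! left in place, review manually:")
    print("\n".join(kept))
```
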
 
Check out the email server configuration example from Cisco. It doesn't NAT inside to DMZ traffic - it uses the actual IP.


Otherwise, the default way of doing this WILL NAT traffic from inside->dmz, and dmz->inside is blocked unless static NATs are configured.

Depends on which way you want it. I prefer the latter. Again... support site has FREE example configurations for just about everything.
:))
 