Need help changing my static command maybe using a different nat?

[ForumKid1]

I have a ton of these static commands. One for each inside host. I just cant figure out how to give all inside users 192.168.1.x access to the dmz 192.168.2.x

My statics
static (inside,dmz) 192.168.1.24 192.168.1.24 netmask 255.255.255.255
static (inside,dmz) 192.168.1.14 192.168.1.14 netmask 255.255.255.255
static (inside,dmz) 192.168.1.3 192.168.1.3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.4 192.168.1.4 netmask 255.255.255.255
static (inside,dmz) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
static (inside,dmz) 192.168.1.6 192.168.1.6 netmask 255.255.255.255
static (inside,dmz) 192.168.1.7 192.168.1.7 netmask 255.255.255.255
static (inside,dmz) 192.168.1.8 192.168.1.8 netmask 255.255.255.255
static (inside,dmz) 192.168.1.9 192.168.1.9 netmask 255.255.255.255
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
static (inside,dmz) 192.168.1.11 192.168.1.11 netmask 255.255.255.255
static (inside,dmz) 192.168.1.12 192.168.1.12 netmask 255.255.255.255
static (inside,dmz) 192.168.1.13 192.168.1.13 netmask 255.255.255.255
static (inside,dmz) 192.168.1.15 192.168.1.15 netmask 255.255.255.255
static (inside,dmz) 192.168.1.16 192.168.1.16 netmask 255.255.255.255
static (inside,dmz) 192.168.1.17 192.168.1.17 netmask 255.255.255.255
static (inside,dmz) 192.168.1.18 192.168.1.18 netmask 255.255.255.255
static (inside,dmz) 192.168.1.19 192.168.1.19 netmask 255.255.255.255

My current global and nat statements
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.2.0 255.255.255.0

I tried various global and nat statements, but without all those statics, I was unable to give all inside users the appropriate access to the dmz server.

Any suggestions are much appreciated.

 

[unclerico]

you can do it two ways; static identity NAT and NAT exemption. You have identity NAT configured, but I would shorten it to be like this:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

NAT exemption would be like this:

access-list inside_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list dmz_NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_NONAT
nat (dmz) 0 access-list dmz_NONAT

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[kbing]

Check out the email server configuration example from Cisco. It doesn't NAT inside to DMZ traffic - it uses the actual IP.

http://www.cisco.com/en/US/products...s_configuration_example09186a00800941c8.shtml

Otherwise the default way of doing this WILL nat traffic from inside->dmz and dmz->inside is blocked unless static NAT's are configured.

Depends on which way you want it. I prefer the latter. Again...

http://www.cisco.com

support site has FREE example configurations for just about everything.
)