
nat 0 for dmz to inside 1


stooo (Technical User), Nov 19, 2002
I've got a pix with a 10.10.10.0/24 network on the dmz interface, and 192.168.1.0/24 on the inside.

Can someone explain to me how to use nat 0 to allow the dmz to talk to the inside? It's been doing my head in for hours!

Cheers
 
I would create an access-list that specifies traffic from the DMZ to the LAN and then apply nat 0 to that acl. You will also need to create security rules to allow the DMZ to talk to a higher security level interface.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
I agree about the ACL for the nat.

but as far as the DMZ, you wouldn't require any security rules unless the DMZ was initiating the connection, correct?

Computer/Network Technician
CCNA
 
The OP stated, "to allow the dmz to talk to the inside", so yes, to allow the DMZ to talk to the inside, security rules need to be created. The inside will be able to connect to the DMZ without any rules.

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
 
To accomplish what you ask stooo, you first need to disable the NAT between the networks:

access-list NoNat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NoNat

Then you have to specify what type of communication you want to be initiated from the DMZ to your internal network:

access-list dmz permit [specify protocol] 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 (or you can specify using eq statements)


Hope this helps.

Cheers
/T
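
Putting the two steps above together, here is a PIX 6.3-style configuration fragment for the thread's addressing (192.168.1.0/24 inside, 10.10.10.0/24 dmz). This is an added example, not something posted in the thread: the interface addresses, the security levels, the inside host 192.168.1.10 and its port, and the ACL names dmz_in/NoNat are assumptions made for illustration. It also shows the identity static that a later reply mentions as the fallback on releases that lack nat 0 access-list.

```cisco
! Added example (not from the thread). Interface addresses, security levels,
! the inside host 192.168.1.10 (port 1433) and the ACL names are assumed.

! Interface names and security levels: inside is 100, dmz is lower (50)
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0

! Step 1: NAT exemption between the two networks. Traffic that matches the
! ACL keeps its real addresses in both directions, so a DMZ host can reach
! an inside host by its 192.168.1.x address once the interface ACL permits it.
access-list NoNat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NoNat

! Step 2: dmz (50) is lower than inside (100), so sessions started from the
! DMZ are dropped until an ACL bound to the dmz interface allows them.
! Permit only what is needed: here the DMZ hosts to one inside host's SQL port.
access-list dmz_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 1433
! Explicitly deny everything else headed for the inside network ...
access-list dmz_in deny ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
! ... then permit the rest. Binding an ACL to the dmz interface replaces the
! old "allow everything to lower security" behaviour with an implicit deny,
! so without this line the DMZ would lose its outbound access as well.
access-list dmz_in permit ip 10.10.10.0 255.255.255.0 any
access-group dmz_in in interface dmz

! Fallback for releases that do not support nat 0 with an access-list:
! an identity static for the inside network as seen from the dmz.
! static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Verification: hit counts on the dmz_in entries confirm which line a
! DMZ-to-inside attempt is matching.
! show access-list dmz_in
```

Order matters: the PIX evaluates an access-list top down and stops at the first match, so the specific permit must come before the blanket deny for the inside network, and that deny before the final permit to any.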
 
hi all

Just take care to have a version higher than 6.xx (I think 6.3.1 is OK); older ones cannot do "no nat" like that, and you are obliged to work with the static instruction.

frederic
 
Just one more point of interest. When you use "nat (inside) 0", you are not actually disabling NAT at all. The packet is NATed, just with the exact same address. The Pix will not pass any packets that do not have a translation slot as NAT is the basis for the operation of the Pix.

Chris

**********************
Chris A.C, CCNA, CCSA
**********************
 
Interesting, ChrisAC. Your info is noted. Thank you :)

A firm believer in the "Keep it Simple" philosophy
Cheers
/T
 