basic nonat question pix
just wondering:
here's my interfaces:
dmz: 10.10.0.1/16
inside:192.168.1.1/24
sh nat
nat (dmz) 0 access-list no-nat
nat (inside) 0 access-list no-nat
one subnet on the dmz interface has access to inside lan, and vice versa
do I need a nonat statement in both directions?
e.g:
access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
cheers,
m
mak | 9/6/2006 8:37:05 AM
In article <edm1bh$cqm$1@etel.at>, mak <mak@nospam.com> wrote:
>here's my interfaces:
>dmz: 10.10.0.1/16
>inside:192.168.1.1/24
>sh nat
>nat (dmz) 0 access-list no-nat
>nat (inside) 0 access-list no-nat
>one subnet on the dmz interface has access to inside lan, and vice versa
>do I need a nonat statement in both directions?
>e.g:
>access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
>access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
No, all you need is
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
nat (inside) 0 access-list no-nat
In particular you do not need nat (dmz) 0 access-list no-nat .
Please recheck your no-nat ACL. You have specified your dmz as being
10.10.0.0/16 but your ACL is for 10.10.15.0/24 .
roberson | 9/6/2006 12:57:18 PM
Walter Roberson wrote:
> In article <edm1bh$cqm$1@etel.at>, mak <mak@nospam.com> wrote:
>> here's my interfaces:
>
>> dmz: 10.10.0.1/16
>> inside:192.168.1.1/24
>
>> sh nat
>> nat (dmz) 0 access-list no-nat
>> nat (inside) 0 access-list no-nat
>
>> one subnet on the dmz interface has access to inside lan, and vice versa
>
>> do I need a nonat statement in both directions?
>> e.g:
>> access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>
> No, all you need is
>
> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
> nat (inside) 0 access-list no-nat
ok, but why don't I need it?
has it to do with interface security levels?
> In particular you do not need nat (dmz) 0 access-list no-nat .
>
> Please recheck your no-nat ACL. You have specified your dmz as being
> 10.10.0.0/16 but your ACL is for 10.10.15.0/24 .
actually, this is on purpose, only 10.10.15.0/24 is not supposed to be nat'ed while coming to dmz,
the rest is not allowed into dmz anyway.
mak | 9/6/2006 1:27:33 PM
In article <edmic6$int$1@etel.at>, mak <mak@nospam.com> wrote:
>Walter Roberson wrote:
>> In article <edm1bh$cqm$1@etel.at>, mak <mak@nospam.com> wrote:
>>> do I need a nonat statement in both directions?
>>> access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
>>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>> No, all you need is
>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>> nat (inside) 0 access-list no-nat
>ok, but why don't I need it?
>has it to do with interface security levels?
The reversal is automatic: when you apply the no-nat ACL against the
inside interface, it adds a table entry with that source (192.168.1.0/24)
to the inside interface, and it adds table entries with that
destination (10.10.15.0/24) to each of the lower security interfaces
(or is it to all the other interfaces? I'd have to think about that.)
roberson | 9/6/2006 1:35:54 PM
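A small model of the behaviour described in the reply above, added here as an example and not code from the thread or from Cisco: it parses the thread's own no-nat ACE, evaluates a flow in the forward direction (entering the interface the nat 0 is applied to) and in the reverse direction (entering another interface, with source and destination swapped), and reports which part of an interface subnet the ACE leaves un-exempted, the 10.10.0.0/16 versus 10.10.15.0/24 point raised earlier. The host addresses and the "any other interface" rule for the reverse direction are assumptions, since the reply leaves open whether only lower-security interfaces get the reversed entry.

```python
import ipaddress

# Added example (not from the thread or Cisco): a minimal model of how
# "nat (inside) 0 access-list no-nat" exempts traffic in both directions.
# Only "permit ip SRC SMASK DST DMASK" entries are modelled.

NO_NAT_ACL = [  # the single ACE the reply says is sufficient
    "access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0",
]

def parse_acl(lines):
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK' into (name, src_net, dst_net)."""
    entries = []
    for line in lines:
        f = line.split()
        if len(f) != 8 or f[0] != "access-list" or f[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACE: {line}")
        entries.append((f[1],
                        ipaddress.ip_network(f"{f[4]}/{f[5]}"),
                        ipaddress.ip_network(f"{f[6]}/{f[7]}")))
    return entries

def is_nat_exempt(nat0_iface, entries, ingress_iface, src_ip, dst_ip):
    """True if the packet bypasses NAT under 'nat (<nat0_iface>) 0 access-list ...'.
    Forward: arrives on nat0_iface and matches an ACE as written.
    Reverse: arrives on another interface (assumption: any other) and matches
    the ACE with src/dst swapped, the automatic reversal the reply describes."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _, acl_src, acl_dst in entries:
        if ingress_iface == nat0_iface and s in acl_src and d in acl_dst:
            return True
        if ingress_iface != nat0_iface and s in acl_dst and d in acl_src:
            return True
    return False

def not_exempted(iface_net, entries):
    """Parts of an interface subnet that no ACE destination covers (the /16 vs /24 check)."""
    remaining = [ipaddress.ip_network(iface_net, strict=False)]
    for _, _, acl_dst in entries:
        remaining = [r for net in remaining
                     for r in (net.address_exclude(acl_dst) if acl_dst.subnet_of(net) else [net])]
    return remaining

if __name__ == "__main__":
    acl = parse_acl(NO_NAT_ACL)
    print(is_nat_exempt("inside", acl, "inside", "192.168.1.10", "10.10.15.20"))  # True
    print(is_nat_exempt("inside", acl, "dmz", "10.10.15.20", "192.168.1.10"))     # True
    print(is_nat_exempt("inside", acl, "dmz", "10.10.16.20", "192.168.1.10"))     # False
    print([str(n) for n in not_exempted("10.10.0.1/16", acl)])
```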
Walter Roberson wrote:
> In article <edmic6$int$1@etel.at>, mak <mak@nospam.com> wrote:
>> Walter Roberson wrote:
>>> In article <edm1bh$cqm$1@etel.at>, mak <mak@nospam.com> wrote:
>
>>>> do I need a nonat statement in both directions?
>>>> access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
>>>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>
>>> No, all you need is
>
>>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>>> nat (inside) 0 access-list no-nat
>
>> ok, but why don't I need it?
>> has it to do with interface security levels?
>
> The reversal is automatic: when you apply the no-nat ACL against the
> inside interface, it adds a table entry with that source (192.168.1.0/24)
> to the inside interface, and it adds table entries with that
> destination (10.10.15.0/24) to each of the lower security interfaces
> (or is it to all the other interfaces? I'd have to think about that.)
that's what I suspected.
weird, since traffic is coming the other way and access-lists always apply to incoming traffic
I guess no-nat is different.
....anyway
thanks again for your excellent explanation,
m
mak | 9/6/2006 1:51:06 PM
In article <edmjob$jbc$1@etel.at>, mak <mak@nospam.com> wrote:
>Walter Roberson wrote:
>> The reversal is automatic: when you apply the no-nat ACL against the
>> inside interface, it adds a table entry with that source (192.168.1.0/24)
>> to the inside interface, and it adds table entries with that
>> destination (10.10.15.0/24) to each of the lower security interfaces
>> (or is it to all the other interfaces? I'd have to think about that.)
>that's what I suspected.
>weird, since traffic is coming the other way and access-lists always
>apply to incoming traffic
>I guess no-nat is different.
Recall that access-lists used in crypto map match address are also
automatically reversed for incoming traffic. So too access-lists used
for split tunneling.
roberson | 9/6/2006 3:32:01 PM