«

just wondering:

here's my interfaces:

dmz: 10.10.0.1/16
inside:192.168.1.1/24

sh nat
nat (dmz) 0 access-list no-nat
nat (inside) 0 access-list no-nat

one subnet on the dmz interface has access to inside lan, and vice versa

do I need a nonat statement in both directions?
e.g:
access-list no-nat permit ip 10.10.15.0 5 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0


cheers,
m

In article <edm1bh$cqm$>, mak <> wrote:
>here's my interfaces:

>dmz: 10.10.0.1/16
>inside:192.168.1.1/24

>sh nat
>nat (dmz) 0 access-list no-nat
>nat (inside) 0 access-list no-nat

>one subnet on the dmz interface has access to inside lan, and vice versa

>do I need a nonat statement in both directions?
>e.g:
>access-list no-nat permit ip 10.10.15.0 5 255.255.255.0 192.168.1.0 255.255.255.0
>access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0

No, all you need is

access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
nat (inside) 0 access-list no-nat

In particular you do not need nat (dmz) 0 access-list no-nat .

Please recheck your no-nat ACL. You have specified your dmz as being
10.10.0.0/16 but your ACL is for 10.10.15.0/24 .

Walter Roberson wrote:
> In article <edm1bh$cqm$>, mak <> wrote:
>> here's my interfaces:
>
>> dmz: 10.10.0.1/16
>> inside:192.168.1.1/24
>
>> sh nat
>> nat (dmz) 0 access-list no-nat
>> nat (inside) 0 access-list no-nat
>
>> one subnet on the dmz interface has access to inside lan, and vice versa
>
>> do I need a nonat statement in both directions?
>> e.g:
>> access-list no-nat permit ip 10.10.15.0 5 255.255.255.0 192.168.1.0 255.255.255.0
>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>
> No, all you need is
>
> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
> nat (inside) 0 access-list no-nat
ok, but why don't I need it?
has it to do with interface security levels?

> In particular you do not need nat (dmz) 0 access-list no-nat .
>
> Please recheck your no-nat ACL. You have specified your dmz as being
> 10.10.0.0/16 but your ACL is for 10.10.15.0/24 .

actually, this is on purpose, only 10.10.15.0/24 is not supposed to be nat'ed while coming to dmz,
the rest is not allowed into dmz anyway.

In article <edmic6$int$>, mak <> wrote:
>Walter Roberson wrote:
>> In article <edm1bh$cqm$>, mak <> wrote:

>>> do I need a nonat statement in both directions?
>>> access-list no-nat permit ip 10.10.15.0 5 255.255.255.0 192.168.1.0 255.255.255.0
>>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0

>> No, all you need is

>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>> nat (inside) 0 access-list no-nat

>ok, but why don't I need it?
>has it to do with interface security levels?

The reversal is automatic: when you apply the no-nat ACL against the
inside interface, it adds a table entry with that source (192.168.1.0/24)
to the inside interface, and it adds table entries with that
destination (10.10.15.0/24) to each of the lower security interfaces
(or is it to all the other interfaces? I'd have to think about that.)

Walter Roberson wrote:
> In article <edmic6$int$>, mak <> wrote:
>> Walter Roberson wrote:
>>> In article <edm1bh$cqm$>, mak <> wrote:
>
>>>> do I need a nonat statement in both directions?
>>>> access-list no-nat permit ip 10.10.15.0 5 255.255.255.0 192.168.1.0 255.255.255.0
>>>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>
>>> No, all you need is
>
>>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>>> nat (inside) 0 access-list no-nat
>
>> ok, but why don't I need it?
>> has it to do with interface security levels?
>
> The reversal is automatic: when you apply the no-nat ACL against the
> inside interface, it adds a table entry with that source (192.168.1.0/24)
> to the inside interface, and it adds table entries with that
> destination (10.10.15.0/24) to each of the lower security interfaces
> (or is it to all the other interfaces? I'd have to think about that.)

that's what I suspected.
weird, since traffic is coming the other way and access-lists always apply to incoming traffic
i guess no-nat is different.

....anyway

thanks again for your excellent explanation,

m

In article <edmjob$jbc$>, mak <> wrote:
>Walter Roberson wrote:

>> The reversal is automatic: when you apply the no-nat ACL against the
>> inside interface, it adds a table entry with that source (192.168.1.0/24)
>> to the inside interface, and it adds table entries with that
>> destination (10.10.15.0/24) to each of the lower security interfaces
>> (or is it to all the other interfaces? I'd have to think about that.)

>that's what I suspected.
>weird, since traffic is coming the other way and access-lists always
>apply to incoming traffic
>i guess no-nat is different.

Recall that access-lists used in crypto map match address are also
automatically reversed for incoming traffic. So too access-lists used
for split tunneling.