basic nonat question pix

 
 
mak
09-06-2006
just wondering:

here's my interfaces:

dmz: 10.10.0.1/16
inside:192.168.1.1/24

sh nat
nat (dmz) 0 access-list no-nat
nat (inside) 0 access-list no-nat

one subnet on the dmz interface has access to inside lan, and vice versa

do I need a nonat statement in both directions?
e.g:
access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0


cheers,
m
 
Walter Roberson
09-06-2006
In article <edm1bh$cqm$(E-Mail Removed)>, mak <(E-Mail Removed)> wrote:
>here's my interfaces:
>
>dmz: 10.10.0.1/16
>inside:192.168.1.1/24
>
>sh nat
>nat (dmz) 0 access-list no-nat
>nat (inside) 0 access-list no-nat
>
>one subnet on the dmz interface has access to inside lan, and vice versa
>
>do I need a nonat statement in both directions?
>e.g:
>access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
>access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0

No, all you need is

access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
nat (inside) 0 access-list no-nat

In particular you do not need nat (dmz) 0 access-list no-nat .

Please recheck your no-nat ACL. You have specified your dmz as being
10.10.0.0/16 but your ACL is for 10.10.15.0/24 .
 
mak
09-06-2006
Walter Roberson wrote:
> In article <edm1bh$cqm$(E-Mail Removed)>, mak <(E-Mail Removed)> wrote:
>> here's my interfaces:
>>
>> dmz: 10.10.0.1/16
>> inside:192.168.1.1/24
>>
>> sh nat
>> nat (dmz) 0 access-list no-nat
>> nat (inside) 0 access-list no-nat
>>
>> one subnet on the dmz interface has access to inside lan, and vice versa
>>
>> do I need a nonat statement in both directions?
>> e.g:
>> access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>
> No, all you need is
>
> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
> nat (inside) 0 access-list no-nat

ok, but why don't I need it?
does it have to do with interface security levels?

> In particular you do not need nat (dmz) 0 access-list no-nat .
>
> Please recheck your no-nat ACL. You have specified your dmz as being
> 10.10.0.0/16 but your ACL is for 10.10.15.0/24 .


actually, this is on purpose, only 10.10.15.0/24 is not supposed to be nat'ed while coming to dmz,
the rest is not allowed into dmz anyway.
 
Walter Roberson
09-06-2006
In article <edmic6$int$(E-Mail Removed)>, mak <(E-Mail Removed)> wrote:
>Walter Roberson wrote:
>> In article <edm1bh$cqm$(E-Mail Removed)>, mak <(E-Mail Removed)> wrote:
>>> do I need a nonat statement in both directions?
>>> access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
>>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>>
>> No, all you need is
>>
>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>> nat (inside) 0 access-list no-nat
>
>ok, but why don't I need it?
>does it have to do with interface security levels?

The reversal is automatic: when you apply the no-nat ACL against the
inside interface, it adds a table entry with that source (192.168.1.0/24)
to the inside interface, and it adds table entries with that
destination (10.10.15.0/24) to each of the lower security interfaces
(or is it to all the other interfaces? I'd have to think about that.)
 
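As an added illustration of the automatic reversal Walter describes above (this is a constructed model written for this page, not code from the thread, from the PIX, or from Cisco): a small Python simulation that builds the exemption table from `nat (ifc) 0 access-list` statements, installing the ACL entry on the named interface and its reversed form on the other interfaces. The data structures, the `parse_*` helpers and the probe packets are assumptions of the model; so is the choice to install reverse entries on every other interface, which is the point Walter leaves open. It shows that the single-line, inside-only configuration he recommends behaves the same as mak's two-line, two-interface version for traffic between 192.168.1.0/24 and 10.10.15.0/24, and that the rest of the 10.10.0.0/16 dmz stays un-exempted.

```python
"""Model of PIX 'nat (ifc) 0 access-list NAME' exemption (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class AclEntry:
    src: IPv4Network
    dst: IPv4Network


def parse_acl_line(line: str) -> tuple[str, AclEntry]:
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK' (assumed subset)."""
    p = line.split()
    if len(p) != 8 or p[0] != "access-list" or p[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    # ipaddress accepts dotted netmasks, e.g. 10.10.15.0/255.255.255.0
    return p[1], AclEntry(IPv4Network(f"{p[4]}/{p[5]}"), IPv4Network(f"{p[6]}/{p[7]}"))


def parse_nat_line(line: str) -> tuple[str, str]:
    """Parse 'nat (IFC) 0 access-list NAME' into (interface, acl name)."""
    p = line.split()
    if len(p) != 5 or p[0] != "nat" or p[2] != "0" or p[3] != "access-list":
        raise ValueError(f"unsupported nat line: {line!r}")
    return p[1].strip("()"), p[4]


def build_exemption_table(interfaces, config_lines):
    """Per-interface list of (src, dst) pairs that are exempt from translation.

    Forward entries go on the interface named in the nat statement; reversed
    entries (dst, src) go on every other interface.  Whether the real PIX does
    this for all other interfaces or only lower-security ones is an assumption.
    """
    acls, nats = {}, []
    for line in config_lines:
        if line.startswith("access-list"):
            name, entry = parse_acl_line(line)
            acls.setdefault(name, []).append(entry)
        elif line.startswith("nat "):
            nats.append(parse_nat_line(line))
    table = {ifc: [] for ifc in interfaces}
    for ifc, acl_name in nats:
        for entry in acls.get(acl_name, []):
            table[ifc].append(entry)
            for other in interfaces:
                if other != ifc:
                    table[other].append(AclEntry(entry.dst, entry.src))
    return table


def is_exempt(table, ingress_ifc, src, dst) -> bool:
    """True if a packet entering ingress_ifc from src to dst bypasses NAT."""
    s, d = IPv4Address(src), IPv4Address(dst)
    return any(s in e.src and d in e.dst for e in table[ingress_ifc])


def same_behaviour(table_a, table_b, probes) -> bool:
    """True if both tables give the same exempt/not-exempt answer for every probe."""
    return all(is_exempt(table_a, *p) == is_exempt(table_b, *p) for p in probes)


INTERFACES = ("inside", "dmz", "outside")

# Walter's recommendation: one ACL line, nat 0 on inside only.
RECOMMENDED = [
    "access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0",
    "nat (inside) 0 access-list no-nat",
]

# mak's original: both directions in the ACL and nat 0 on both interfaces.
ORIGINAL = [
    "access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0",
    "nat (dmz) 0 access-list no-nat",
    "nat (inside) 0 access-list no-nat",
]

# Constructed probe packets: (ingress interface, source, destination).
PROBES = [
    ("inside", "192.168.1.10", "10.10.15.20"),  # forward entry: exempt
    ("dmz", "10.10.15.20", "192.168.1.10"),     # reversed entry: exempt
    ("dmz", "10.10.20.20", "192.168.1.10"),     # rest of the /16 dmz: not exempt
    ("inside", "192.168.1.10", "10.10.20.20"),  # inside -> rest of dmz: not exempt
]

if __name__ == "__main__":
    rec, orig = build_exemption_table(INTERFACES, RECOMMENDED), build_exemption_table(INTERFACES, ORIGINAL)
    for probe in PROBES:
        print(probe, "exempt(recommended)=", is_exempt(rec, *probe), "exempt(original)=", is_exempt(orig, *probe))
    print("identical behaviour:", same_behaviour(rec, orig, PROBES))
```

The third probe is the narrowing Walter asked mak to recheck: only 10.10.15.0/24 is exempted, so a dmz host outside that /24 would still be translated if it were allowed through at all, which is what mak says he intends.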
 
mak
09-06-2006
Walter Roberson wrote:
> In article <edmic6$int$(E-Mail Removed)>, mak <(E-Mail Removed)> wrote:
>> Walter Roberson wrote:
>>> In article <edm1bh$cqm$(E-Mail Removed)>, mak <(E-Mail Removed)> wrote:
>>>> do I need a nonat statement in both directions?
>>>> access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
>>>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>>>
>>> No, all you need is
>>>
>>> access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
>>> nat (inside) 0 access-list no-nat
>>
>> ok, but why don't I need it?
>> does it have to do with interface security levels?
>
> The reversal is automatic: when you apply the no-nat ACL against the
> inside interface, it adds a table entry with that source (192.168.1.0/24)
> to the inside interface, and it adds table entries with that
> destination (10.10.15.0/24) to each of the lower security interfaces
> (or is it to all the other interfaces? I'd have to think about that.)


that's what I suspected.
weird, since traffic is coming the other way and access-lists always apply to incoming traffic.
I guess no-nat is different.

....anyway

thanks again for your excellent explanation,

m
 
Walter Roberson
09-06-2006
In article <edmjob$jbc$(E-Mail Removed)>, mak <(E-Mail Removed)> wrote:
>Walter Roberson wrote:
>> The reversal is automatic: when you apply the no-nat ACL against the
>> inside interface, it adds a table entry with that source (192.168.1.0/24)
>> to the inside interface, and it adds table entries with that
>> destination (10.10.15.0/24) to each of the lower security interfaces
>> (or is it to all the other interfaces? I'd have to think about that.)
>
>that's what I suspected.
>weird, since traffic is coming the other way and access-lists always
>apply to incoming traffic.
>I guess no-nat is different.

Recall that access-lists used in crypto map match address are also
automatically reversed for incoming traffic. So too access-lists used
for split tunneling.
 