basic nonat question pix

just wondering:

here's my interfaces:

dmz: 10.10.0.1/16 inside:192.168.1.1/24

sh nat
nat (dmz) 0 access-list no-nat
nat (inside) 0 access-list no-nat

one subnet on the dmz interface has access to inside lan, and vice versa

do I need a nonat statement in both directions? e.g.:

access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0

cheers, m

Reply to
mak

No, all you need is

access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
nat (inside) 0 access-list no-nat

In particular you do not need nat (dmz) 0 access-list no-nat.

Please recheck your no-nat ACL. You have specified your dmz as being 10.10.0.0/16 but your ACL is for 10.10.15.0/24.
Reply to
Walter Roberson

ok, but why don't I need it? does it have to do with interface security levels?

actually, this is on purpose: only 10.10.15.0/24 is not supposed to be NAT'ed when coming to the dmz; the rest is not allowed into the dmz anyway.

Reply to
mak

The reversal is automatic: when you apply the no-nat ACL against the inside interface, it adds a table entry with that source (192.168.1.0/24) to the inside interface, and it adds table entries with that destination (10.10.15.0/24) to each of the lower security interfaces (or is it to all the other interfaces? I'd have to think about that.)

Reply to
Walter Roberson
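A small Python model of the reversal Walter describes, added here as an illustration (it is not code from the thread and not the PIX implementation itself): it parses the two statements from his reply, installs the ACE as written on the interface named in the nat 0 statement and reversed on every lower-security interface, then checks sample flows in both directions. The security levels (inside 100, dmz 50) are assumed, and the model takes the "lower security interfaces" reading of his open question.

```python
import ipaddress

# Constructed configuration mirroring the thread (security levels are assumed;
# inside is 100 by default on a PIX and a dmz is normally lower).
INTERFACES = {"inside": 100, "dmz": 50}
CONFIG = [
    "access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0",
    "nat (inside) 0 access-list no-nat",
]

def parse_config(lines):
    """Return (applied_interface, acl_name, [(src_net, dst_net), ...]) from the two
    statement forms used in the thread; anything else is rejected."""
    aces, applied, acl_name = {}, None, None
    for line in lines:
        t = line.split()
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src = ipaddress.ip_network(f"{t[4]}/{t[5]}")   # address/netmask form
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}")
            aces.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            applied, acl_name = t[1].strip("()"), t[4]
        else:
            raise ValueError("unsupported statement: " + line)
    return applied, acl_name, aces[acl_name]

def build_exempt_table(applied_on, aces, interfaces):
    """Model of the reversal described in the thread: each ACE goes as-is onto the
    interface named in the nat 0 statement and reversed (dst->src) onto every
    interface with a lower security level."""
    table = {applied_on: list(aces)}
    for name, level in interfaces.items():
        if level < interfaces[applied_on]:
            table.setdefault(name, []).extend((dst, src) for src, dst in aces)
    return table

def is_exempt(table, ingress, src_ip, dst_ip):
    """True if a packet entering 'ingress' matches an exemption entry there."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in table.get(ingress, []))

def nat_exempt_table():
    applied, _, aces = parse_config(CONFIG)
    return build_exempt_table(applied, aces, INTERFACES)

if __name__ == "__main__":
    table = nat_exempt_table()
    for ingress, src, dst in [("inside", "192.168.1.10", "10.10.15.5"),
                              ("dmz", "10.10.15.5", "192.168.1.10"),
                              ("dmz", "10.10.20.5", "192.168.1.10")]:
        verdict = "exempt" if is_exempt(table, ingress, src, dst) else "translated"
        print(f"{ingress}: {src} -> {dst}: {verdict}")
```

The third sample flow (from the rest of the 10.10.0.0/16) is not exempt, which is the point of Walter's "recheck your ACL" remark and of mak's reply that the narrower subnet is intentional.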

that's what I suspected. weird, since traffic is coming the other way and access-lists always apply to incoming traffic. I guess no-nat is different.

...anyway

thanks again for your excellent explanation,

m
Reply to
mak

Recall that access-lists used in crypto map match address are also automatically reversed for incoming traffic. So too access-lists used for split tunneling.

Reply to
Walter Roberson
