> I've been fighting this problem for two weeks now. What follows is the
> current config (edited to protect the innocent). If format is maintained,
> the trouble lines will be bolded. These trouble lines are: access-list nonat
> permit ip any any; nat (inside) 0 access-list nonat; access-group nonat in
> interface dmz.

[lots of deletia]

Here are a couple of ideas and recommendations that may help.
First, I don't recommend using the same acl for the "access-group" and
"nat (interface) 0 ..." purposes; keep those acl's separate and things
are cleaner.

Second, I recommend applying an acl to every interface with
"access-group". That way no access is implied by security levels;
everything's explicit. Your mileage and tastes may vary.

Third, if you need non-natted access between some pair of
interfaces (say, inside and DMZ), then write a nonat acl for the
interface with the higher security level, permitting all ip from the
higher-security level subnet (source) to the lower-security level subnet
(destination). Note that it doesn't matter whether the packets and
connections are sourced from the higher or lower interface... for nat
purposes the higher security interface is written as source by

So try something like this: (untested) (pardon the long line)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
ip address outside
ip address inside
ip address DMZ
access-list acl_inbound
access-list acl_dmz
access-list acl_inside
access-group acl_inbound in interface outside
access-group acl_dmz in interface DMZ
access-group acl_inside in interface inside
access-list acl_nonat_inside permit ip
nat (inside) 0 access-list acl_nonat_inside

Traffic that matches acl_nonat_inside (i.e. traffic between
inside and DMZ) will go un-natted; all other traffic (including Internet
traffic) will be natted.


firewall-wizards mailing list
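As an added illustration (not part of the original post, and not PIX code), this Python model evaluates the nonat ACL the way the post describes it: the ACE is written with the higher-security (inside) subnet as source, and a flow arriving from the DMZ side is checked with its addresses swapped, so the exemption works regardless of which side opened the connection. The subnets 10.1.0.0/24 and 192.168.4.0/24 and the address 203.0.113.10 are constructed placeholders, since the post leaves the addresses blank.

```python
from ipaddress import ip_address, ip_network

# Security levels taken from the nameif lines in the post.
SECURITY_LEVEL = {"outside": 0, "inside": 100, "DMZ": 4}

# Constructed subnets (hypothetical; the post leaves the addresses blank).
INSIDE_NET = ip_network("10.1.0.0/24")
DMZ_NET = ip_network("192.168.4.0/24")

# acl_nonat_inside, written with the higher-security side (inside) as source.
# Each ACE is (action, source network, destination network); protocol "ip" is implied.
ACL_NONAT_INSIDE = [("permit", INSIDE_NET, DMZ_NET)]

# Interface the "nat (inside) 0 access-list acl_nonat_inside" statement is bound to.
NAT_ZERO_INTERFACE = "inside"


def acl_permits(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def is_nat_exempt(ingress_if, egress_if, src, dst):
    """True if a flow entering on ingress_if and leaving on egress_if is exempted
    from translation by the nat 0 access-list.

    The nonat ACL names the higher-security interface's hosts as source, so a
    flow arriving from the lower-security side is matched with src/dst swapped.
    """
    if NAT_ZERO_INTERFACE not in (ingress_if, egress_if):
        return False
    src, dst = ip_address(src), ip_address(dst)
    if SECURITY_LEVEL[ingress_if] < SECURITY_LEVEL[egress_if]:
        src, dst = dst, src
    return acl_permits(ACL_NONAT_INSIDE, src, dst)


if __name__ == "__main__":
    # inside -> DMZ matches the ACE directly and goes un-natted
    print(is_nat_exempt("inside", "DMZ", "10.1.0.5", "192.168.4.10"))
    # DMZ -> inside is the same pair seen from the other side; also un-natted
    print(is_nat_exempt("DMZ", "inside", "192.168.4.10", "10.1.0.5"))
    # inside -> Internet does not match, so it is natted as usual
    print(is_nat_exempt("inside", "outside", "10.1.0.5", "203.0.113.10"))
```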