I am trying to create a DMZ type environment between two internal networks using Cisco NAT. The below configuration is working to permit the two 'nat outside' interfaces to access the DMZ 'nat inside' server via the 10.0.0.50 & 172.26.100.50 hide NAT IP addresses. However, the server (192.168.1.2) is not being NAT'd when it accesses the other two devices.
I need this to bi-directionally NAT in order to hide the 'nat inside' network. For instance, 10.0.0.2 is able to ping/telnet to 10.0.0.50 and access the 192.168.1.2 device and is successfully translated. However, when 192.168.1.2 telnets to 10.0.0.2, the traffic shows up with the original IP address and not the desired 10.0.0.50 address.
!
interface GigabitEthernet0/0
 description insidetrusted
 ip address 172.26.100.10 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description dmz
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 description outside
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
!
!
ip nat inside source static 192.168.1.2 10.0.0.50 route-map netoutside
ip nat inside source static 192.168.1.2 172.26.100.50 route-map netinside
!
route-map netoutside permit 10
 match ip address 101
 match interface GigabitEthernet0/2
!
route-map netinside permit 10
 match ip address 100
 match interface GigabitEthernet0/0
!
Resources I've used in my research:
The source of the problem was the 'log' keyword at the end of my ACLs.
According to Cisco, you should never use 'log' with NAT ACLs. The observed behavior was that the traffic would be properly NAT'd in one direction, but in the other the NAT would not be applied.
The corrected ACLs are:
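The 'log' keyword problem described in the answer above, turned into a configuration audit (an added example, not code from the original post): it follows each `ip nat ... route-map` statement to its route-map, collects the ACLs that route-map matches on, and flags any of those ACLs whose entries end in `log` or `log-input`. The sample config and its two `access-list` lines are constructed for the example; the post does not show the actual ACL bodies.

```python
import re

# Constructed sample modelled on the question's configuration. The two
# access-list lines are assumptions: the original post does not show them.
SAMPLE_CONFIG = """\
ip nat inside source static 192.168.1.2 10.0.0.50 route-map netoutside
ip nat inside source static 192.168.1.2 172.26.100.50 route-map netinside
!
route-map netoutside permit 10
 match ip address 101
 match interface GigabitEthernet0/2
!
route-map netinside permit 10
 match ip address 100
 match interface GigabitEthernet0/0
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.26.100.0 0.0.0.255 log
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

NAT_RM = re.compile(r"^ip nat (?:inside|outside) source .*\broute-map (\S+)")
RM_HDR = re.compile(r"^route-map (\S+) (?:permit|deny) \d+")
MATCH_ACL = re.compile(r"^\s*match ip address (\S+)")
# Numbered (single-line) ACL entry ending in 'log' or 'log-input'.
ACL_LOG = re.compile(r"^access-list (\S+) .*\blog(?:-input)?\s*$")

def find_logging_nat_acls(config: str) -> list[str]:
    """Return ACL numbers that a NAT statement's route-map matches on and
    that contain an entry carrying the 'log' keyword (the failure on this page)."""
    nat_route_maps, logging_acls, rm_acls = set(), set(), {}
    current_rm = None
    for line in config.splitlines():
        if m := NAT_RM.match(line):
            nat_route_maps.add(m.group(1))
        elif m := RM_HDR.match(line):
            current_rm = m.group(1)  # entering a route-map clause
        elif current_rm and (m := MATCH_ACL.match(line)):
            rm_acls.setdefault(current_rm, set()).add(m.group(1))
        elif m := ACL_LOG.match(line):
            logging_acls.add(m.group(1))
        elif line.strip() == "!":
            current_rm = None  # section separator ends the clause
    referenced = set()
    for rm in nat_route_maps:
        referenced |= rm_acls.get(rm, set())
    return sorted(referenced & logging_acls)

print("NAT ACLs with 'log':", find_logging_nat_acls(SAMPLE_CONFIG))  # ['100']
```

Only classic numbered one-line ACLs are parsed; named `ip access-list` blocks would need the same treatment of their indented entries.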