PIX nat/global config

Unanswered Question
Apr 23rd, 2007

Does the below config allow (just from a NAT perspective) hosts on the 10.1.1.0 subnet to access servers on the 192.168.1.0 subnet?

Is this NATing the FTP interface to the 10.1.1.10 address?

If so, would this overrule any access-list that was applied inbound to the FTP interface preventing anything from the 10.1.1.0 subnet?

global (ftp) 1 10.1.1.10

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

ip address inside 10.1.1.1 255.255.255.0

ip address ftp 192.168.1.1 255.255.255.0

Frederick Reimer Mon, 04/23/2007 - 08:53

No, your global command should have an address in the 192.168.1.0 subnet. (It could have another address, if the next-hop router had a route to the address pointing towards the "ftp" interface address, but we won't confuse things here). You could use the interface address itself for PAT.

You can't NAT an interface address.

Access lists always take precedence.
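
An added example, not part of the thread or of the reply above: a Python check of the rule that a `global` address should fall within the subnet of the interface it is bound to. The function name `audit_globals` and the verdict labels are assumptions of this example; the sample lines are the config from the question.

```python
import ipaddress

# Config lines copied from the question above (PIX 6.x syntax).
SAMPLE = """\
global (ftp) 1 10.1.1.10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ip address inside 10.1.1.1 255.255.255.0
ip address ftp 192.168.1.1 255.255.255.0
"""

def audit_globals(config):
    """Return (interface, nat_id, address, verdict) for each global line."""
    nets, globals_ = {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "address"] and len(tok) >= 5:
            # ip address <if_name> <ip> <mask>
            nets[tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}").network
        elif tok[:1] == ["global"] and len(tok) >= 4:
            # global (<if_name>) <nat_id> <ip[-ip]> | interface
            globals_.append((tok[1].strip("()"), tok[2], tok[3]))
    findings = []
    for ifname, nat_id, addr in globals_:
        net = nets.get(ifname)
        if addr == "interface":
            verdict = "pat-to-interface"   # PAT using the interface address
        elif net is None:
            verdict = "unknown-interface"  # no "ip address" line for it
        elif all(ipaddress.ip_address(a) in net for a in addr.split("-")):
            verdict = "on-subnet"
        else:
            # Usable only if the next hop routes this address to the PIX.
            verdict = "off-subnet"
        findings.append((ifname, nat_id, addr, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_globals(SAMPLE):
        print(*finding)
```

An `off-subnet` verdict is a prompt to confirm the upstream route exists, not proof that the translation fails.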

wilson_1234_2 Tue, 04/24/2007 - 18:06

These are the actual configuration components below. The actual interface is 192.168.204.1, but the global is 10.1.40.249.

If the interface already has an IP address, what is the 10.1.40.249?

ip address inside 10.1.73.1 255.255.255.0

ip address ftp 192.168.204.1 255.255.255.0

global (outside) 1 interface

global (inside) 3 172.32.255.254

global (ftp) 1 10.1.40.249

nat (outside) 0 access-list nonatoutside outside

nat (outside) 3 access-list pefcu outside 0 0

nat (inside) 0 access-list NO_NAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
