04-23-2007 06:33 AM - edited 03-11-2019 03:02 AM
Does the below config allow (just from a NAT perspective) hosts on the 10.1.1.0 subnet to access servers on the 192.168.1.0 subnet?
Is this NATing the FTP interface to the 10.1.1.10 address?
If so, would this overrule any access-list that was applied inbound to the FTP interface preventing anything from the 10.1.1.0 subnet?
global (ftp) 1 10.1.1.10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ip address inside 10.1.1.1 255.255.255.0
ip address ftp 192.168.1.1 255.255.255.0
04-23-2007 08:53 AM
No, your global command should have an address in the 192.168.1.0 subnet. (It could have another address, if the next-hop router had a route to the address pointing towards the "ftp" interface address, but we won't confuse things here). You could use the interface address itself for PAT.
You can't NAT an interface address.
Access lists always take precedence.
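As an added example (not part of any post in this thread, and not Cisco tooling), this Python audit checks the point made in the reply above: whether each global address falls inside the subnet of the interface it is bound to, and whether a nat statement with the same id exists. The function name and finding strings are assumptions made for illustration; the sample input is the config from the first post.

```python
import ipaddress
import re

# Constructed sample: the config lines from the first post in this thread.
SAMPLE = """\
global (ftp) 1 10.1.1.10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ip address inside 10.1.1.1 255.255.255.0
ip address ftp 192.168.1.1 255.255.255.0
"""

IP_RE = re.compile(r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")

def audit_globals(config):
    """Return (interface, nat_id, address, finding) for each global line."""
    nets, globals_, nat_ids = {}, [], set()
    for line in map(str.strip, config.splitlines()):
        if m := IP_RE.match(line):
            # ip_interface accepts address/netmask and exposes the network
            nets[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := GLOBAL_RE.match(line):
            globals_.append((m[1], int(m[2]), m[3]))
        elif m := NAT_RE.match(line):
            nat_ids.add(int(m[2]))
    results = []
    for ifname, nat_id, addr in globals_:
        iface = nets.get(ifname)
        if nat_id not in nat_ids:
            finding = "no nat statement with this id"
        elif addr == "interface":
            finding = "PAT to interface address"
        elif iface is None:
            finding = "interface address not in config"
        elif ipaddress.ip_address(addr.split("-")[0]) in iface.network:
            finding = "in interface subnet"
        else:
            # Only works if the next hop routes this address to the firewall
            finding = "outside interface subnet"
        results.append((ifname, nat_id, addr, finding))
    return results

if __name__ == "__main__":
    for row in audit_globals(SAMPLE):
        print(*row, sep="  ")
```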
04-24-2007 06:06 PM
These are the actual configuration components below. The actual Interface is 192.168.204.1, but the global is 10.1.40.249.
If the interface already has an IP address, what is the 10.1.40.249?
ip address inside 10.1.73.1 255.255.255.0
ip address ftp 192.168.204.1 255.255.255.0
global (outside) 1 interface
global (inside) 3 172.32.255.254
global (ftp) 1 10.1.40.249
nat (outside) 0 access-list nonatoutside outside
nat (outside) 3 access-list pefcu outside 0 0
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0