
PIX nat/global config

wilson_1234_2
Level 3

Does the below config allow (just from a NAT perspective) hosts on the 10.1.1.0 subnet to access servers on the 192.168.1.0 subnet?

Is this NATing the FTP interface to the 10.1.1.10 address?

If so, would this overrule any access-list that was applied inbound to the FTP interface preventing anything from the 10.1.1.0 subnet?

global (ftp) 1 10.1.1.10

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

ip address inside 10.1.1.1 255.255.255.0

ip address ftp 192.168.1.1 255.255.255.0

2 Replies

No, your global command should have an address in the 192.168.1.0 subnet. (It could have another address, if the next-hop router had a route to the address pointing towards the "ftp" interface address, but we won't confuse things here). You could use the interface address itself for PAT.

You can't NAT an interface address.

Access lists always take precedence.

These are the actual configuration components below. The actual interface is 192.168.204.1, but the global is 10.1.40.249.

If the interface already has an IP address, what is the 10.1.40.249?

ip address inside 10.1.73.1 255.255.255.0

ip address ftp 192.168.204.1 255.255.255.0

global (outside) 1 interface

global (inside) 3 172.32.255.254

global (ftp) 1 10.1.40.249

nat (outside) 0 access-list nonatoutside outside

nat (outside) 3 access-list pefcu outside 0 0

nat (inside) 0 access-list NO_NAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
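
An added example, not part of the thread or any poster's code: a Python check that pairs `nat` and `global` statements by NAT ID and reports whether each global address lies in the subnet of the interface it is configured on, the condition the first reply describes. The function name `audit_nat` is hypothetical, and the parsing covers only the statement forms quoted in this thread.

```python
import ipaddress
import re

# Configuration lines quoted from the thread's second post.
PIX_CONFIG = """\
ip address inside 10.1.73.1 255.255.255.0
ip address ftp 192.168.204.1 255.255.255.0
global (outside) 1 interface
global (inside) 3 172.32.255.254
global (ftp) 1 10.1.40.249
nat (outside) 0 access-list nonatoutside outside
nat (outside) 3 access-list pefcu outside 0 0
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def audit_nat(config):
    """Pair nat/global statements by NAT ID and check each global address
    against the subnet of the interface it is configured on."""
    subnets, globals_, nats = {}, [], []
    for line in config.splitlines():
        if m := re.match(r"ip address (\S+) (\S+) (\S+)", line):
            subnets[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", line):
            globals_.append((m[1], int(m[2]), m[3]))
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nats.append((m[1], int(m[2])))
    findings = []
    for src_if, nat_id in nats:
        if nat_id == 0:  # nat 0 exempts traffic from translation
            continue
        for dst_if, gid, addr in globals_:
            if gid != nat_id or dst_if == src_if:  # assumption: skip same-interface pairs
                continue
            first = addr.split("-")[0]  # start of a range, or a single address
            if addr == "interface":
                on_subnet = True   # PAT to the interface's own address
            elif dst_if not in subnets:
                on_subnet = None   # no "ip address" line seen for this interface
            else:
                on_subnet = ipaddress.ip_address(first) in subnets[dst_if]
            findings.append((src_if, dst_if, nat_id, addr, on_subnet))
    return findings

if __name__ == "__main__":
    for src, dst, nid, addr, ok in audit_nat(PIX_CONFIG):
        status = {True: "on-subnet", False: "OFF-SUBNET", None: "unknown"}[ok]
        print(f"{src} -> {dst}  nat id {nid}  global {addr}  [{status}]")
```

An off-subnet result is not necessarily a misconfiguration; per the first reply, it works only when the next-hop router has a route for that address pointing at the firewall interface.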
