Conflicting NAT definition and translate table entries

mphadnis
Level 1

Hi,

I am facing a peculiar NAT situation on a PIX with multiple interfaces, config below:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security40
nat (inside) 1 10.0.1.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0 outside
global (dmz1) 1 192.168.17.2
global (outside) 1 64.0.0.1
global (dmz2) 1 172.17.0.1

Not my config, but faced with this situation: does the config prevent Inside hosts from communicating with the DMZ1 server?

Thanks in advance.

4 Replies

hoogen_82
Level 4

I would say this should work. By default, for higher-security to lower-security level communication you only need your nat enabled, nothing more. Only from lower to higher do you need nat as well as an access-list.

Why have you used this statement: 'nat (dmz1) 1 192.168.17.0 255.255.255.0 outside'?

You could do without it.

-Hoogen

Hi Hoogen,

I am only analyzing the existing configuration and not designing one. Inside to DMZ1 traffic does not work with this configuration and I am trying to understand why.

The statement 'nat (dmz1) 1 192.168.17.0 255.255.255.0 outside' is inserted because DMZ2 is at a higher security level than DMZ1.

The issue I faced is that Inside to DMZ1 communication works only when the above statement is removed. The error seen is 305006: No translation defined.

Apparently this is because a low-to-high global NAT definition has to be defined for all low-to-high interfaces, or for none at all. Am I understanding this right?

I would like to know if someone has seen this before and whether this is a bug that has been, or needs to be, addressed.

Thanks and Regards,

Mahesh

That statement is not required. For traffic flowing from DMZ1 to DMZ2 you have already configured the nat statement and also the global statement, so you don't need this statement.

If there is anything else that is problematic, do let us know.

-Hoogen

Oh! I thought when defining NAT on a lower security interface (dmz1) and a matching Global on a higher security interface (dmz2), outside NAT is compulsory.

Regards,

Mahesh
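As an added example (not from the thread and not Cisco's own tooling): a small Python checker that parses the nameif/nat/global lines quoted in the question and lists, for each ordered interface pair, which nat ids pair a `nat` on the source interface with a `global` on the destination, using the id-matching rule as the replies describe it. The config string is the one from the question; the function names are mine, and the checker deliberately does not model the 305006 drop Mahesh observed.

```python
import re
from collections import defaultdict
# Constructed sample: the PIX configuration quoted in the question above.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security40
nat (inside) 1 10.0.1.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0 outside
global (dmz1) 1 192.168.17.2
global (outside) 1 64.0.0.1
global (dmz2) 1 172.17.0.1
"""

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)(\s+outside)?$")
GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+)$")

def parse(config):
    """Return (security level per interface, nat entries, global ids per interface)."""
    levels, nats, globals_ = {}, [], defaultdict(set)
    for line in config.strip().splitlines():
        line = line.strip()
        if m := NAMEIF.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := NAT.match(line):  # (interface, nat id, network, has 'outside')
            nats.append((m.group(1), int(m.group(2)), m.group(3), bool(m.group(5))))
        elif m := GLOBAL.match(line):
            globals_[m.group(1)].add(int(m.group(2)))
    return levels, nats, globals_

def translation_candidates(config, src, dst):
    """Nat ids that pair a `nat (src) id` with a `global (dst) id`.
    Id matching only, as the thread describes it: a nat line with the `outside`
    keyword serves lower-to-higher flows, one without it higher-to-lower flows;
    the 305006 drop that Mahesh observed is not modelled."""
    levels, nats, globals_ = parse(config)
    low_to_high = levels[src] < levels[dst]
    return sorted({nat_id for ifname, nat_id, _net, is_outside in nats
                   if ifname == src and is_outside == low_to_high
                   and nat_id in globals_[dst]})

if __name__ == "__main__":
    levels = parse(PIX_CONFIG)[0]
    for a, b in ((a, b) for a in levels for b in levels if a != b):
        print(f"{a:>8} -> {b:<8} nat ids: {translation_candidates(PIX_CONFIG, a, b) or 'none'}")
```

Under this rule inside -> dmz1 does have an id-1 pairing, which is why the checker alone cannot explain the 305006 message; it is useful for spotting interface pairs that have no matching nat/global pair at all.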
