Global & Nat issue

m-mneimneh
Level 1

Hi all,

I have an issue using nat & global; I have the following config on my PIX, running 6.3

nat (inside) 2 access-list ftp_clients

nat (inside) 5 access-list DomainControllers

nat (inside) 5 172.16.254.0 255.255.255.0

access-list ftp_clients permit any

access-list DomainControllers permit host 172.16.16.45

access-list DomainControllers permit host 172.16.16.46

access-list DomainControllers permit host 172.16.16.47

global (outside) 5 212.98.x.x

global (outside) 2 216.236.y.y

The thing is that the sh xlate output shows that the Domain Controllers are using Global 2, and not Global 5, as seen below:

PAT Global 216.236.y.y(1041) Local 172.16.16.45(1053)

PAT Global 216.236.x.x(1032) Local 172.16.16.47(1047)

Any tips why this is so?

Thanks in advance.

4 Replies

acomiskey
Level 10

I believe it is because they are matching first on this access list assigned to global 2.

access-list ftp_clients permit any

Try it this way...

nat (inside) 2 access-list DomainControllers

nat (inside) 2 172.16.254.0 255.255.255.0

nat (inside) 5 access-list ftp_clients

access-list DomainControllers permit host 172.16.16.45

access-list DomainControllers permit host 172.16.16.46

access-list DomainControllers permit host 172.16.16.47

access-list ftp_clients permit any

global (outside) 2 212.98.x.x

global (outside) 5 216.236.y.y
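As an added example (not code from any poster in this thread), here is a small Python model of the first-match reasoning in the reply above: it parses the thread's simplified config lines and reports which global a given inside host would be translated to. It assumes that policy NAT entries (nat with access-list) are evaluated before plain nat entries and in configuration order, and it embeds constructed copies of both the original and the reordered config.

```python
import ipaddress
# Constructed copies of the thread's fragments (x.x / y.y placeholders kept).
ORIGINAL = """nat (inside) 2 access-list ftp_clients
nat (inside) 5 access-list DomainControllers
nat (inside) 5 172.16.254.0 255.255.255.0
access-list ftp_clients permit any
access-list DomainControllers permit host 172.16.16.45
access-list DomainControllers permit host 172.16.16.46
access-list DomainControllers permit host 172.16.16.47
global (outside) 5 212.98.x.x
global (outside) 2 216.236.y.y"""
REORDERED = """nat (inside) 2 access-list DomainControllers
nat (inside) 2 172.16.254.0 255.255.255.0
nat (inside) 5 access-list ftp_clients
access-list DomainControllers permit host 172.16.16.45
access-list DomainControllers permit host 172.16.16.46
access-list DomainControllers permit host 172.16.16.47
access-list ftp_clients permit any
global (outside) 2 212.98.x.x
global (outside) 5 216.236.y.y"""

def _net(tokens):
    """ACL operand 'any', 'host A.B.C.D' or 'A.B.C.D MASK' -> ip_network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr = tokens[1] if tokens[0] == "host" else f"{tokens[0]}/{tokens[1]}"
    return ipaddress.ip_network(addr, strict=False)

def parse(config):
    acls, nats, globs = {}, [], {}      # ACL name -> networks, nat entries, id -> global
    for t in (line.split() for line in config.splitlines()):
        if t[0] == "access-list":
            acls.setdefault(t[1], []).append(_net(t[3:]))
        elif t[0] == "nat":             # (id, acl name or None, network or None), config order
            policy = t[3] == "access-list"
            nats.append((int(t[2]), t[4] if policy else None, None if policy else _net(t[3:])))
        elif t[0] == "global":
            globs[int(t[2])] = t[3]
    return acls, nats, globs

def global_for(src, config):
    """Assumed PIX 6.3 order: policy NAT (nat + access-list) entries are tried
    first, in configuration order, then plain nat entries; first match wins."""
    acls, nats, globs = parse(config)
    src = ipaddress.ip_address(src)
    for nat_id, acl, net in sorted(nats, key=lambda n: n[1] is None):  # stable sort
        nets = acls.get(acl, []) if net is None else [net]
        if any(src in n for n in nets):
            return nat_id, globs.get(nat_id)
    return None, None
```

Under this model the `permit any` policy entry also swallows every other inside host, so the plain `nat (inside) 2 172.16.254.0 255.255.255.0` line is never reached in the reordered config either.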

Hi guys,

I tried what you suggested, and it's still not working. Is this a normal behavior?

Any other tips please?

Hello,

There is something wrong in your

nat (inside) 5 access-list ftp_clients

You do not match any subnet of your inside interface. Try 0.0.0.0 0.0.0.0 or the subnet you would like to NAT.

Bye
