no nat-control, masq inside-outside stops extranet<->inside flow

Unanswered Question
Apr 8th, 2008

In the following configuration with "no nat-control", the bidirectional traffic between extranet and inside is stopped only when I create a new masq from inside to outside.

Is this behaviour correct?

When the traffic is stopped, the logs are the following:

172.31.224.254 %PIX-3-305006: portmap translation creation failed for tcp src inside:10.1.77.77/14965 dst extranet:172.29.49.251/80

ACL permissions on int. extranet:

permit ip from 172.29.49.0 to inside
permit telnet from 172.31.253.251 to internet

access-list np-itf-extranet-in extended permit ip 172.29.49.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list np-itf-extranet-in extended permit tcp host 172.31.253.251 gt 1023 any eq telnet
access-list np-itf-extranet-in extended deny ip any any

ACL permissions from int. inside:

permit ip inside to 172.29.49.0
permit telnet inside to internet

access-list np-itf-inside-in extended permit ip 10.1.0.0 255.255.0.0 172.29.49.0 255.255.255.0
access-list np-itf-inside-in extended permit tcp 10.1.0.0 255.255.0.0 gt 1023 any eq telnet
access-list np-itf-inside-in extended deny ip any any

For outside:

access-list np-itf-outside-in extended deny ip any any

MASQ from 172.29.49.0 to internet:

access-list np-nat1000-extranetDynamicNat extended permit ip 172.29.49.0 255.255.255.0 any
global (outside) 1000 interface
nat (extranet) 1000 access-list np-nat1000-extranetDynamicNat

access-group np-itf-outside-in in interface outside
access-group np-itf-inside-in in interface inside
access-group np-itf-extranet-in in interface extranet

route extranet 172.29.49.0 255.255.255.0 172.31.224.222 1

Now, when I create a MASQ from INSIDE to INTERNET with the nat commands:

access-list np-nat1000-insideDynamicNat extended permit ip 10.1.0.0 255.255.0.0 any
nat (inside) 1000 access-list np-nat1000-insideDynamicNat
global (outside) 1000 interface

the traffic stops flowing from inside host 10.1.77.77 to extranet host 172.29.49.251.

Interface config:

interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.y.z.w 255.255.254.0
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.127.252 255.255.0.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif dmz0
 security-level 60
 ip address 192.168.150.252 255.255.255.0
!
interface Ethernet3
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet3.102
 vlan 102
 nameif WiFiRed
 security-level 80
 ip address 172.31.128.254 255.255.255.0
!
interface Ethernet3.301
 vlan 301
 nameif BPVR
 security-level 70
 ip address 172.31.145.252 255.255.255.0
!
interface Ethernet3.302
 vlan 302
 nameif OVERnet
 security-level 10
 ip address a.b.c.d 255.255.255.128
!
interface Ethernet3.500
 vlan 500
 nameif extra-lanfail
 security-level 20
 ip address 192.168.163.252 255.255.255.0
!
interface Ethernet4
 speed 100
 duplex full
 nameif rupa
 security-level 30
 ip address e.f.g.h 255.255.255.224
!
interface Ethernet5
 speed 100
 duplex full
 nameif extranet
 security-level 40
 ip address 172.31.224.254 255.255.224.0
!
interface GigabitEthernet0
 shutdown
 nameif intf6
 security-level 12
 no ip address

Thanks in advance,

Roberto
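An added note and example, not part of Roberto's post: the 305006 message is logged for an inside->extranet flow, which the new nat (inside) 1000 rule matches because its ACL permits destination any, while the only global with ID 1000 is bound to outside, so no translation can be built toward extranet. A NAT exemption for the inside<->extranet pair keeps the inside->Internet masquerade and leaves that pair untranslated in both directions (assumes PIX 7.x syntax and the interface names and networks quoted above; the ACL name np-nat0-inside-extranet is made up here).

```cisco
! Added example, not from the original post. Assumes PIX 7.x syntax and
! the inside (10.1.0.0/16) and extranet (172.29.49.0/24) networks above.
!
! nat 0 with an access-list is NAT exemption: it is evaluated before the
! dynamic rules and applies to traffic initiated from either side, so
! inside->extranet no longer looks for a (missing) global on extranet.
access-list np-nat0-inside-extranet extended permit ip 10.1.0.0 255.255.0.0 172.29.49.0 255.255.255.0
nat (inside) 0 access-list np-nat0-inside-extranet
!
! The existing inside->Internet masquerade stays as configured:
! access-list np-nat1000-insideDynamicNat extended permit ip 10.1.0.0 255.255.0.0 any
! nat (inside) 1000 access-list np-nat1000-insideDynamicNat
! global (outside) 1000 interface
!
! Check that the exemption is listed ahead of the dynamic rule, then watch
! for 305006 to stop appearing for dst extranet:
show nat
show xlate
```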
