no nat-control , masq inside-outside stop extranet<->inside flow

Unanswered Question
Apr 8th, 2008

In the following configuration with "no nat-control", the bi-directional traffic between extranet and inside is stopped only when I create a new masq from inside to outside.

Is this behaviour correct?

When the traffic is stopped, the logs are the following: %PIX-3-305006: portmap translation creation failed for tcp src inside: dst extranet:

ACL permissions, int. extranet:
permit ip from to inside
permit telnet from to internet

access-list np-itf-extranet-in extended permit ip
access-list np-itf-extranet-in extended permit tcp host gt 1023 any eq telnet
access-list np-itf-extranet-in extended deny ip any any

ACL permissions from int. inside:
Permit IP inside to
Permit telnet inside to internet

access-list np-itf-inside-in extended permit ip
access-list np-itf-inside-in extended permit tcp gt 1023 any eq telnet
access-list np-itf-inside-in extended deny ip any any

For outside:
access-list np-itf-outside-in extended deny ip any any

MASQ from to internet:
access-list np-nat1000-extranetDynamicNat extended permit ip any
global (outside) 1000 interface
nat (extranet) 1000 access-list np-nat1000-extranetDynamicNat

access-group np-itf-outside-in in interface outside
access-group np-itf-inside-in in interface inside
access-group np-itf-extranet-in in interface extranet

route extranet 1

Now, when I create a MASQ from INSIDE to INTERNET with the nat commands:

access-list np-nat1000-insideDynamicNat extended permit ip any
nat (inside) 1000 access-list np-nat1000-insideDynamicNat
global (outside) 1000 interface

the traffic stops flowing from inside hosts to extranet hosts.

Interface config:

interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.y.z.w

interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address

interface Ethernet2
 speed 100
 duplex full
 nameif dmz0
 security-level 60
 ip address

interface Ethernet3
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address

interface Ethernet3.102
 vlan 102
 nameif WiFiRed
 security-level 80
 ip address

interface Ethernet3.301
 vlan 301
 nameif BPVR
 security-level 70
 ip address

interface Ethernet3.302
 vlan 302
 nameif OVERnet
 security-level 10
 ip address a.b.c.d

interface Ethernet3.500
 vlan 500
 nameif extra-lanfail
 security-level 20
 ip address

interface Ethernet4
 speed 100
 duplex full
 nameif rupa
 security-level 30
 ip address e.f.g.h

interface Ethernet5
 speed 100
 duplex full
 nameif extranet
 security-level 40
 ip address

interface GigabitEthernet0
 nameif intf6
 security-level 12
 no ip address

Thanks in advance.
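A small Python model of the PIX 7.x "no nat-control" lookup behind the behaviour described in the post, added here and not part of the original question or of Cisco's code: a flow that matches a dynamic nat rule whose nat_id has no global pool on the egress interface is dropped with the 305006 message, while a flow matching no rule passes untranslated. The networks, the test addresses and the nat 0 exemption shown as a mitigation are constructed assumptions; the post's real addresses were stripped.

```python
import ipaddress

# Constructed networks: the post's real addresses were stripped on extraction.
INSIDE_NET = ipaddress.ip_network("10.1.0.0/16")
EXTRANET_NET = ipaddress.ip_network("10.2.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")
GLOBALS = {("outside", 1000)}          # the post's only pool: global (outside) 1000 interface

def acl_matches(acl, src, dst):
    """First matching ACE decides; a deny ACE means 'not subject to this nat rule'."""
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False

def nat_lookup(nat_rules, globals_, in_ifc, out_ifc, src, dst):
    """Simplified PIX 7.x dynamic-NAT lookup under 'no nat-control'.
    nat_rules: list of (ifc, nat_id, acl); nat 0 access-list (exemption) is checked first."""
    for ifc, nat_id, acl in nat_rules:
        if ifc == in_ifc and nat_id == 0 and acl_matches(acl, src, dst):
            return "exempt"
    for ifc, nat_id, acl in nat_rules:
        if ifc == in_ifc and nat_id != 0 and acl_matches(acl, src, dst):
            if (out_ifc, nat_id) in globals_:
                return f"translated via global ({out_ifc}) {nat_id}"
            # Rule matched but no global for this nat_id on the egress interface:
            # the connection is dropped and %PIX-3-305006 is logged, as in the post.
            return "fail: portmap translation creation failed"
    return "untranslated"                # no nat-control: unmatched flows pass as-is

# State 1: only the extranet masquerade (nat (extranet) 1000 access-list ... permit ip <extranet> any).
RULES_BEFORE = [("extranet", 1000, [("permit", EXTRANET_NET, ANY)])]
# State 2: plus nat (inside) 1000 access-list np-nat1000-insideDynamicNat, i.e. permit ip <inside> any.
RULES_AFTER = RULES_BEFORE + [("inside", 1000, [("permit", INSIDE_NET, ANY)])]
# Assumed mitigation (not in the post): nat (inside) 0 access-list exempting inside<->extranet,
# so the broad dynamic rule no longer claims that flow.
RULES_FIXED = [("inside", 0, [("permit", INSIDE_NET, EXTRANET_NET)])] + RULES_AFTER

def demo(rules, out_ifc="extranet", dst="10.2.0.20"):
    """Look up a constructed inside host talking to dst out of out_ifc."""
    return nat_lookup(rules, GLOBALS, "inside", out_ifc,
                      ipaddress.ip_address("10.1.0.10"), ipaddress.ip_address(dst))

if __name__ == "__main__":
    for name, rules in [("before", RULES_BEFORE), ("after", RULES_AFTER), ("fixed", RULES_FIXED)]:
        print(f"{name:6} inside->extranet: {demo(rules)}")
    print(f"after  inside->outside : {demo(RULES_AFTER, 'outside', '198.51.100.7')}")
```

The "after" case reproduces the post's symptom: the inside-to-extranet flow matches the new permit-ip-any nat rule, and pool 1000 has no global on the extranet interface, so translation creation fails while inside-to-outside still translates normally.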

