04-08-2008 06:49 AM - edited 03-11-2019 05:28 AM
In the following configuration with "no nat-control", the bi-directional traffic between extranet and inside is stopped only when I create a new masq from inside to outside.
Is this behaviour correct?
When the traffic is stopped, the logs are the following:
172.31.224.254 %PIX-3-305006: portmap translation creation failed for tcp src inside:10.1.77.77/14965 dst extranet:172.29.49.251/80
ACL permissions on int. extranet:
permit ip from 172.29.49.0 to inside
permit telnet from 172.31.253.251 to internet
access-list np-itf-extranet-in extended permit ip 172.29.49.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list np-itf-extranet-in extended permit tcp host 172.31.253.251 gt 1023 any eq telnet
access-list np-itf-extranet-in extended deny ip any any
ACL permissions from int. inside:
Permit IP inside to 172.29.49.0
Permit telnet inside to internet
access-list np-itf-inside-in extended permit ip 10.1.0.0 255.255.0.0 172.29.49.0 255.255.255.0
access-list np-itf-inside-in extended permit tcp 10.1.0.0 255.255.0.0 gt 1023 any eq telnet
access-list np-itf-inside-in extended deny ip any any
For outside:
access-list np-itf-outside-in extended deny ip any any
MASQ from 172.29.49.0 to internet:
access-list np-nat1000-extranetDynamicNat extended permit ip 172.29.49.0 255.255.255.0 any
global (outside) 1000 interface
nat (extranet) 1000 access-list np-nat1000-extranetDynamicNat
access-group np-itf-outside-in in interface outside
access-group np-itf-inside-in in interface inside
access-group np-itf-extranet-in in interface extranet
route extranet 172.29.49.0 255.255.255.0 172.31.224.222 1
Now, when I create a MASQ from INSIDE to INTERNET with the nat commands:
access-list np-nat1000-insideDynamicNat extended permit ip 10.1.0.0 255.255.0.0 any
nat (inside) 1000 access-list np-nat1000-insideDynamicNat
global (outside) 1000 interface
the traffic stops flowing from inside host 10.1.77.77 to extranet host 172.29.49.251.
Interface conf:
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address x.y.z.w 255.255.254.0
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.127.252 255.255.0.0
!
interface Ethernet2
speed 100
duplex full
nameif dmz0
security-level 60
ip address 192.168.150.252 255.255.255.0
!
interface Ethernet3
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet3.102
vlan 102
nameif WiFiRed
security-level 80
ip address 172.31.128.254 255.255.255.0
!
interface Ethernet3.301
vlan 301
nameif BPVR
security-level 70
ip address 172.31.145.252 255.255.255.0
!
interface Ethernet3.302
vlan 302
nameif OVERnet
security-level 10
ip address a.b.c.d 255.255.255.128
!
interface Ethernet3.500
vlan 500
nameif extra-lanfail
security-level 20
ip address 192.168.163.252 255.255.255.0
!
interface Ethernet4
speed 100
duplex full
nameif rupa
security-level 30
ip address e.f.g.h 255.255.255.224
!
interface Ethernet5
speed 100
duplex full
nameif extranet
security-level 40
ip address 172.31.224.254 255.255.224.0
!
interface GigabitEthernet0
shutdown
nameif intf6
security-level 12
no ip address
Thanks in advance,
Roberto
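The %PIX-3-305006 message above is consistent with the new inside nat rule matching the flow (its destination is "any", which includes the extranet subnet) while no global pool exists on the extranet interface. The following Python script is an added example, not part of the post or of any Cisco tool: it parses the posted access-list, nat and global statements together with the logged flow and reports whether the matching nat rule has a global on the egress interface. It assumes PIX 7.x behaviour with "no nat-control" (a flow matching no nat rule passes untranslated, a nat 0 access-list exemption is checked first), and the exemption ACL at the end is constructed, not from the post.

```python
import ipaddress
import re
# Statements quoted from the post: extranet -> internet masquerade only.
CONFIG_BEFORE = """
access-list np-nat1000-extranetDynamicNat extended permit ip 172.29.49.0 255.255.255.0 any
global (outside) 1000 interface
nat (extranet) 1000 access-list np-nat1000-extranetDynamicNat"""
# The inside -> internet masquerade added in the post; its 'any' also covers the extranet subnet.
CONFIG_AFTER = CONFIG_BEFORE + """
access-list np-nat1000-insideDynamicNat extended permit ip 10.1.0.0 255.255.0.0 any
nat (inside) 1000 access-list np-nat1000-insideDynamicNat"""
# Constructed NAT exemption for inside <-> extranet (ACL name is made up, not from the post).
CONFIG_EXEMPT = CONFIG_AFTER + """
access-list np-nat0-inside-extranet extended permit ip 10.1.0.0 255.255.0.0 172.29.49.0 255.255.255.0
nat (inside) 0 access-list np-nat0-inside-extranet"""
LOG = "%PIX-3-305006: portmap translation creation failed for tcp src inside:10.1.77.77/14965 dst extranet:172.29.49.251/80"
LOG_RE = re.compile(r"src ([\w-]+):([\d.]+)/\d+ dst ([\w-]+):([\d.]+)/\d+")

def _take_net(tokens):
    # Pop one address spec ('any' or 'network mask') off the front of a token list.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    # Returns ({acl: [(src_net, dst_net)]}, [(nat_if, id, acl)], {(global_if, id)}).
    acls, nats, globals_ = {}, [], set()
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _take_net(t[5:])
            dst, _ = _take_net(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and t[3] == "access-list":
            nats.append((t[1].strip("()"), int(t[2]), t[4]))
        elif t[:1] == ["global"]:
            globals_.add((t[1].strip("()"), int(t[2])))
    nats.sort(key=lambda n: n[1] != 0)  # PIX checks NAT exemption (id 0) before dynamic NAT
    return acls, nats, globals_

def diagnose(config_text, log_line):
    # Returns (ok, reason) for the flow named in a 305006 message, assuming 'no nat-control'.
    acls, nats, globals_ = parse_config(config_text)
    m = LOG_RE.search(log_line)
    src_if, src, dst_if, dst = m[1], ipaddress.ip_address(m[2]), m[3], ipaddress.ip_address(m[4])
    for nat_if, nat_id, acl in nats:
        if nat_if == src_if and any(src in s and dst in d for s, d in acls.get(acl, [])):
            if nat_id == 0 or (dst_if, nat_id) in globals_:
                return True, f"allowed by nat ({nat_if}) {nat_id} access-list {acl}"
            return False, f"nat ({nat_if}) {nat_id} access-list {acl} matches but no global ({dst_if}) {nat_id} exists"
    return True, "no nat rule matches; with 'no nat-control' the flow passes untranslated"
```

Running diagnose() against CONFIG_BEFORE, CONFIG_AFTER and CONFIG_EXEMPT shows the flow passing, failing for lack of a global on extranet, and passing again once exempted.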
04-08-2008 06:53 AM
PIX Version 7.1(2)
Roberto