PAT with ACL not working

Unanswered Question
Sep 30th, 2009

nat (inside) 0 access-list nonat

nat (inside) 3 access-list out-nat 0 0

nat (inside) 1 access-list dmz-nat 0 0

global (outside) 3 interface

global (dmz) 1

access-list out-nat permit ip host lab_pc1 any

access-list out-nat permit ip host lab_pc2 any

access-list dmz-nat line 2 permit ip INT_LAN_1 host dmzftp-int -- (lab_pc1 and lab_pc2 are covered in this subnet)

Users on lab_pc1 and lab_pc2 are unable to access the FTP server in the DMZ, but users on other PCs in the same subnet can access it. Both users can access the FTP server if I remove the above statements from the out-nat ACL. I can't remove them, because those users need to access the Internet. I am unable to trace why they can't access the DMZ FTP server.

Thanks in advance

Venkatesh Bhat


Try adding lines to the ACL dmz-nat with the hosts named explicitly as the source, e.g.

access-list dmz-nat permit ip host lab_pc1 host dmzftp-int

access-list dmz-nat permit ip host lab_pc2 host dmzftp-int

It seems that because the ACL out-nat has a more specific match, with the source hosts named explicitly, it is getting prioritized...

Just try this and confirm...

Venkatesha Bhat Thu, 10/01/2009 - 00:16


I tried this, but no luck. All the hits are going to the out-nat ACL.



What is your hardware and software version?

Also, what is the sh xlate command showing, and what is the xlate timeout?

Hope the routes are fine for the DMZ servers.

Another thing to try: remove the NAT configs and the ACLs, then apply nat (inside) 1 and nat (inside) 3 with their respective global commands and ACLs sequentially, and let's see what happens... just a guess...
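As an added illustration of the re-entry order suggested in this reply and of the "more specific match" observation in the first one (this is not configuration from the original thread): on PIX 6.3 the nat ... access-list statements are evaluated in the order they appear in the running configuration, first match wins, and the nat ID that matched must have a global with the same ID on the interface the packet leaves through. If out-nat is listed before dmz-nat, a packet from lab_pc1 to dmzftp-int matches nat 3 (the destination "any" covers the DMZ host), but there is no global (dmz) 3, so no translation can be built for the DMZ interface. The layout below lists the DMZ rule first. Host and interface names are taken from the question; the 255.255.255.0 mask on INT_LAN_1 and the "interface" keyword on the dmz global are assumptions, since the post does not show them.

```text
! Added example, not from the thread. Policy NAT ordered so that the DMZ
! rule is matched before the Internet rule.

! NAT exemption is always evaluated first, regardless of position.
nat (inside) 0 access-list nonat

! Policy NAT rules are matched in the order they appear here.
! Traffic from the lab subnet to the FTP server now hits nat 1 before
! nat 3 gets a chance to claim it.
! (/24 mask is an assumption; the post shows no mask.)
access-list dmz-nat permit ip INT_LAN_1 255.255.255.0 host dmzftp-int
nat (inside) 1 access-list dmz-nat 0 0
global (dmz) 1 interface

! Internet traffic from the two lab hosts. Destination is still "any",
! but this rule is only reached when dmz-nat did not match.
access-list out-nat permit ip host lab_pc1 any
access-list out-nat permit ip host lab_pc2 any
nat (inside) 3 access-list out-nat 0 0
global (outside) 3 interface

! Alternative that keeps the original order: give nat ID 3 a translation
! pool on the DMZ interface as well, so a nat 3 match toward the DMZ can
! still be translated (the FTP server then sees the dmz interface address).
! global (dmz) 3 interface

! Passive FTP through a translated address relies on the FTP fixup,
! which is on by default in 6.3.
fixup protocol ftp 21

! Existing translations keep the old NAT decision until they are cleared.
clear xlate
```

After the change, show xlate should list translations for lab_pc1 toward the DMZ under the dmz interface address (global ID 1) rather than under the outside address; if the hits still land on out-nat, the nat statements are not in the order shown above in the running configuration.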

Venkatesha Bhat Thu, 10/01/2009 - 06:04

We could not do the nonat earlier due to the PASV setting on the FTP server. Now we have changed the FTP server setting and did the nonat, and all works (that worked before too; the issue was PASV FTP). I am still trying to find out why the PAT did not work. We use a PIX 515E with 6.3.5.

Thanks for all the input.


Venkatesh Bhat

