PAT with ACL not working

Venkatesha Bhat
Level 1

nat (inside) 0 access-list nonat

nat (inside) 3 access-list out-nat 0 0

nat (inside) 1 access-list dmz-nat 0 0

global (outside) 3 interface

global (dmz) 1 192.168.2.4

access-list out-nat permit ip host lab_pc1 any

access-list out-nat permit ip host lab_pc2 any

access-list dmz-nat line 2 permit ip INT_LAN_1 255.255.255.0 host dmzftp-int -- (lab_pc1 and lab_pc2 are covered in this subnet)

Users from lab_pc1 and lab_pc2 are unable to access the FTP server in the DMZ, but users from other PCs on the same subnet can access it. Both users can access the FTP server if I remove the above statements from the out-nat ACL. I can't remove them because they need to access the internet. I am unable to trace why they can't access the DMZ FTP server.

Thanks in Advance

Venkatesh Bhat

6 Replies

indra
Level 1

Try adding a line in the ACL dmz-nat with the source mentioning the hosts, e.g.

access-list dmz-nat permit ip host lab_pc1 host dmzftp-int

access-list dmz-nat permit ip host lab_pc2 host dmzftp-int

It seems that, as the ACL out-nat has a more specific match with the source hosts mentioned specifically, it's getting prioritized...

Just try this and confirm...

Hi

I tried this and no luck. All the hits are going to the out-nat ACL.

Regards,

Venky

What's your hardware and software version?

Also, what is the sh xlate command showing, and what is the xlate timeout?

Hope the routes are fine for the DMZ servers.

Another try: remove the NAT configs and the ACLs, then apply the nat (inside) 1 and nat (inside) 3 and the respective global commands and ACLs sequentially; let's see what happens... just a guess...

Hi, please try this one:

access-list nonat permit ip host lab_pc1 host dmzftp-int

access-list nonat permit ip host lab_pc2 host dmzftp-int

I doubt whether there is a no-NAT requirement, as the firewall is configured to NAT traffic from inside to DMZ...

We could not do the nonat earlier due to the PASV setting on the FTP server. Now we have changed the FTP server setting and did the nonat, and all works (that worked before too; the issue was PASV FTP). I am still trying to find out why the PAT did not work. We use a PIX 515E with 6.3.5.

Thanks for all the input.

Regards,

Venkatesh Bhat
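To make the diagnosis in this thread concrete, here is an added Python model of how the PIX picks a translation for the statements quoted in the first post; it is not Cisco code and not from any of the posters. It assumes the PIX 6.3 order of operations (nat 0 exemption first, then policy NAT statements in configuration order, first match wins, with the matching nat id needing a global on the egress interface) and uses constructed addresses for lab_pc1, lab_pc2, dmzftp-int and INT_LAN_1, which the posts only name. Under that assumption the out-nat entry for lab_pc1 matches DMZ-bound traffic before dmz-nat is consulted, nat id 3 has no global on the dmz interface, and the packet is dropped; the nat 0 entries from the last exchange exempt it.

```python
import ipaddress

# Constructed addresses standing in for the thread's object names; the posts
# give only the names lab_pc1, lab_pc2, dmzftp-int and INT_LAN_1.
HOSTS = {"lab_pc1": "10.1.1.10", "lab_pc2": "10.1.1.11",
         "other_pc": "10.1.1.50", "dmzftp-int": "192.168.2.20"}

def net(cidr):
    return ipaddress.ip_network(cidr)

def host(name):
    return net(HOSTS[name] + "/32")

def acl_matches(acl, src, dst):
    """An ACL is a list of (src_net, dst_net) 'permit ip' entries; first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)

def translate(nonat, policy_nat, globals_, src, dst, egress):
    """Assumed PIX 6.3 order of operations (a simplification, not Cisco code):
    1. nat (inside) 0 access-list -> traffic is exempt from translation;
    2. policy NAT statements in configuration order, first match wins;
    the matching nat id then needs a 'global' on the egress interface."""
    if acl_matches(nonat, src, dst):
        return "exempt (nat 0)"
    for nat_id, acl in policy_nat:
        if acl_matches(acl, src, dst):
            return globals_.get((egress, nat_id),
                                "dropped: no global (%s) %d" % (egress, nat_id))
    return "no nat match"

# The configuration quoted in the first post, in the order it was listed.
NONAT = []
OUT_NAT = [(host("lab_pc1"), net("0.0.0.0/0")), (host("lab_pc2"), net("0.0.0.0/0"))]
DMZ_NAT = [(net("10.1.1.0/24"), host("dmzftp-int"))]      # INT_LAN_1 assumed 10.1.1.0/24
POLICY = [(3, OUT_NAT), (1, DMZ_NAT)]                      # nat (inside) 3 listed before 1
GLOBALS = {("outside", 3): "PAT outside interface", ("dmz", 1): "PAT 192.168.2.4"}

def to_dmz_ftp(src_name, nonat=NONAT):
    return translate(nonat, POLICY, GLOBALS, HOSTS[src_name], HOSTS["dmzftp-int"], "dmz")

def to_internet(src_name):
    # 203.0.113.1 is a constructed internet destination (documentation range).
    return translate(NONAT, POLICY, GLOBALS, HOSTS[src_name], "203.0.113.1", "outside")

# The fix that worked in the thread: nat 0 entries for the two hosts.
NONAT_FIX = [(host("lab_pc1"), host("dmzftp-int")), (host("lab_pc2"), host("dmzftp-int"))]

if __name__ == "__main__":
    for name in ("lab_pc1", "other_pc"):
        print(name, "-> dmz ftp:", to_dmz_ftp(name), "| internet:", to_internet(name))
    print("lab_pc1 -> dmz ftp with nonat fix:", to_dmz_ftp("lab_pc1", NONAT_FIX))
```

Adding host entries to dmz-nat, as suggested in the first reply, changes nothing in this model because out-nat is consulted first; only the exemption (or reordering the nat statements) alters the outcome.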
