09-30-2009 05:18 AM - edited 03-11-2019 09:21 AM
nat (inside) 0 access-list nonat
nat (inside) 3 access-list out-nat 0 0
nat (inside) 1 access-list dmz-nat 0 0
global (outside) 3 interface
global (dmz) 1 192.168.2.4
access-list out-nat permit ip host lab_pc1 any
access-list out-nat permit ip host lab_pc2 any
access-list dmz-nat line 2 permit ip INT_LAN_1 255.255.255.0 host dmzftp-int -- (lab_pc1 and lab_pc2 are covered by this subnet)
Users from lab_pc1 and lab_pc2 are unable to access the FTP server in the DMZ, but users from other PCs on the same subnet can access it. Both users can access the FTP server if I remove the above statements from the out-nat ACL. I can't remove them, because they need to access the internet. I am unable to trace why they can't access the DMZ FTP server.
Thanks in advance
Venkatesh Bhat
09-30-2009 07:45 AM
Try adding a line in the ACL dmz-nat with the source mentioning the hosts, e.g.
access-list dmz-nat permit ip host lab_pc1 host dmzftp-int
access-list dmz-nat permit ip host lab_pc2 host dmzftp-int
It seems that since the ACL out-nat has a more specific match, with the source hosts mentioned explicitly, it is getting prioritized...
Just try this and confirm...
10-01-2009 12:16 AM
Hi
I tried this and no luck. All the hits are going to the out-nat ACL.
Regards,
Venky
10-01-2009 04:04 AM
What's your hardware and software version?
Also, what is the sh xlate command showing, and what is the xlate timeout?
Hope the routes are fine for the DMZ servers.
Another try: remove the NAT configs and the ACLs, then apply the nat (inside) 1 and nat (inside) 3 and the respective global commands and ACLs sequentially; let's see what happens.... just a guess...
10-01-2009 04:48 AM
Hi, please try this one:
access-list nonat permit ip host lab_pc1 host dmzftp-int
access-list nonat permit ip host lab_pc2 host dmzftp-int
10-01-2009 04:49 AM
I doubt whether there is a no-NAT requirement, as the firewall is configured to NAT traffic from inside to DMZ....
10-01-2009 06:04 AM
We could not do the nonat earlier due to the PASV setting on the FTP server. Now we have changed the FTP server setting and did the nonat, and all works (that worked before too; the issue was PASV FTP). I am still trying to find why the PAT did not work. We use a PIX 515E with 6.3.5.
Thanks for all the input.
Regards,
Venkatesh Bhat
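The open question in the last post (why the PAT path failed while the nonat path works) can be reasoned through with a small model of how the PIX picks a NAT statement. The following is an added illustration, not configuration or code from this thread or from Cisco. It assumes the PIX 6.3 evaluation order: NAT exemption (nat 0 access-list) is checked first; policy NAT statements (nat <id> access-list) are then tried in the order they appear in the configuration and the first match wins, regardless of how specific a later ACL is; and the winning nat_id must have a global on the egress interface, otherwise the flow gets no translation. The host addresses, the DMZ subnet and the "DMZ subnet is behind the dmz interface" routing are constructed placeholders for the object names used in the thread.

```python
"""Model of PIX 6.3 NAT rule selection for inside-to-DMZ traffic.

Added illustration built from the thread's configuration; the evaluation
order (exemption first, then policy NAT in configuration order, then a
global lookup on the egress interface) is an assumption stated in the
lead-in, not something verified against a device.
"""
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for the thread's object names (assumed).
HOSTS = {
    "lab_pc1": ip_address("192.168.1.10"),
    "lab_pc2": ip_address("192.168.1.11"),
    "other_pc": ip_address("192.168.1.50"),
    "dmzftp-int": ip_address("192.168.2.20"),
    "internet": ip_address("198.51.100.7"),
}
INT_LAN_1 = "192.168.1.0/24"            # assumed value of the INT_LAN_1 object
DMZ_NET = ip_network("192.168.2.0/24")  # assumed DMZ subnet


def _net(spec):
    """'any' -> None (wildcard); a host name -> its /32; otherwise a CIDR string."""
    if spec == "any":
        return None
    if spec in HOSTS:
        return ip_network(str(HOSTS[spec]))
    return ip_network(spec)


def ace(src, dst):
    """One 'permit ip <src> <dst>' access-list entry."""
    return (_net(src), _net(dst))


def acl_permits(acl, src, dst):
    return any((s is None or src in s) and (d is None or dst in d) for s, d in acl)


def egress_interface(dst):
    # Assumed routing: the DMZ subnet is behind 'dmz', everything else 'outside'.
    return "dmz" if dst in DMZ_NET else "outside"


def select_nat(config, src_name, dst_name):
    """Describe the NAT decision for one flow from an inside host."""
    src, dst = HOSTS[src_name], HOSTS[dst_name]
    egress = egress_interface(dst)
    acls, nats = config["acls"], config["nats"]
    # 1. NAT exemption (nat 0 access-list) is consulted before any other statement.
    for nat_id, acl_name in nats:
        if nat_id == 0 and acl_permits(acls[acl_name], src, dst):
            return "exempt (nat 0 %s)" % acl_name
    # 2. Policy NAT: the first matching statement in configuration order wins,
    #    even when a later ACL would match the destination more precisely.
    for nat_id, acl_name in nats:
        if nat_id != 0 and acl_permits(acls[acl_name], src, dst):
            pool = config["globals"].get((egress, nat_id))
            if pool is None:
                return "dropped: matched nat %d %s but no global (%s) %d" % (
                    nat_id, acl_name, egress, nat_id)
            return "translated via global (%s) %d %s" % (egress, nat_id, pool)
    return "no nat statement matched"


def build_config(extra_nonat=(), extra_dmz=()):
    """The first post's configuration, in its listed order, plus optional extra ACL entries."""
    return {
        "acls": {
            "nonat": list(extra_nonat),
            "out-nat": [ace("lab_pc1", "any"), ace("lab_pc2", "any")],
            "dmz-nat": [ace(INT_LAN_1, "dmzftp-int")] + list(extra_dmz),
        },
        "nats": [(0, "nonat"), (3, "out-nat"), (1, "dmz-nat")],
        "globals": {("outside", 3): "interface", ("dmz", 1): "192.168.2.4"},
    }


ORIGINAL = build_config()
# First suggestion in the thread: host entries in dmz-nat (out-nat is still matched first).
WITH_DMZ_HOSTS = build_config(extra_dmz=[ace("lab_pc1", "dmzftp-int"), ace("lab_pc2", "dmzftp-int")])
# Second suggestion: exempt the two hosts toward the FTP server (the fix that worked).
WITH_NONAT = build_config(extra_nonat=[ace("lab_pc1", "dmzftp-int"), ace("lab_pc2", "dmzftp-int")])

if __name__ == "__main__":
    cases = (("original", ORIGINAL), ("dmz-nat hosts", WITH_DMZ_HOSTS), ("nonat", WITH_NONAT))
    flows = (("lab_pc1", "dmzftp-int"), ("other_pc", "dmzftp-int"), ("lab_pc1", "internet"))
    for label, cfg in cases:
        for src, dst in flows:
            print("%-14s %-8s -> %-10s %s" % (label, src, dst, select_nat(cfg, src, dst)))
```

Under these assumptions the model reproduces the thread: lab_pc1 toward dmzftp-int hits out-nat (nat 3) because it is listed first and its "any" destination covers the DMZ, and there is no global (dmz) 3, so the flow has no translation; other hosts on the subnet fall through to dmz-nat and are PATed to 192.168.2.4; adding host lines to dmz-nat changes nothing because out-nat still matches first; a nat 0 entry short-circuits the whole lookup, which is why the nonat fix worked. On a real device the same reasoning is checked with show xlate and by reviewing the order of the nat statements rather than the specificity of their ACLs.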