Nat 0 command

estelamathew
Level 2

Dears,

I have an ADSL router ahead of my firewall's OUTSIDE interface, and the ADSL router is doing NAT for the users going to the Internet. I want to disable NAT for internal users on my firewall. As of now I have INTRANET connectivity from my DMZ interface to my other branches, so I cannot disable nat-control. I have static NAT for my internal servers, which are accessed from the branch offices through the INTRANET link.

When I specify an access-list for the full internal subnet:

access-list no-nat permit 10.10.0.0 255.25.0.0

nat (inside) 0 permit access-list exempt

IT GIVES ME THE BELOW OUTPUT:

pix#(config)# nat (inside) 0 access-list exempt
ERROR: Cannot mix different types of access lists
ERROR: Access-list "exempt" does not exist

Usage: [no] nat (<if_name>) <nat_id> <local_ip> [<mask>]
                [dns] [outside]
                [[tcp] <max_conns> [<emb_limit> [<norandomseq>]]]
                [udp <udp_max_conns>]
        [no] nat (if_name) <nat_id> access-list <acl-name>
                [dns] [outside]
                [[tcp] <max_conns> [<emb_limit> [<norandomseq>]]]
                [udp <udp_max_conns>]

I thought that the IPs which I am using for static NAT were getting mixed up with the NAT exempt, so I tried with a different subnet which is not in my network, but it still gives me the same error.

How can I achieve the above scenario? Can I specify more than one access-list for nat 0, exempting the IP addresses which I am using for static NAT?

Thanks

14 Replies

Kelvin Willacey
Level 4

I think your syntax is wrong and your ACL does not exist. The syntax is

nat (inside) 0 access-list no-nat

Dear,

It is a typing mistake by me; in the previous mail I specified the proper access-list, and I still get the same error.

Estela,

You're indeed having an error with the syntax.

Could you post the output of the following commands so I can show you the errors?

sh run nat

sh run access-list

Federico.

Dear,

PIX(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list DMZ; 3 elements
access-list DMZ line 1 extended permit icmp host 2.2.2.2 host 10.146.1.1 (hitcnt=1) 0xa3c5bf6e
access-list DMZ line 2 extended permit tcp any host 10.146.1.2 eq telnet (hitcnt=1) 0xfcc3c7a0
access-list DMZ line 3 extended permit icmp any any (hitcnt=1) 0x15d4b4de
access-list no-nat; 1 elements
access-list no-nat line 1 standard permit host 192.168.1.5 (hitcnt=0) 0xd26fb7b7


PIX(config)# sh run nat
nat (inside) 1 0.0.0.0 0.0.0.0

Is it so that in NAT 0 only an extended access-list is used?

At present I am specifying only one host address to be exempted. How can I achieve this while excluding the host addresses which are statically NATted at the DMZ interface?

Can I specify 2 NAT 0 statements with 2 different access-lists?

Do you have internal users accessing the DMZ?

Do you want the exempt from the internal users to the DMZ and outside?

Can you provide a "show run"?

Dear ,

Topology.

Inside-------outside---------ADSL----------Internet
          |
          |
       DMZ

Do you have internal users accessing the DMZ?

Yes

Do you want the exempt from the internal users to the DMZ and outside?

I need the internal users accessing the Internet through the firewall outside interface to be exempted from NAT, because my ADSL router, which is connected to the outside interface of the firewall, is doing NAT; instead of doing double NAT I can do single NAT on the ADSL router.

hostname PIX-1
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
description outside
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.3
!
interface Ethernet1
description inside
nameif inside
security-level 100
ip address 192.168.1.6 255.255.255.0 standby 192.168.1.7
!
interface Ethernet2
description dmz
nameif DMZ
security-level 50
ip address 10.146.254.2 255.255.255.248 standby 10.146.254.3
!
interface Ethernet3
no nameif
no security-level
no ip address
!
interface Ethernet4
description LAN Failover Interface
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list DMZ extended permit icmp host 2.2.2.2 host 10.146.1.1
access-list DMZ extended permit tcp any host 10.146.1.2 eq telnet
access-list no-nat standard permit host 192.168.1.5 ------------------------> This IP is that of the switch which is connected to the inside interface of the firewall
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
failover
failover lan unit primary
failover lan interface LAN Ethernet4
failover interface ip LAN 192.168.2.6 255.255.255.0 standby 192.168.2.7
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,DMZ) 10.146.1.1 10.146.10.2 netmask 255.255.255.255
static (inside,DMZ) 10.146.1.2 10.146.10.1 netmask 255.255.255.255
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
route inside 10.146.10.0 255.255.255.0 192.168.1.5 1
route DMZ 2.2.2.2 255.255.255.255 10.146.254.1 1
route DMZ 10.147.254.0 255.255.255.0 10.146.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:0
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.146.10.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1b70b59c4a8323d1b67afed38eefcfa3
: end

OK in that case all you need to do is the following:

no global (outside) 1 interface

no nat (inside) 1 0.0.0.0 0.0.0.0

nat (inside) 0 0.0.0.0 0.0.0.0

If you need the DMZ to be NATted on the ADSL router you need to apply similar commands.

Dear

I appreciate your replies, but there is some confusion; please correct me. I think my question is not clear or there is some misunderstanding.

MY GOAL:

I am securing my branch users' access to my internal Network (A) by giving access to specific servers which are statically NATted, as you can see in the configuration, and giving the users of Network (A) exemption from NAT when moving towards the ADSL router towards the Internet.

I need internal users to reach my branches through the DMZ interface. On my DMZ interface a router is connected which connects to the ISP for my other branches. If I execute nat (inside) 0 0.0.0.0 0.0.0.0, then will I be able to reach my branches? Definitely NO; where is the NAT from inside to DMZ?

At present my configs are below to go from inside to DMZ.

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 interface

You say you want to allow your internal users to be NATted on the ADSL; one of the ways to do that is as I have mentioned before. This will allow the actual IP address of the users to be seen on the ADSL router:

no global (outside) 1 interface

no nat (inside) 1 0.0.0.0 0.0.0.0

nat (inside) 0 0.0.0.0 0.0.0.0

If you want internal users to be untranslated going to the branches that are off the DMZ then you can either do:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (inside,dmz) 10.146.10.0 10.146.10.0 netmask 255.255.255.0

or

access-list no-nat extended permit 192.168.1.0 255.255.255.0

access-list no-nat extended permit 10.146.10.0 255.255.255.0

nat (inside) 0 access-list no-nat

You will also need an ACL on the DMZ interface to ensure that the traffic you want is allowed.

Dear,

Thanks for your support and patience.

Topology:

Network-A----------Core-Switch-----------inside----------outside----------ADSL
                                                   |
                                                   |
                                                  DMZ
                                                   |
                                                   |
                                                Router

I want only Network A users untranslated going to the ADSL; they should be translated when they go to the branch routers.

I want the below commands intact, because the subnet between the DMZ and the router is known by each and every branch site, so whenever Network A users go to a branch they will always pick the address of the DMZ interface, which is known by every branch (the ISP has redistributed the connected interface).

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 interface

Can you provide me with the solution with the above commands intact (no change)?

I don't know what the address of "network A" is but if all you want to do is allow that one network to be untranslated going outside then you can try the following without removing anything:

nat (inside) 0 192.168.1.0 255.255.255.0

or

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Dear,

Yes! I think it is a clear view for you now; I will tell you what the problem is: in my Network A I have many subnets of 10.146.0.0, for example 10.146.10.0 and 10.146.20.0, etc.

What I am thinking is:

access-list no-nat extended permit 10.146.0.0 255.255.0.0 any

nat (inside) 0 access-list no-nat

Oooh, will the above commands affect the DMZ interface also? Also I have statically NATted some of the Network A IPs; that branch will come from the DMZ to access IN:

static (inside,DMZ) 10.146.1.1 10.146.10.2 netmask 255.255.255.255
static (inside,DMZ) 10.146.1.2 10.146.10.1 netmask 255.255.255.255

Yes, there is a NAT order of operations, so using a nat 0 access-list may override your static NAT statements. Please see the link below.

https://supportforums.cisco.com/docs/DOC-4284;jsessionid=893EDF27EF9C9954533D709CBB180B42.node0

Dear,

From your second-last mail, you mentioned the below solution:

YOUR SOLUTION:

nat (inside) 0 192.168.1.0 255.255.255.0

or

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

These IPs, 192.168.1.0 255.255.255.0, will also be exempted from translation when going through the DMZ interface to the branches. Am I correct?

If so, then what is the solution to translate on the DMZ side and not to translate on the ADSL side?
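Editor's added example (not posted by any participant in this thread): one way to get "untranslated towards the ADSL, translated towards the branches" while leaving the posted nat (inside) 1 / global / static lines intact, built on the NAT order of operations Kelvin refers to (exemption is evaluated before static and dynamic NAT, and a nat 0 access-list matches on destination as well as source). It assumes the box runs PIX 7.x (the posted config carries `policy-map type inspect`), that a deny ACE in a NAT exemption ACL is honoured on that release so matching traffic falls through to the later NAT rules, and that 10.147.254.0/24 from the posted routes stands in for the branch prefixes reached through the DMZ router.

```cisco
! Added example, not from the thread. Assumes PIX 7.x and that deny ACEs in a
! NAT exemption ACL are honoured; confirm on your release before relying on it.
!
! NAT exemption needs an EXTENDED ACL. The "Cannot mix different types of
! access lists" error in the thread came from the standard ACL of the same
! name, so remove that entry first.
no access-list no-nat standard permit host 192.168.1.5
!
! Exemption is checked first and matches source AND destination. Deny the
! destinations reached through the DMZ (they then fall through to the statics
! and to nat (inside) 1 / global (DMZ) 1 interface) and exempt everything
! else sourced from Network A. 10.147.254.0/24 and the DMZ transit subnet are
! taken from the posted config; add one deny line per additional branch prefix.
access-list no-nat extended deny ip 10.146.0.0 255.255.0.0 10.147.254.0 255.255.255.0
access-list no-nat extended deny ip 10.146.0.0 255.255.0.0 10.146.254.0 255.255.255.248
access-list no-nat extended permit ip 10.146.0.0 255.255.0.0 any
!
nat (inside) 0 access-list no-nat
!
! Unchanged from the posted config, kept here to show the final rule set.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (DMZ) 1 interface
static (inside,DMZ) 10.146.1.1 10.146.10.2 netmask 255.255.255.255
static (inside,DMZ) 10.146.1.2 10.146.10.1 netmask 255.255.255.255
!
! Checks: after sending one flow from 10.146.10.2 to an Internet address and
! one to a 10.147.254.x branch host, the branch flow should appear translated
! to 10.146.1.1 and the Internet flow should not be translated at all.
show nat
show xlate
```

Because the permit line exempts the whole 10.146.0.0/16 towards "any", every branch prefix that must stay translated needs its own deny line above it; a prefix you forget will leave the firewall with real inside addresses on the DMZ side.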
