New Member

Conflicting NAT definition and translate table entries

Hi,

I am facing a peculiar NAT situation on a Pix with multiple interfaces, config below-

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security40
nat (inside) 1 10.0.1.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0 outside
global (dmz1) 1 192.168.17.2
global (outside) 1 64.0.0.1
global (dmz2) 1 172.17.0.1

It is not my config, but faced with this situation: does the config prevent Inside hosts from communicating with the DMZ1 server?

Thanks in advance.

4 REPLIES
Silver

Re: Conflicting NAT definition and translate table entries

I would say this should work. By default, for higher-security to lower-security level communication you only need your nat enabled. Nothing more. Only from lower to higher do you need nat as well as an access-list.

Why have you used this statement: nat (dmz1) 1 192.168.17.0 255.255.255.0 outside?

You could do without it.

-Hoogen
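As an added example (not code from this thread, from Cisco, or from either poster), the following Python model parses the nameif/nat/global lines of the configuration in the question (copied here as a constructed string) and pairs nat and global statements by id, which is the lookup both posters are reasoning about. It assumes three rules: the most specific nat statement on the ingress interface covering the source picks the id; a global with that id must exist on the egress interface, otherwise no translation is built (the symptom the thread reports as 305006); and, as the reply above states, lower-to-higher traffic also needs an access-list, modelled here as a hypothetical acl_permits flag. The effect of the trailing outside keyword is disputed in this thread, so the model only records it and does not act on it. The class and helper names are mine.

```python
# Added example: a small model of how nat (ingress) and global (egress) statements
# pair by id on a PIX. Rules and names are assumptions, as stated in the lead-in.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List

# Constructed copy of the configuration posted in the question.
CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security40
nat (inside) 1 10.0.1.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0 outside
global (dmz1) 1 192.168.17.2
global (outside) 1 64.0.0.1
global (dmz2) 1 172.17.0.1
"""


@dataclass(frozen=True)
class NatRule:
    ifname: str
    nat_id: int
    network: IPv4Network
    outside: bool          # trailing "outside" keyword present; recorded, not acted on


@dataclass(frozen=True)
class GlobalPool:
    ifname: str
    nat_id: int
    address: IPv4Address


@dataclass
class PixNatModel:
    security: Dict[str, int] = field(default_factory=dict)   # interface name -> security level
    nats: List[NatRule] = field(default_factory=list)
    pools: List[GlobalPool] = field(default_factory=list)

    @classmethod
    def parse(cls, text: str) -> "PixNatModel":
        """Parse nameif / nat / global lines; other lines are ignored."""
        m = cls()
        for raw in text.splitlines():
            t = raw.split()
            if not t:
                continue
            if t[0] == "nameif":            # nameif <hw> <name> security<N>
                m.security[t[2]] = int(t[3][len("security"):])
            elif t[0] == "nat":             # nat (<if>) <id> <net> <mask> [outside]
                m.nats.append(NatRule(t[1].strip("()"), int(t[2]),
                                      IPv4Network(f"{t[3]}/{t[4]}"), "outside" in t[5:]))
            elif t[0] == "global":          # global (<if>) <id> <ip>
                m.pools.append(GlobalPool(t[1].strip("()"), int(t[2]), IPv4Address(t[3])))
        return m

    def lookup(self, ingress: str, src: str, egress: str, acl_permits: bool = False) -> str:
        """Status for a flow entering on `ingress` from `src` and leaving on `egress`."""
        src_ip = IPv4Address(src)
        # 1. Most specific nat statement on the ingress interface that covers the source.
        candidates = [n for n in self.nats if n.ifname == ingress and src_ip in n.network]
        if not candidates:
            return "NO-NAT: no nat statement on %s covers %s" % (ingress, src)
        nat = max(candidates, key=lambda n: n.network.prefixlen)
        if nat.nat_id == 0:
            return "IDENTITY: nat id 0, no address change"
        # 2. A global pool with the same id must exist on the egress interface.
        pool = next((p for p in self.pools if p.ifname == egress and p.nat_id == nat.nat_id), None)
        if pool is None:
            # This is the condition the thread reports as "305006: No translation defined".
            return "NO-TRANSLATION: nat id %d has no global on %s" % (nat.nat_id, egress)
        # 3. Lower-to-higher traffic additionally needs an access-list (rule from the reply above).
        if self.security[ingress] < self.security[egress] and not acl_permits:
            return "DENIED: %s->%s is low-to-high and no access-list permits it" % (ingress, egress)
        return "TRANSLATE: %s -> %s on %s" % (src, pool.address, egress)


if __name__ == "__main__":
    model = PixNatModel.parse(CONFIG)
    for flow in [("inside", "10.0.1.5", "dmz1"), ("inside", "10.0.1.5", "outside"),
                 ("dmz1", "192.168.17.10", "dmz2"), ("dmz2", "172.17.0.5", "outside")]:
        print(flow, "->", model.lookup(*flow))
```

Running it shows that, under the id-pairing rule alone, inside to dmz1 does resolve (nat (inside) 1 pairs with global (dmz1) 1), which is why the reported failure is not explained by a missing global and is worth checking with `show xlate` and the actual syslog line on the box.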

New Member

Re: Conflicting NAT definition and translate table entries

Hi Hoogen,

I am only analyzing the existing configuration and not designing one. Inside to DMZ1 traffic does not work with this configuration and I am trying to understand why.

The statement 'nat (dmz1) 1 192.168.17.0 255.255.255.0 outside' is inserted because DMZ2 is at a higher security level than DMZ1.

The issue I faced is that Inside to DMZ1 communication works only when the above statement is removed. The error seen is 305006: No translation defined.

Apparently, this is because a low-to-high global NAT definition has to be defined for all low-to-high interfaces or none at all. Am I understanding this right?

I would like to know if someone has seen this before and whether this is a bug that has been or needs to be addressed.

Thanks and Regards,

Mahesh

Silver

Re: Conflicting NAT definition and translate table entries

That statement is not required. For traffic flowing from DMZ1 to DMZ2 you have already configured the nat statement and also the global statement; you don't need this statement.

If there is anything else that is problematic, do let us know.

-Hoogen

New Member

Re: Conflicting NAT definition and translate table entries

Oh! I thought when defining NAT on a lower security interface (dmz1) and a matching Global on a higher security interface (dmz2), outside NAT is compulsory.

Regards,

Mahesh
