Cisco Support Community

New Member

Global & Nat issue

Hi all,

I have an issue using nat & global; I have the following config on my PIX, running 6.3

nat (inside) 2 access-list ftp_clients

nat (inside) 5 access-list DomainControllers

nat (inside) 5 172.16.254.0 255.255.255.0

access-list ftp_clients permit any

access-list DomainControllers permit host 172.16.16.45

access-list DomainControllers permit host 172.16.16.46

access-list DomainControllers permit host 172.16.16.47

global (outside) 5 212.98.x.x

global (outside) 2 216.236.y.y

The thing is that the sh xlate output shows that the Domain Controllers are using the Global 2, and not the Global 5, as seen below:

PAT Global 216.236.y.y(1041) Local 172.16.16.45(1053)

PAT Global 216.236.x.x(1032) Local 172.16.16.47(1047)

Any tips why this is so?

Thanks in advance.

4 REPLIES
Green

Re: Global & Nat issue

I believe it is because they are matching first on this access list assigned to global 2.

access-list ftp_clients permit any

Green

Re: Global & Nat issue

Try it this way...

nat (inside) 2 access-list DomainControllers

nat (inside) 2 172.16.254.0 255.255.255.0

nat (inside) 5 access-list ftp_clients

access-list DomainControllers permit host 172.16.16.45

access-list DomainControllers permit host 172.16.16.46

access-list DomainControllers permit host 172.16.16.47

access-list ftp_clients permit any

global (outside) 2 212.98.x.x

global (outside) 5 216.236.y.y

New Member

Re: Global & Nat issue

Hi guys,

I tried what you suggested, and it's still not working. Is this normal behavior?

Any other tips, please?

New Member

Re: Global & Nat issue

hello,

There is something wrong in your

nat (inside) 5 access-list ftp_clients

You do not match any subnet of your inside interface. Try 0.0.0.0 0.0.0.0 or the subnet you would like to NAT.

Bye
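
Added example, not part of any post in this thread and not Cisco code: a small Python model of the first-match explanation given in the first reply, run against the original configuration and the reordered one from the second reply. It assumes policy NAT lines are tested in configuration order on source address only and that `permit any` means 0.0.0.0/0; the names `select_global` and `shadowed` are hypothetical.

```python
import ipaddress

# Source networks per ACL, taken from the thread. Assumption: "permit any"
# is read as 0.0.0.0/0, and only the source address is compared.
ACLS = {
    "ftp_clients": ["0.0.0.0/0"],
    "DomainControllers": ["172.16.16.45/32", "172.16.16.46/32", "172.16.16.47/32"],
}

# Policy NAT lines in configuration order plus the global pools (masked as on the page).
# The regular "nat (inside) <id> 172.16.254.0 255.255.255.0" line is not modelled.
ORIGINAL = {
    "nat": [(2, "ftp_clients"), (5, "DomainControllers")],
    "global": {5: "212.98.x.x", 2: "216.236.y.y"},
}
REORDERED = {  # configuration proposed in the second reply
    "nat": [(2, "DomainControllers"), (5, "ftp_clients")],
    "global": {2: "212.98.x.x", 5: "216.236.y.y"},
}

def _nets(acl):
    return [ipaddress.ip_network(n) for n in ACLS[acl]]

def select_global(cfg, src):
    """Return (nat_id, global) for the first policy NAT line whose ACL matches src."""
    ip = ipaddress.ip_address(src)
    for nat_id, acl in cfg["nat"]:
        if any(ip in net for net in _nets(acl)):
            return nat_id, cfg["global"].get(nat_id)
    return None

def shadowed(cfg):
    """List policy NAT lines that can never match because earlier ACLs cover them."""
    hidden, earlier = [], []
    for nat_id, acl in cfg["nat"]:
        nets = _nets(acl)
        if earlier and all(any(n.subnet_of(e) for e in earlier) for n in nets):
            hidden.append((nat_id, acl))
        earlier.extend(nets)
    return hidden

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(name, select_global(cfg, "172.16.16.45"), "shadowed:", shadowed(cfg))
```

Under this model the original ordering leaves the `DomainControllers` line unreachable, because every host it lists is already covered by the catch-all ACL tested before it.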
