Cisco Support Community

no nat-control , masq inside-outside stop extranet<->inside flow

In the following configuration with "no nat-control", the bi-directional traffic between extranet and inside is stopped only when I create a new masq from inside to outside.

Is this behaviour correct?

When the traffic is stopped, the logs are the following:

172.31.224.254 %PIX-3-305006: portmap translation creation failed for tcp src inside:10.1.77.77/14965 dst extranet:172.29.49.251/80

ACL permissions on int. extranet:

permit ip from 172.29.49.0 to inside
permit telnet from 172.31.253.251 to internet

access-list np-itf-extranet-in extended permit ip 172.29.49.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list np-itf-extranet-in extended permit tcp host 172.31.253.251 gt 1023 any eq telnet
access-list np-itf-extranet-in extended deny ip any any

ACL permissions from int. inside:

permit ip inside to 172.29.49.0
permit telnet inside to internet

access-list np-itf-inside-in extended permit ip 10.1.0.0 255.255.0.0 172.29.49.0 255.255.255.0
access-list np-itf-inside-in extended permit tcp 10.1.0.0 255.255.0.0 gt 1023 any eq telnet
access-list np-itf-inside-in extended deny ip any any

For outside:

access-list np-itf-outside-in extended deny ip any any

MASQ from 172.29.49.0 to internet:

access-list np-nat1000-extranetDynamicNat extended permit ip 172.29.49.0 255.255.255.0 any
global (outside) 1000 interface
nat (extranet) 1000 access-list np-nat1000-extranetDynamicNat

access-group np-itf-outside-in in interface outside
access-group np-itf-inside-in in interface inside
access-group np-itf-extranet-in in interface extranet

route extranet 172.29.49.0 255.255.255.0 172.31.224.222 1

Now, when I create a MASQ from INSIDE to INTERNET with the nat commands:

access-list np-nat1000-insideDynamicNat extended permit ip 10.1.0.0 255.255.0.0 any
nat (inside) 1000 access-list np-nat1000-insideDynamicNat
global (outside) 1000 interface

the traffic stops flowing from inside host 10.1.77.77 to extranet host 172.29.49.251.

Interface conf:

interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.y.z.w 255.255.254.0
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.127.252 255.255.0.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif dmz0
 security-level 60
 ip address 192.168.150.252 255.255.255.0
!
interface Ethernet3
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet3.102
 vlan 102
 nameif WiFiRed
 security-level 80
 ip address 172.31.128.254 255.255.255.0
!
interface Ethernet3.301
 vlan 301
 nameif BPVR
 security-level 70
 ip address 172.31.145.252 255.255.255.0
!
interface Ethernet3.302
 vlan 302
 nameif OVERnet
 security-level 10
 ip address a.b.c.d 255.255.255.128
!
interface Ethernet3.500
 vlan 500
 nameif extra-lanfail
 security-level 20
 ip address 192.168.163.252 255.255.255.0
!
interface Ethernet4
 speed 100
 duplex full
 nameif rupa
 security-level 30
 ip address e.f.g.h 255.255.255.224
!
interface Ethernet5
 speed 100
 duplex full
 nameif extranet
 security-level 40
 ip address 172.31.224.254 255.255.224.0
!
interface GigabitEthernet0
 shutdown
 nameif intf6
 security-level 12
 no ip address

Thanks in advance,

Roberto
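Added example, not part of the original post or of any Cisco tool: a small Python model of the PIX 7.x NAT rule lookup, run over the nat/global/access-list lines quoted above, to show what changes for the 10.1.77.77 -> 172.29.49.251 flow from the log line once the inside masq is added. The model assumes three PIX 7.x behaviours: a NAT exemption (nat 0 access-list) is evaluated before dynamic NAT; a flow that matches a dynamic nat statement must find a global with the same ID on the egress interface, otherwise translation creation fails (which is what the %PIX-3-305006 message reports); and with nat-control disabled, a flow that matches no nat statement passes untranslated. Because the inside masq ACL ends in "any", it also matches inside -> extranet, and there is no global (extranet) 1000. The parser handles only "ip" ACEs, and the exemption ACL name np-nat0-inside-extranet is a hypothetical name chosen for this example.

```python
# Simplified model of PIX 7.x NAT rule lookup (added example, not Cisco code).
# Assumptions: nat 0 exemption first; a matching dynamic nat needs a global with
# the same ID on the egress interface; unmatched traffic passes when nat-control
# is off. Security levels and static NAT are not modelled.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


def parse_net(tokens, i):
    """Read one ACL address term at tokens[i] ('any', 'host A' or 'A MASK'); return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


@dataclass
class NatConfig:
    nat_control: bool = True
    acls: dict = field(default_factory=lambda: defaultdict(list))  # name -> [(action, src_net, dst_net)]
    nats: list = field(default_factory=list)                       # [(interface, nat_id, acl_name)]
    globals_: set = field(default_factory=set)                     # {(interface, nat_id)}


def parse_config(text):
    """Keep only the lines that matter for NAT lookup: ip-only ACEs, nat, global, nat-control."""
    cfg = NatConfig()
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["no", "nat-control"]:
            cfg.nat_control = False
        elif t[:1] == ["access-list"] and t[2:5] in (["extended", "permit", "ip"], ["extended", "deny", "ip"]):
            src, i = parse_net(t, 5)
            dst, _ = parse_net(t, i)
            cfg.acls[t[1]].append((t[3], src, dst))
        elif t[:1] == ["nat"] and t[3:4] == ["access-list"]:
            cfg.nats.append((t[1].strip("()"), int(t[2]), t[4]))
        elif t[:1] == ["global"]:
            cfg.globals_.add((t[1].strip("()"), int(t[2])))
    return cfg


def acl_permits(cfg, name, src, dst):
    """First-match ACL evaluation: the first ACE covering src/dst decides."""
    for action, s, d in cfg.acls.get(name, []):
        if src in s and dst in d:
            return action == "permit"
    return False


def nat_lookup(cfg, src_if, src, dst_if, dst):
    """Return (verdict, reason) for a new connection entering src_if and leaving dst_if."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption (nat 0 access-list) is checked before any dynamic rule.
    for ifname, nat_id, acl in cfg.nats:
        if ifname == src_if and nat_id == 0 and acl_permits(cfg, acl, src, dst):
            return "pass", f"untranslated: nat ({src_if}) 0 exemption {acl}"
    # 2. First matching dynamic/policy nat on the ingress interface; it needs a
    #    global with the same ID on the egress interface, otherwise the xlate fails.
    for ifname, nat_id, acl in cfg.nats:
        if ifname == src_if and nat_id != 0 and acl_permits(cfg, acl, src, dst):
            if (dst_if, nat_id) in cfg.globals_:
                return "pass", f"translated by global ({dst_if}) {nat_id}"
            return "drop", f"no global ({dst_if}) {nat_id} for nat ({src_if}) {nat_id}: translation creation fails"
    # 3. No nat rule matched: nat-control decides.
    if cfg.nat_control:
        return "drop", "nat-control: no translation rule for this host"
    return "pass", "untranslated: no nat rule matched and nat-control is disabled"


# Lines quoted in the question (nat-control disabled, extranet masq to outside).
BASE = """\
no nat-control
access-list np-nat1000-extranetDynamicNat extended permit ip 172.29.49.0 255.255.255.0 any
global (outside) 1000 interface
nat (extranet) 1000 access-list np-nat1000-extranetDynamicNat
"""
# The inside masq added afterwards; its ACL says "any", so it also covers inside -> extranet.
INSIDE_MASQ = """\
access-list np-nat1000-insideDynamicNat extended permit ip 10.1.0.0 255.255.0.0 any
nat (inside) 1000 access-list np-nat1000-insideDynamicNat
"""
# One remedy (not on the page; ACL name is hypothetical): exempt inside -> extranet
# from translation so it keeps flowing with unchanged addresses.
EXEMPTION = """\
access-list np-nat0-inside-extranet extended permit ip 10.1.0.0 255.255.0.0 172.29.49.0 255.255.255.0
nat (inside) 0 access-list np-nat0-inside-extranet
"""


def scenarios():
    """The flow from the log line (10.1.77.77 -> 172.29.49.251) under the three configurations."""
    flow = ("inside", "10.1.77.77", "extranet", "172.29.49.251")
    return {
        "before_inside_masq": nat_lookup(parse_config(BASE), *flow),
        "after_inside_masq": nat_lookup(parse_config(BASE + INSIDE_MASQ), *flow),
        "with_nat0_exemption": nat_lookup(parse_config(BASE + INSIDE_MASQ + EXEMPTION), *flow),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in scenarios().items():
        print(f"{name:22s} {verdict:5s} {reason}")
```

The same lookup also shows that inside -> outside and extranet -> outside still translate through global (outside) 1000 after the change, so only the inter-interface flow with no global on its egress side is affected. An alternative to the exemption is to narrow the inside masq ACL so it no longer covers the extranet destination.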

1 REPLY
Re: no nat-control , masq inside-outside stop extranet<->inside

PIX Version 7.1(2)

Roberto
