PIX Nat Problem

wasiimcisco
Level 1

I have two subnets. I want to make few users on these subnets to browse the internet, Not all users. I have made an access-list

access-list browsing extended permit ip host 172.28.33.30 any

access-list browsing extended permit ip host 172.28.86.0 any

nat (inside) 6 access-list browsing

global (outside) 6 interface

I am not able to see the hit count and not able to see any entry in xlate or conn.

Please help me out. This is a simple configuration and I don't know where I am making a mistake.


Jon Marshall
Hall of Fame

Hi

Can you post the other NAT configurations?

Also, 172.28.86.0? Is that correct?

Jon

access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0

access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0

access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (inside) 6 access-list browsing

nat (inside) 3 172.28.32.0 255.255.255.0

nat (inside) 4 172.28.33.0 255.255.255.0

nat (inside) 5 172.28.80.0 255.255.255.0

nat (inside) 6 172.28.86.0 255.255.255.0

nat (inside) 1 172.28.90.0 255.255.255.0

nat (inside) 2 172.28.92.0 255.255.255.0

nat (edn) 1 172.29.0.0 255.255.255.0

nat (edn) 2 172.29.2.0 255.255.255.0

nat (edn) 6 172.31.205.0 255.255.255.0

nat (edn) 5 10.0.0.0 255.255.224.0

Yes, 172.28.86.0 255.255.255.0 is a subnet. I want only 172.28.86.10 to be able to browse the internet.

Now the internet is working on 172.28.86.10 by making the following NAT configuration.

nat (inside) 6 172.28.86.0 255.255.255.0

global (outside) 6 interface

But when I remove this NAT configuration and try to configure it with an access-list in nat, it was not working.

Hi

This is because nat exemption with an access-list takes precedence over nat with an access-list so you cannot do it this way.

You will have to do it with the second type of NAT statement you have used rather than an access-list.

Jon

jayn
Level 1

The access list you have is for address translation. You have to create an access list and apply it to the inside interface inbound.

In the access list first allow the host you want to give access and then deny everything else. You could restrict the users for certain ports if you want.
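As an added illustration (not from the thread or from Cisco), the following minimal first-match model of PIX extended ACEs checks two things the thread raises: the `browsing` access-list as originally posted uses `host 172.28.86.0`, which only matches that exact address and not 172.28.86.10, and an inside-interface ACL written the way jayn describes (permit the intended hosts, then deny everything else) restricts browsing to those hosts. The `inside_in` ACL name and the destination address 203.0.113.5 are constructed assumptions.

```python
import ipaddress

# Constructed sample: the browsing ACL exactly as posted in the thread.
BROWSING_ACL = [
    "access-list browsing extended permit ip host 172.28.33.30 any",
    "access-list browsing extended permit ip host 172.28.86.0 any",
]

# Hypothetical inside-interface ACL following jayn's suggestion:
# permit the specific hosts, then deny everything else.
INSIDE_IN_ACL = [
    "access-list inside_in extended permit ip host 172.28.33.30 any",
    "access-list inside_in extended permit ip host 172.28.86.10 any",
    "access-list inside_in extended deny ip any any",
]


def _parse_addr(tokens, i):
    """Parse one address spec (any | host A | NET MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        # 'host' means a single address: a /32, nothing wider.
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # NET MASK form; ipaddress accepts a dotted netmask after the slash.
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_ace(line):
    """Split 'access-list NAME extended ACTION PROTO SRC DST' into its parts."""
    t = line.split()
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, _ = _parse_addr(t, i)
    return action, proto, src, dst


def evaluate(acl_lines, src_ip, dst_ip):
    """Return the action of the first matching ACE, or 'no-match' if none matches.

    Only the 'ip' protocol keyword is modelled. For an interface ACL,
    'no-match' behaves like an implicit deny; for a nat access-list it
    means the policy NAT statement is simply not used for that flow.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, proto, src, dst = parse_ace(line)
        if proto == "ip" and s in src and d in dst:
            return action
    return "no-match"
```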
