Cisco Support Community
New Member

PIX Nat Problem

I have two subnets. I want to let a few users on these subnets browse the internet, not all users. I have made an access-list:

access-list browsing extended permit ip host 172.28.33.30 any

access-list browsing extended permit ip host 172.28.86.0 any

nat (inside) 6 access-list browsing

global (outside) 6 interface

I am not able to see a hit count and not able to see any entry in xlate or conn.

Please help me out. This is a simple configuration and I don't know where I am making a mistake.

4 REPLIES
Hall of Fame Super Blue

Re: PIX Nat Problem

Hi

Can you post the other NAT configurations.

Also 172.28.86.0? Is that correct?

Jon

New Member

Re: PIX Nat Problem

access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0

access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0

access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (inside) 6 access-list browsing

nat (inside) 3 172.28.32.0 255.255.255.0

nat (inside) 4 172.28.33.0 255.255.255.0

nat (inside) 5 172.28.80.0 255.255.255.0

nat (inside) 6 172.28.86.0 255.255.255.0

nat (inside) 1 172.28.90.0 255.255.255.0

nat (inside) 2 172.28.92.0 255.255.255.0

nat (edn) 1 172.29.0.0 255.255.255.0

nat (edn) 2 172.29.2.0 255.255.255.0

nat (edn) 6 172.31.205.0 255.255.255.0

nat (edn) 5 10.0.0.0 255.255.224.0

Yes, 172.28.86.0 255.255.255.0 is a subnet. I want only 172.28.86.10 to be able to browse the internet.

Now the internet is working on 172.28.86.10, but by making the following nat configuration:

nat (inside) 6 172.28.86.0 255.255.255.0

global (outside) 6 interface

But when I remove this nat configuration and try to configure it with an access-list in nat, it was not working.

Hall of Fame Super Blue

Re: PIX Nat Problem

Hi

This is because NAT exemption with an access-list takes precedence over NAT with an access-list, so you cannot do it this way.

You will have to do it with the second type of NAT statement you have used, rather than with an access-list.

Jon

New Member

Re: PIX Nat Problem

The access list you have is for address translation. You have to create an access list and apply it to the inside interface inbound.

In the access list, first allow the host you want to give access to and then deny everything else. You could restrict the users to certain ports if you want.
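An added configuration example (not posted in the thread) putting together Jon's advice to use the plain subnet nat statement and the last reply's inbound interface ACL, with the hit-count checks the original poster was missing. The ACL name inside_in, the web/DNS port choice, and the assumption that the 172.28.37.0/24 traffic covered by the nonat rules crosses the PIX and therefore needs explicit permits are mine; any other traffic that must cross from inside needs its own permit before the final deny, because an applied ACL ends in an implicit deny.

```cisco
! Added example, not from the thread. Assumed names/ports are marked.
!
! Translation for the whole subnet, using the form Jon recommends
! (plain nat statement, not "nat ... access-list")
nat (inside) 6 172.28.86.0 255.255.255.0
global (outside) 6 interface
!
! Inbound ACL on the inside interface (name "inside_in" is assumed).
! 1) Keep the internal traffic that the existing nonat rules cover;
!    assumed to cross the firewall, so it needs permits once an ACL applies.
access-list inside_in extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list inside_in extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list inside_in extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0
! 2) The one host allowed to browse, limited to web and DNS (ports assumed)
access-list inside_in extended permit tcp host 172.28.86.10 any eq 80
access-list inside_in extended permit tcp host 172.28.86.10 any eq 443
access-list inside_in extended permit udp host 172.28.86.10 any eq 53
! 3) Everything else from inside is dropped; "log" gives visibility in syslog
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
!
! Verification: hit counts per ACL line and the translation for the host
show access-list inside_in
show xlate | include 172.28.86.10
```

If the hit counter on the permit lines stays at zero while the host is browsing, the traffic is not reaching the inside interface as expected and the problem is upstream of the PIX rather than in the NAT or ACL configuration.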
