11-24-2006 11:25 AM - edited 03-11-2019 02:00 AM
I did some policy NAT'ing on the outside interface of our Internet-facing firewall and it broke some other NAT'ing, and I'm not sure why. I had the following config put in place:
access-list policy_nat permit tcp any host 12.1.1.1 eq ssl
nat(outside) 2 access-list policy_nat
global (dmz) 2 10.1.1.1
Once the config was in place, the policy NAT'ing was working for the particular address stated in the policy_nat ACL, but other pre-existing statics between the 12.x.x.x outside interface and other servers in the DMZ stopped working. When I looked on our syslog server it was saying "no translation group found" for these addresses.
I then went back into my policy_nat ACL and added a second line: "access-list policy_nat deny ip any any".
Now everything works, so I see what the issue was; my question is more why did I have to put a deny ip any any at the bottom of my policy NAT ACL? I would have thought it was like any other access list and implicitly denied, but obviously not. Can anyone elaborate on why it does not implicitly deny everything you are not permitting?
11-26-2006 08:51 PM
Hi .. I am actually surprised it is working at all .. I believe the security level of your outside interface is lower than the one configured on your DMZ, correct .. ? Because if that is the case, then you would have needed the 'outside' keyword at the end of the nat instruction to get this working ..
11-27-2006 03:16 AM
Hi.
First of all, the configuration you made is completely wrong, because if you need to configure traffic from a less secure interface to a more secure interface you have to use static translation with an access list on the outside interface, not policy NAT.
The commands should be:
static(dmz,outside) global_ip local_ip
access-list in_traffic permit tcp any global_ip eq https
Then apply this access list to the outside interface in the inbound direction.
Secondly, the access list used in the policy NAT cannot contain deny commands; it must contain only permit commands.
with regards
ala ala najjar
11-27-2006 05:16 AM
My configuration is working, so I don't see how you can say it's completely wrong. I have a deny in my policy access-list and that is working as well. How can I use a static translation when I am translating "any" Internet address coming in? I'm not doing a one-for-one NAT.
11-27-2006 09:32 PM
Hi,
The only way to make a translation from a less secure to a more secure interface is by using static translation. In static translation you translate one-to-one addresses, but you must also specify an access-list that governs this translation; you can put "any" as the source in the access list.
Your settings may be right under one condition: if your outside interface has a higher security level than the DMZ interface.
11-29-2006 10:44 AM
First try to figure out what you are trying to achieve, or let me know what you want to do?
Will then explain the best possible option for the same.
11-29-2006 12:03 PM
Hello,
You can do nat and globals between lower and higher level security interfaces.
I think the issue you are having is that if the interface you have the nat command on is at a lower security level than the interface in the global command, you have to add the 'outside' keyword.
---------------
outside
(Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.
----------------
I can't think of any reason why this wouldn't work; according to the order in which NAT is applied, statics would take precedence over a nat/global statement.
I'd try adding the outside keyword to your nat statement and taking out the deny statement at the end, and see if that fixes it.
If not, post some of your config up here (nat and routing) so we can take a look.
--Jason
Please rate this message if it helped solve some or all of the question/issue.
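The arrangement Jason's reply describes, written out as an added example in PIX 6.x / pre-8.3 ASA syntax (it is not configuration from the thread or from Cisco's documentation): the policy nat statement carries the outside keyword, the ACL has no trailing deny, and a pre-existing static with its inbound access list sits alongside it. The 12.1.1.2/10.1.1.2 static and the access-list name outside_in are assumed values; 12.1.1.1 and 10.1.1.1 are taken from the original post.

```cisco
! Policy NAT for inbound SSL from the Internet. The trailing "outside"
! keyword marks this as outside NAT, because the outside interface sits at
! a lower security level than the dmz interface named by the matching global.
access-list policy_nat permit tcp any host 12.1.1.1 eq https
nat (outside) 2 access-list policy_nat outside
global (dmz) 2 10.1.1.1

! Pre-existing one-to-one static for another DMZ server (addresses assumed).
! Statics are evaluated before nat/global, so this translation keeps working
! on its own and needs no deny entry in policy_nat to protect it.
static (dmz,outside) 12.1.1.2 10.1.1.2 netmask 255.255.255.255

! The static only creates the translation. Traffic arriving on the lower
! security outside interface is still dropped unless an access list applied
! inbound there permits it, so permit only the service that server exposes.
access-list outside_in permit tcp any host 12.1.1.2 eq https
access-group outside_in in interface outside
```

After applying it, "show xlate" and the absence of "no translation group found" syslog messages for 12.1.1.2 are the checks that the static is being hit rather than the policy NAT rule.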