I did some policy NATing on the outside interface of our Internet-facing firewall and it broke some other NATing, and I'm not sure why. I had the following config put in place:
access-list policy_nat permit tcp any host 184.108.40.206 eq ssl
nat (outside) 2 access-list policy_nat
global (dmz) 2 10.1.1.1
Once the config was in place, the policy NAT was working for the particular address stated in the policy_nat ACL, but other pre-existing statics between the 12.x.x.x outside interface and other servers in the DMZ stopped working. When I looked on our syslog server it was saying "no translation group found" for these addresses.
I then went back into my policy_nat ACL and added a second line: "access-list policy_nat deny ip any any".
Now everything works, so I see what the issue was; my question is more why did I have to put a deny ip any any at the bottom of my policy NAT ACL? I would have thought it was like any other access list and implicitly denied, but obviously not. Can anyone elaborate on why it does not implicitly deny everything you are not permitting?
Hi. I am actually surprised it is working at all. I believe the security level of your outside interface is lower than the one configured on your DMZ, correct? Because if that is the case, then you would have needed the 'outside' keyword at the end of the nat instruction to get this working.
First of all, the configuration you made is completely wrong, because if you need to configure traffic from a less secure interface to a more secure interface you have to use a static translation with an access list on the outside interface, not policy NAT.
The commands should be:
static (dmz,outside) global_ip local_ip
access-list in_traffic permit tcp any host global_ip eq https
Then apply this access list to the outside interface in the inbound direction.
Secondly, the access list used in the policy NAT cannot contain deny commands; it must contain only permit commands.
My configuration is working, so I don't see how you can say it's completely wrong. I have a deny in my policy access list and that is working as well. How can I use a static translation when I am translating "any" Internet address coming in? I'm not doing a one-for-one NAT.
The only way to make a translation from a less secure to a more secure interface is by using a static translation. In a static translation you translate addresses one to one, but you must also specify an access list that covers this translation; you can put "any" as the source in the access list.
Your settings may be right on one condition: if your outside interface has a higher security level than the DMZ interface.
You can do nat and globals between lower and higher level security interfaces.
I think the issue you are having is that if the interface you have the nat command on is of a lower security level than the one in the global command, you have to add the 'outside' keyword. From the documentation:
"(Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT."
I can't think of any reason why this wouldn't work; according to the order in which NAT is applied, statics take precedence over a nat/global statement.
I'd try adding the outside keyword to your nat statement and taking out the deny statement at the end and see if that fixes it.
If not, post some of your config up here (nat and routing) so we can take a look.
Please rate this message if it helped solve some or all of the question/issue.
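As an added example (not posted by anyone in this thread), here is what the outside-NAT configuration suggested in the answer above looks like in the pre-8.3 ASA/PIX syntax the thread uses. The policy_nat ACL is kept exactly as the original poster wrote it; the DMZ server address 10.1.1.50, the interface ACL name outside_in and the assumption that 184.108.40.206 is the public address of a DMZ web server are assumptions made for the example.

```cisco
! Added example, not from the thread. Pre-8.3 ASA/PIX NAT syntax.
! Assumed: public address 184.108.40.206 belongs to a DMZ web server at
! 10.1.1.50, and Internet client sources should appear on the DMZ as 10.1.1.1.

! 1. One-to-one static for the server itself (destination translation
!    for sessions arriving on the outside interface).
static (dmz,outside) 184.108.40.206 10.1.1.50 netmask 255.255.255.255

! 2. Outside (bidirectional) policy NAT: translate the SOURCE address of
!    Internet clients that hit the server on 443 to 10.1.1.1 on the DMZ side.
!    The trailing 'outside' keyword is required because the nat interface
!    (outside) has a lower security level than the global interface (dmz).
access-list policy_nat permit tcp any host 184.108.40.206 eq ssl
nat (outside) 2 access-list policy_nat outside
global (dmz) 2 10.1.1.1

! 3. Permit the inbound session on the outside interface. In pre-8.3 code the
!    interface ACL matches the public (global) address, not the DMZ address.
access-list outside_in permit tcp any host 184.108.40.206 eq https
access-group outside_in in interface outside
```

After applying it, a test connection from the Internet to 184.108.40.206:443 should show two entries in show xlate: the static for 10.1.1.50 and a dynamic entry mapping the client's real address to 10.1.1.1. If the "no translation group found" syslog message still appears for the other statics, show nat will confirm which nat/global pair the session is being matched against.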