
New Member

The problem with the static command and nat/global command

The config for NAT, GLOBAL and STATIC:

global (outside) 1 interface

global (inside) 1 10.1.1.1

nat (outside) 1 access-list acl1 outside 0 0

nat (inside) 1 10.1.1.0 255.255.255.0 0 0

static (inside,outside) 192.168.1.3 10.1.1.3 netmask 255.255.255.255 0 0

It is known that we can configure "static" and an ACL together to permit traffic from outside to inside. It worked well before I added the nat (outside) and global (inside) configurations.

2 REPLIES
New Member

Re: The problem with the static command and nat/global command

ACL1:

access-list acl1 permit any host 192.168.1.1

I found that if the traffic does NOT MATCH acl1, the outside host cannot connect to 192.168.1.3 although STATIC/ACL has been configured.

And the PIX error message displayed is:

%PIX-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port

New Member

Re: The problem with the static command and nat/global command

Hi,

I don't know exactly what you want to do but:

INSIDE --> OUTSIDE

------------------

use the nat and global command only:

nat (inside) 1 10.1.1.0 255.255.255.0 0 0

global (outside) 1 interface

--> Your network 10.1.0.0/24 will be translated into the IP address of your outside interface when it goes outside

access-list inside_access_in permit ip 10.1.0.0 255.255.0.0 any

access-group inside_access_in in interface inside

--> the ACL which permits traffic from inside to outside

OUTSIDE-->INSIDE

------------------

use the static command:

static (inside,outside) 192.168.1.3 10.1.1.3 netmask 255.255.255.255 0 0

--> The address 10.1.1.3 in your network has a "public" address (192.168.1.3), which makes it possible for the outside to reach it.

access-list outside_access_in permit ip any host 192.168.1.3

access-group outside_access_in in interface outside

--> An ACL which permits traffic from any host in the Outside to your local address 10.1.1.3

With this configuration:

1/ The inside hosts can go outside

2/ The outside hosts can connect to 10.1.1.3

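The static/ACL/access-group pairing described in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Cisco tooling: a small Python audit that flags statics with no permit in the ACL bound to their mapped interface, ACLs that are never bound, and access-groups naming an undefined ACL. It assumes PIX 6.x line syntax as used in the thread and only understands permit entries of the form `permit <proto> any host <ip>` or `permit <proto> any any`; the sample config and the name `dmz_in` are constructed.

```python
import re

# Constructed sample in the thread's PIX 6.x syntax: the second static has no
# permit in the bound ACL, and "dmz_in" is defined but never bound.
SAMPLE = """\
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 interface
static (inside,outside) 192.168.1.3 10.1.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.4 10.1.1.4 netmask 255.255.255.255 0 0
access-list outside_access_in permit ip any host 192.168.1.3
access-list dmz_in permit ip any host 192.168.1.4
access-group outside_access_in in interface outside
"""

STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
# Assumption: only "source any" permits are parsed; other entries still count
# as defining the ACL but contribute no permitted destination.
ACE = re.compile(r"^access-list \S+ permit \S+ any (?:host (\S+)|any)\s*$")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config):
    """Return a list of findings for static/ACL/access-group mismatches."""
    statics, permits, bound = [], {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            statics.append((m.group(2), m.group(3)))  # (mapped ifc, mapped ip)
        elif line.startswith("access-list "):
            dests = permits.setdefault(line.split()[1], set())
            if m := ACE.match(line):
                dests.add(m.group(1) or "any")
        elif m := GROUP.match(line):
            bound[m.group(2)] = m.group(1)            # interface -> ACL name
    findings = []
    for ifc, acl in bound.items():
        if acl not in permits:
            findings.append(f"access-group on {ifc} references undefined ACL {acl}")
    for acl in permits:
        if acl not in bound.values():
            findings.append(f"ACL {acl} is not bound to any interface")
    for ifc, mapped in statics:
        allowed = permits.get(bound.get(ifc), set())
        if mapped not in allowed and "any" not in allowed:
            findings.append(f"static {mapped} has no permit in the ACL bound to {ifc}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```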