I have a PIX with 7.2.1 code with 3 interfaces: inside sec level 100, outside sec level 0, and dmz sec level 50. I issued the no nat-control command. I configured an ACL on both outside and dmz interfaces that permits IP. Communication between interfaces works perfectly; nothing is being blocked. I decide I'm going to hide my inside IP addresses when going out my outside interface. I issue the command:
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
Now when I go out the outside interface I'm PAT to the firewall's interface, which is correct. But when I try to access the DMZ I get port translation fail messages in the log. I need to add this command to access the dmz:
It looks like whatever IP address is used with the command nat(interface) x.x.x.x now works as though the nat-control command was issued. For example, if I change the nat command to use an ACL with specific IP 10.1.1.1
This allows 10.1.1.1 to PAT to the outside interface and allows me to access the DMZ. Since 10.1.1.2 wasn't included in the ACL for the nat (inside) command it follows the no nat-control policy and can access the DMZ but will not be PAT to the outside interface.
Is this a feature or a bug? Why does global nat force an IP network to be nat-controlled? In this example it's not a big deal, but if this was a firewall with multiple customers and a lot of networks, using a global nat to hide some IP addresses from one customer would break connectivity to another customer on a different interface unless you use the static nat to fix it. Is there any way around this?
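The behaviour described in the post above, as an added example that is not part of the original post: a simplified Python model of how a new connection is handled with no nat-control once a nat rule claims its source address. The names NatRule and translate are hypothetical, and the model assumes only dynamic nat/global pairs (no static, nat 0 or policy-NAT destination matching).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    """Models: nat (<iface>) <nat_id> <network> <mask>  (or an ACL naming hosts)."""
    iface: str
    nat_id: int
    network: ipaddress.IPv4Network


# Models the post's config: global (outside) 1 interface
GLOBALS = {("outside", 1)}
# Models: nat (inside) 1 10.1.1.0 255.255.255.0
NAT_WHOLE_SUBNET = [NatRule("inside", 1, ipaddress.ip_network("10.1.1.0/24"))]
# Models the ACL variant from the post that only names host 10.1.1.1
NAT_SINGLE_HOST = [NatRule("inside", 1, ipaddress.ip_network("10.1.1.1/32"))]


def translate(src_ip, in_iface, out_iface, nat_rules, globals_):
    """Return 'pat', 'untranslated' or 'drop' for a new connection."""
    src = ipaddress.ip_address(src_ip)
    for rule in nat_rules:
        if rule.iface == in_iface and src in rule.network:
            # The source is claimed by a nat rule, so the egress interface
            # must carry a global with the same NAT ID.
            if (out_iface, rule.nat_id) in globals_:
                return "pat"
            return "drop"  # shows up as a translation failure in the log
    # no nat-control: traffic that matches no nat rule passes as-is
    return "untranslated"


if __name__ == "__main__":
    for label, rules in (("subnet", NAT_WHOLE_SUBNET), ("host", NAT_SINGLE_HOST)):
        for src in ("10.1.1.1", "10.1.1.2"):
            for out in ("outside", "dmz"):
                print(label, src, "->", out, translate(src, "inside", out, rules, GLOBALS))
```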