https://community.cisco.com/t5/network-security/trouble-with-nat-policy/m-p/639375#M1028712 <HTML><HEAD></HEAD><BODY><P>Your configuration seems ok, but i would try to create an access-list for the traffic from the DMZ-network and attach this access-list to an access-group like you have done with the outside access-list.</P><P></P><P>Otherwise, please check the log. You should see the error quite clearly there.</P></BODY></HTML> Fri, 19 Jan 2007 08:57:26 GMT thult 2007-01-19T08:57:26Z https://community.cisco.com/t5/network-security/trouble-with-nat-policy/m-p/639374#M1028711 <P>Hi Everyone,</P><P>I was wondering if someone can lend a hand and look over this config for me. </P><P>The config below appears to work fine, inside network is able to get out to the internet, outside users are able to get to the website hosted in the dmz and internally. </P><P>The problem is that the servers with a static NAT translation are unable to get out to the internet(10.0.0.105, 192.168.0.106, 192.168.107). If I removed the static NAT translation than they can get internet access, but then outside can't access the websites. </P><P></P><P>PIX Version 7.2(2) </P><P>hostname FIREWALL</P><P>name 10.0.0.105 SYSLOG</P><P>name 70.x.x.97 INTERNET</P><P>!</P><P>interface Ethernet0</P><P> speed 100</P><P> duplex full</P><P> nameif outside</P><P> security-level 0</P><P> ip address 70.x.x.98 255.255.255.240 </P><P>!</P><P>interface Ethernet1</P><P> speed 100</P><P> duplex full</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.0.0.1 255.255.252.0 </P><P>!</P><P>interface Ethernet2</P><P> speed 100</P><P> duplex full</P><P> nameif dmz</P><P> security-level 50</P><P> ip address 192.168.0.1 255.255.255.0 </P><P>!</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name domain.NET</P><P>access-list NONAT extended permit ip 10.0.0.0 255.255.252.0 10.1.0.0 255.255.252.0 </P><P>access-list DMZ_NONAT extended permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.252.0 </P><P>access-list SPLIT_TUNNEL_LIST standard permit 10.0.0.0 255.255.252.0 </P><P>access-list SPLIT_TUNNEL_LIST standard permit 192.168.0.0 255.255.255.0 </P><P>access-list outside_access_in extended permit tcp any host 70.x.x.106 eq ftp </P><P>access-list outside_access_in extended permit tcp any host 70.x.x.105 eq www </P><P>access-list outside_access_in extended permit tcp any host 70.x.x.106 eq www </P><P>access-list outside_access_in extended permit tcp any host 70.x.x.107 eq www </P><P></P><P>ip local pool VPN_POOL 10.1.0.10-10.1.0.254</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image flash:/asdm-522.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>nat-control</P><P>global (outside) 1 70.x.x.100-70.x.x.101</P><P>global (outside) 1 70.x.x.102</P><P>global (dmz) 1 interface</P><P>nat (inside) 0 access-list NONAT</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (dmz) 0 access-list DMZ_NONAT</P><P>nat (dmz) 1 192.168.0.0 255.255.255.0</P><P>static (dmz,outside) 70.x.x.106 192.168.0.106 netmask 255.255.255.255 </P><P>static (inside,outside) 70.x.x.105 SYSLOG netmask 255.255.255.255 </P><P>static (dmz,outside) 70.x.x.107 192.168.0.107 netmask 255.255.255.255 </P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 INTERNET 1</P><P></P><P>group-policy REMOTE_VPN_GP internal</P><P>group-policy REMOTE_VPN_GP attributes</P><P> dns-server value 10.0.0.100 10.0.0.101</P><P> vpn-tunnel-protocol IPSec </P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value SPLIT_TUNNEL_LIST</P><P> default-domain value domain.net</P><P></P><P>crypto ipsec transform-set STRONGER esp-aes esp-sha-hmac </P><P>crypto ipsec transform-set STRONG esp-3des esp-sha-hmac </P><P>crypto ipsec transform-set STRONGEST esp-aes-256 esp-sha-hmac </P><P>crypto dynamic-map CLIENT_MAP 1 set transform-set STRONGEST STRONGER STRONG</P><P>crypto map VPN_MAP 50 set pfs </P><P>crypto map VPN_MAP 50 set transform-set STRONGEST STRONGER STRONG</P><P>crypto map VPN_MAP 65535 ipsec-isakmp dynamic CLIENT_MAP</P><P>crypto map VPN_MAP interface outside</P><P>crypto isakmp enable outside</P><P>crypto isakmp policy 150</P><P> authentication pre-share</P><P> encryption aes</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>tunnel-group REMOTE_VPN type ipsec-ra</P><P>tunnel-group REMOTE_VPN general-attributes</P><P> address-pool VPN_POOL</P><P> default-group-policy REMOTE_VPN_GP</P><P>tunnel-group REMOTE_VPN ipsec-attributes</P><P> pre-shared-key *</P><P> isakmp keepalive threshold 30 retry 5</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map </P><P> inspect h323 h225 </P><P> inspect h323 ras </P><P> inspect rsh </P><P> inspect rtsp </P><P> inspect esmtp </P><P> inspect sqlnet </P><P> inspect skinny </P><P> inspect sunrpc </P><P> inspect xdmcp </P><P> inspect sip </P><P> inspect netbios </P><P> inspect tftp </P><P> inspect ftp </P><P> inspect icmp </P><P>!</P><P>service-policy global_policy global</P><P></P> Mon, 11 Mar 2019 09:20:32 GMT https://community.cisco.com/t5/network-security/trouble-with-nat-policy/m-p/639374#M1028711 danielkaiser 2019-03-11T09:20:32Z https://community.cisco.com/t5/network-security/trouble-with-nat-policy/m-p/639375#M1028712 <HTML><HEAD></HEAD><BODY><P>Your configuration seems ok, but i would try to create an access-list for the traffic from the DMZ-network and attach this access-list to an access-group like you have done with the outside access-list.</P><P></P><P>Otherwise, please check the log. You should see the error quite clearly there.</P></BODY></HTML> Fri, 19 Jan 2007 08:57:26 GMT https://community.cisco.com/t5/network-security/trouble-with-nat-policy/m-p/639375#M1028712 thult 2007-01-19T08:57:26Z