topic Global & Nat issue in Network Security

Global & Nat issue

m-mneimneh — Mon, 11 Mar 2019 11:29:10 GMT

Hi all,

i have an issue using nat & global; i have the following config on my pix, running 6.3

nat (inside) 2 access-list ftp_clients

nat (inside) 5 access-list DomainControllers

nat (inside) 5 172.16.254.0 255.255.255.0

access-list ftp_clients permit any

access-list DomainControllers permit host 172.16.16.45

access-list DomainControllers permit host 172.16.16.46

access-list DomainControllers permit host 172.16.16.47

global (outside) 5 212.98.x.x

global (outside) 2 216.236.y.y

the thing is that the sh xlate output shows that the Domain COntrollers are using the Global 2, and not the Global 5, as seen below:

PAT Global 216.236.y.y(1041) Local 172.16.16.45(1053)

PAT Global 216.236.x.x(1032) Local 172.16.16.47(1047)

Any tips why this is so?

Thanks in advance.

acomiskey — Tue, 23 Oct 2007 13:51:31 GMT

I believe it is because they are matching first on this access list assigned to global 2.

access-list ftp_clients permit any

acomiskey — Tue, 23 Oct 2007 13:59:02 GMT

Try it this way...

nat (inside) 2 access-list DomainControllers

nat (inside) 2 172.16.254.0 255.255.255.0

nat (inside) 5 access-list ftp_clients

access-list DomainControllers permit host 172.16.16.45

access-list DomainControllers permit host 172.16.16.46

access-list DomainControllers permit host 172.16.16.47

access-list ftp_clients permit any

global (outside) 2 212.98.x.x

global (outside) 5 216.236.y.y

m-mneimneh — Fri, 26 Oct 2007 10:13:53 GMT

Hi guys,

i tried what you suggested, and it's still not working. is this a normal behavior?

any other tips please?

fargier — Mon, 29 Oct 2007 12:33:15 GMT

hello,

There is something wrong in your

nat (inside) 5 access-list ftp_clients

you do no match any Subnet of your inside interface.. Try 0.0.0.0 0.0.0.0 or the subnet you would like to nat.

Bye