01-21-2019 02:26 AM - edited 02-21-2020 08:40 AM
Hello
I'm really confused right now. As background, I need to do a dynamic PAT from a network with security level 95 to a network with security level 100, as seen below.
FW/sec/act# sh run all nat-control
no nat-control
interface GigabitEthernet0/3
nameif dmz
security-level 95
ip address 172.20.28.5 255.255.255.192 standby 172.20.28.6
no pim
no igmp
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.196.114.51 255.255.255.0 standby 10.196.114.52
I want to dynamically translate 172.20.30.0/23 to 10.196.114.210 with the following:
nat (dmz) 10 access-list dmzVlan30-inside
access-list dmzVlan30-inside line 1 extended permit ip 172.20.30.0 255.255.254.0 host 10.196.112.180
global (inside) 10 10.196.114.210
It's allowed in packet tracer, but I still cannot reach 10.196.112.180, and I don't see the 172.20.30.0/23 network being PAT'd to 10.196.114.210.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz in interface dmz
access-list dmz extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: inspect-rsh
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect rsh
service-policy global_policy global
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (dmz) 10 access-list dmzVlan30-inside
match ip dmz 172.20.30.0 255.255.254.0 sony_lab_au host 10.196.112.180
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 17220 access-list cap1_nat
match ip inside 10.0.0.0 255.0.0.0 sony_lab_au host 10.196.112.104
dynamic translation to pool 17220 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2979465065, packet dispatched to next module
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
FW/sec/act#
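The packet-tracer output above already contains the clue in Phase 8: "dynamic translation to pool 10 (No matching global)" with translate_hits = 0. The following is an added example (not part of the post, not Cisco code) that parses packet-tracer output into phases and flags every NAT phase whose matched nat statement found no global pool; the SAMPLE text is a constructed excerpt of the phases quoted in the post.

```python
import re
# Constructed excerpt of the packet-tracer output quoted in the post above:
# just the two NAT phases, which is all this check looks at.
SAMPLE = """Phase: 8
Type: NAT
Config:
nat (dmz) 10 access-list dmzVlan30-inside
match ip dmz 172.20.30.0 255.255.254.0 sony_lab_au host 10.196.112.180
dynamic translation to pool 10 (No matching global)
Additional Information:
Phase: 9
Type: NAT
Config:
nat (inside) 17220 access-list cap1_nat
dynamic translation to pool 17220 (No matching global)
Additional Information:
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")  # "nat (ifc) id ..."

def parse_phases(text):
    """Split packet-tracer output into dicts: phase, header fields, Config lines."""
    phases, cur, in_cfg = [], {"config": []}, False  # dummy cur absorbs pre-phase lines
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "config": []}
            phases.append(cur)
        elif line == "Config:":
            in_cfg = True
        elif line.startswith("Additional Information:"):
            in_cfg = False
        elif in_cfg:
            cur["config"].append(line)
        else:  # header fields such as "Type: NAT", "Result: ALLOW"
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
    return phases

def unmatched_globals(text):
    """(phase, interface, nat_id) for NAT phases that report 'No matching global'."""
    out = []
    for p in parse_phases(text):
        if p.get("type") != "NAT" or not any("No matching global" in l for l in p["config"]):
            continue
        m = next(filter(None, map(NAT_RE.match, p["config"])), None)
        if m:
            out.append((p["phase"], m.group(1), int(m.group(2))))
    return out
```

Phase 8 is the one that matters for this flow: the access-list matched, but no global pool was applied, so the flow was created without a translation. On pre-8.3 code, dynamic translation from a lower-security interface (dmz, 95) into a higher-security one (inside, 100) is outside NAT and requires the outside keyword on the nat statement, so that is the first thing to verify when this check fires for such an interface pair.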
01-21-2019 02:40 AM
Does your internal network have a route back to the DMZ's 172.20.30.0 255.255.254.0?
01-21-2019 02:42 AM
Yes, there is.