NAT rules help from outside to DMZ with both security level 0

DMZ: security level 0

Outside: security level 0

object network DMZ
 host 192.168.50.10
object network DMZ
 nat (DMZ,outside) static 192.168.192.3

object network remote-hostin
 host 1.1.1.1
object network remote-hostin
 nat (outside,dmz) static 192.168.192.4

access-list Remote-hostin extended permit ip object remote-hostin object DMZ
access-group Remote-hostin in interface DMZ

Kindly, could someone advise, as these rules are not working? Where am I making the mistake?

please do not forget to rate.
4 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Have you enabled this command, as both interfaces are on the same security level?

same-security-traffic permit inter-interface

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hello Aditya,

I gave the command you mentioned, but the packet tracer is still showing an ACL drop:

 packet-tracer input dmZ rawip 192.168.50.10 1 1.1.1.1 $

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbc6725f8, priority=11, domain=permit, deny=true
        hits=1, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

please do not forget to rate.
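The trace above ends in "Implicit Rule" on input_ifc=DMZ. The following is an added example, not code from the thread or from Cisco: a small Python model of how the ASA evaluates an inbound interface access-group (checked on the ingress interface, first match wins, trailing implicit deny, real addresses). It rebuilds the objects and the access-list from the question and evaluates the flow the packet-tracer command tests (enters DMZ, 192.168.50.10 to 1.1.1.1, protocol 1). The only ACE on the DMZ interface permits source remote-hostin to destination DMZ, so that flow falls through to the implicit deny, which matches the acl-drop in the trace; the reverse direction matches the ACE. Interface names, objects and addresses come from the thread; treating an interface with no access-group as permitted is a simplification that assumes same-security-traffic permit inter-interface is configured, as suggested in the reply.

```python
"""Model of ASA inbound interface ACL evaluation for the posted config.

Added example, not from the original thread or from Cisco. Behaviour modelled:
an access-group applied "in" on an interface is checked against traffic
entering that interface, the first matching ACE wins, and an applied ACL ends
with an implicit deny of all other traffic. Addresses checked are the real
(untranslated) ones, which is what the posted objects hold.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Network objects from the thread.
OBJECTS = {
    "DMZ": ip_network("192.168.50.10/32"),
    "remote-hostin": ip_network("1.1.1.1/32"),
}

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches any protocol; otherwise a protocol number/name
    src: IPv4Network
    dst: IPv4Network

    def matches(self, proto: str, src_ip: str, dst_ip: str) -> bool:
        proto_ok = self.protocol == "ip" or self.protocol == proto
        return (proto_ok
                and ip_address(src_ip) in self.src
                and ip_address(dst_ip) in self.dst)


# access-list Remote-hostin extended permit ip object remote-hostin object DMZ
ACL_REMOTE_HOSTIN = [
    Ace("permit", "ip", OBJECTS["remote-hostin"], OBJECTS["DMZ"]),
]

# access-group Remote-hostin in interface DMZ
ACCESS_GROUPS = {"DMZ": ACL_REMOTE_HOSTIN}


def evaluate(ingress_ifc: str, proto: str, src_ip: str, dst_ip: str) -> tuple[str, str]:
    """Return (action, reason) for a flow entering ingress_ifc.

    proto is the IP protocol as a string, e.g. "1" for ICMP as used by
    'packet-tracer ... rawip <src> 1 <dst>'.
    """
    acl = ACCESS_GROUPS.get(ingress_ifc)
    if acl is None:
        # Simplification (assumption): no access-group on the interface and
        # same-security-traffic permit inter-interface configured, so the
        # security-level check lets the flow through.
        return "permit", "no access-group on interface; security-level check permits"
    for ace in acl:
        if ace.matches(proto, src_ip, dst_ip):
            return ace.action, f"{ace.action} {ace.protocol} {ace.src} -> {ace.dst}"
    # Every applied ACL ends with an implicit deny; packet-tracer reports it
    # as "Implicit Rule" with drop reason acl-drop.
    return "deny", "Implicit Rule (acl-drop)"


if __name__ == "__main__":
    # The flow actually traced in the thread: DMZ host out towards 1.1.1.1.
    print("DMZ -> 1.1.1.1:", evaluate("DMZ", "1", "192.168.50.10", "1.1.1.1"))
    # The direction the posted ACE describes: remote host in to the DMZ host.
    print("1.1.1.1 -> DMZ host (entering DMZ):",
          evaluate("DMZ", "1", "1.1.1.1", "192.168.50.10"))
```

Running the block prints a deny with "Implicit Rule (acl-drop)" for the traced flow and a permit for the reverse direction, so the ACL named in the question only covers traffic that enters the DMZ interface from 1.1.1.1 towards 192.168.50.10, not the DMZ host's own traffic towards 1.1.1.1.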

Hi,

Could you tell me why we are using two different NAT statements?

What is your objective? Could you please elaborate on the requirement?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

192.168.192.0/27 is a private WAN network for the corporate network. We share this network with other suppliers; that is why we are using another NAT (RFC) address.

Server 1.1.1.1 is remote and runs FTP, SNMP and TFTP services. 192.168.50.0 is assigned to the DMZ zone.

The objective is that when the remote server comes into the DMZ, it gets translated into a 192.168.192.0 address.

please do not forget to rate.