06-13-2007 09:33 AM - edited 03-11-2019 03:29 AM
Hi,
I am facing a peculiar NAT situation on a Pix with multiple interfaces, config below:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security40
nat (inside) 1 10.0.1.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0 outside
global (dmz1) 1 192.168.17.2
global (outside) 1 64.0.0.1
global (dmz2) 1 172.17.0.1
Not my config, but faced with this situation, does the config prevent Inside hosts from communicating with the DMZ1 server?
Thanks in advance.
06-13-2007 10:40 PM
I would say this should work. By default, for higher-security to lower-security level communication you only need your nat enabled. Nothing more. Only from lower to higher do you need nat as well as an access-list.
Why have you used this statement: 'nat (dmz1) 1 192.168.17.0 255.255.255.0 outside'?
You could do without it.
-Hoogen
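To make the nat/global pairing rule from the reply above concrete, here is an added example (not code from the thread, and not a Cisco tool) that parses the configuration quoted in the first post and reports, for every interface pair, which global pool a flow would be translated with. It models only the documented pairing rule: a plain `nat (src) ID` covers flows from `src` to a lower-security interface, a `nat (src) ID ... outside` (outside NAT) covers flows from `src` to a higher-security interface, and a translation exists when a covering nat rule and a `global (dst) ID` pool share the same ID. The NAT-control side effects of enabling outside NAT, which is what the thread's 305006 error is actually about, are not modelled; the function names and the `strip_outside_nat` helper are this example's own.

```python
"""Added example: a small model of PIX nat/global pairing for the thread's config.

Assumptions (simplified PIX semantics, not a full model of NAT control):
  - `nat (src) ID net mask`          covers src -> LOWER-security interfaces
  - `nat (src) ID net mask outside`  covers src -> HIGHER-security interfaces (outside NAT)
  - src -> dst is translated when a covering nat rule and a `global (dst) ID` share ID.
"""
import re

# Configuration quoted in the first post of the thread (not constructed).
CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security40
nat (inside) 1 10.0.1.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0
nat (dmz1) 1 192.168.17.0 255.255.255.0 outside
global (dmz1) 1 192.168.17.2
global (outside) 1 64.0.0.1
global (dmz2) 1 172.17.0.1
"""

NAMEIF_RE = re.compile(r"^nameif \S+ (\S+) security(\d+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) \S+ \S+( outside)?$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


def parse_config(text):
    """Return (security levels, nat rules, global pools) from PIX config lines."""
    security, nats, pools = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            security[m.group(1)] = int(m.group(2))
        elif m := NAT_RE.match(line):
            # (interface, nat id, is outside NAT)
            nats.append((m.group(1), int(m.group(2)), m.group(3) is not None))
        elif m := GLOBAL_RE.match(line):
            pools[(m.group(1), int(m.group(2)))] = m.group(3)
    return security, nats, pools


def translation_for(cfg, src, dst):
    """Global pool used for a src -> dst flow, or None when no translation is defined
    (the condition PIX reports as 305006: No translation defined)."""
    security, nats, pools = cfg
    to_higher = security[dst] > security[src]
    for iface, nat_id, outside in nats:
        # A plain nat rule only covers flows toward lower security; an outside
        # nat rule only covers flows toward higher security.
        if iface != src or outside != to_higher:
            continue
        pool = pools.get((dst, nat_id))
        if pool is not None:
            return pool
    return None


def translation_matrix(cfg):
    """Translation (or None) for every ordered pair of distinct interfaces."""
    security = cfg[0]
    return {(s, d): translation_for(cfg, s, d)
            for s in security for d in security if s != d}


def strip_outside_nat(text):
    """Hypothetical helper: the same config with the 'nat ... outside' line removed,
    i.e. the change the original poster says made Inside -> DMZ1 work."""
    return "\n".join(l for l in text.splitlines() if not l.rstrip().endswith(" outside"))


if __name__ == "__main__":
    for label, text in (("as posted", CONFIG), ("outside nat removed", strip_outside_nat(CONFIG))):
        print(f"--- {label} ---")
        for (s, d), pool in sorted(translation_matrix(parse_config(text)).items()):
            print(f"{s:>8} -> {d:<8} {pool or 'no translation defined (305006)'}")
```

Under this model Inside -> DMZ1 is translated with 192.168.17.2 whether or not the outside NAT line is present, and the only pair that line affects is DMZ1 -> DMZ2; so if removing it really clears the 305006 for Inside -> DMZ1, the cause lies in behaviour this pairing rule does not capture, which is the point the later posts argue about.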
06-14-2007 07:58 AM
Hi Hoogen,
I am only analyzing the existing configuration and not designing one. Inside to DMZ1 traffic does not work with this configuration and I am trying to understand why.
The statement 'nat (dmz1) 1 192.168.17.0 255.255.255.0 outside' is inserted because DMZ2 is at a higher security level than DMZ1.
The issue I faced is that Inside to DMZ1 communication works only when the above statement is removed. The error seen is 305006: No translation defined.
Apparently, this is because a low-to-high global NAT definition has to be defined for all low-to-high interfaces or none at all. Am I understanding this right?
I would like to know if someone has seen this before and whether this is a bug that has been/needs to be addressed.
Thanks and Regards,
Mahesh
06-14-2007 09:40 AM
That statement is not required; for traffic flowing from DMZ1 to DMZ2 you have already configured the nat statement and also the global statement, so you don't need this statement.
Is there anything else that is problematic? Do let us know.
-Hoogen
06-14-2007 02:30 PM
Oh! I thought that when defining NAT on a lower-security interface (dmz1) with a matching global on a higher-security interface (dmz2), outside NAT is compulsory.
Regards,
Mahesh