05-31-2016 05:43 AM - edited 03-12-2019 12:49 AM
DMZ
Security level 0
Outside
Security level 0
object network DMZ
host 192.168.50.10
object network DMZ
nat (DMZ,outside) static 192.168.192.3
object network remote-hostin
host 1.1.1.1
object network remote-hostin
nat (outside,dmz) static 192.168.192.4
access-list Remote-hostin extended permit ip object remote-hostin object DMZ
access-group Remote-hostin in interface DMZ
Kindly could someone advise, as these rules are not working? Where am I making the mistake?
05-31-2016 05:47 AM
Hi,
Have you enabled this command, as both the interfaces are on the same security level?
same-security-traffic permit inter-interface
Regards,
Aditya
Please rate helpful posts and mark correct answers.
05-31-2016 05:57 AM
Hello Aditya,
I gave the command you mentioned, but the packet tracer is still showing an ACL drop.
packet-tracer input dmZ rawip 192.168.50.10 1 1.1.1.1 $
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc6725f8, priority=11, domain=permit, deny=true
hits=1, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=any
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
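Added example, not part of the thread or of any Cisco tooling: a small Python parser for packet-tracer output like the one pasted above, reporting the first phase that dropped the flow and whether the hit was on the implicit rule rather than a configured ACL entry. The sample text is abridged from that post; the function names are hypothetical.

```python
import re

# Abridged from the packet-tracer output posted above.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
input_ifc=DMZ, output_ifc=any
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """One dict per 'Phase: N' block; stops at the trailing summary 'Result:'."""
    phases, cur, in_config = [], None, False
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), "config": []}
            phases.append(cur)
            in_config = False
        elif cur is None or line == "Result:":
            cur = None  # before the first phase, or inside the summary block
        elif line.startswith(("Type:", "Result:")):
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            in_config = line == "Config:"
        elif in_config and line:
            cur["config"].append(line)  # the rule text the phase matched on
    return phases

def first_drop(text):
    """First phase that dropped the flow; 'implicit' marks the implicit deny."""
    for p in parse_phases(text):
        if p.get("result") == "DROP":
            return {**p, "implicit": "Implicit Rule" in p["config"]}
    return None
```

For the output in this thread, `first_drop(SAMPLE)` reports phase 2 (ACCESS-LIST) with `implicit` set, meaning no configured access-list entry matched the traced flow on the DMZ interface.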
05-31-2016 10:27 AM
Hi,
Could you tell me why we are using two different NAT statements?
What is your objective? Could you please elaborate on the requirement?
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-01-2016 08:49 AM
192.168.192.0/27 is a private WAN network for the corporate network. We share this network with other supplier; that is why we are using another NAT (RFC) address.
Server 1.1.1.1 is remote and running FTP, SNMP, TFTP services. 192.168.50.0 is assigned to the DMZ zone.
The objective is that when the remote server comes into the DMZ, it gets translated into a 192.168.192.0 address.