02-27-2013 06:40 AM - edited 03-11-2019 06:06 PM
I have an internal firewall between two private networks.
I want all addressing on the inside to use the global, and I want any internal address destined for a group of servers on port 23 on the external to use a pool of addresses.
The inside network is 10.0.0.0/8 and the destination subnet is 10.130.29.0/25. Routes exist and connectivity works.
Here's the config:
global (outside) 1 10.130.29.2
nat (inside) 1 access-list nat
access-list nat deny ip host 10.7.2.206 any
access-list nat deny ip host 10.7.2.207 any
access-list nat permit ip any any
I've added:
object-group network SERVERS
network-object host 195.104.88.151
network-object host 195.104.88.152
network-object host 195.104.88.153
access-list serv_acl permit tcp 10.0.0.0 255.0.0.0 object-group SERVERS eq 23
global (outside) 2 10.130.29.117-10.130.29.126 netmask 255.255.255.128
nat (inside) 2 access-list serv_acl
The SERVERS are destined for another network beyond the firewall, but I need to translate any address from the internal to pool 2. I can connect using the global, but after applying the added config above the connection is still using the global. The xlate was cleared.
Is the subnet mask correct for the pool?
Any help appreciated.
02-27-2013 09:19 AM
Hi,
So you say that your traffic is hitting the original Dynamic Policy PAT rule after configuring the new Dynamic Policy NAT rule?
I think this is because of the NAT ordering.
I am not sure if the "ID" of the NAT configuration has any meaning but I would try changing the NAT configuration in the following way
no global (outside) 1 10.130.29.2
no nat (inside) 1 access-list nat
global (outside) 100 10.130.29.2
nat (inside) 100 access-list nat
Then perhaps "clear xlate" if situation permits.
This should ensure that the new Dynamic Policy NAT rule is the first to be matched and the original rule comes after that.
Notice that the original rule has a "permit ip any any" ACL rule which matches all traffic. So everything gets matched to it and won't get matched to the new rule.
Can you try this out and see how it goes?
- Jouni
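To illustrate the first-match behaviour Jouni describes, here is an added Python model of the thread's two policy NAT rules (example code, not from this thread or from Cisco). It assumes, as this thread observed, that policy dynamic NAT rules are tried in ascending nat ID order until one ACL permits the flow; the IP addresses and ACLs are copied from the configuration above.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def ace(action, src, dst=ANY, dport=None):
    """One access-list entry. src/dst: ip_network, or a set of host strings
    standing in for an object-group. Protocol is folded into dport (None = ip)."""
    return (action, src, dst, dport)

def ace_matches(entry, src_ip, dst_ip, dport):
    _, src, dst, port = entry
    if src_ip not in src:
        return False
    if isinstance(dst, set):
        if str(dst_ip) not in dst:
            return False
    elif dst_ip not in dst:
        return False
    return port is None or port == dport

def acl_permits(acl, src_ip, dst_ip, dport):
    """First matching ACE decides; no match is an implicit deny."""
    for entry in acl:
        if ace_matches(entry, src_ip, dst_ip, dport):
            return entry[0] == "permit"
    return False

# Constructed from the configuration posted in this thread.
SERVERS = {"195.104.88.151", "195.104.88.152", "195.104.88.153"}
NAT_ACL = [ace("deny", ipaddress.ip_network("10.7.2.206/32")),
           ace("deny", ipaddress.ip_network("10.7.2.207/32")),
           ace("permit", ANY)]
SERV_ACL = [ace("permit", ipaddress.ip_network("10.0.0.0/8"), SERVERS, 23)]
PAT_GLOBAL = "10.130.29.2"
POOL_GLOBAL = "10.130.29.117-10.130.29.126"

# (nat id, access-list, global pool): the original post, then Jouni's renumbering.
ORIGINAL = [(1, NAT_ACL, PAT_GLOBAL), (2, SERV_ACL, POOL_GLOBAL)]
RENUMBERED = [(100, NAT_ACL, PAT_GLOBAL), (2, SERV_ACL, POOL_GLOBAL)]

def select_nat(policy_rules, src, dst, dport):
    """Walk policy dynamic NAT rules in ascending nat ID (assumption) until
    the first ACL permit; return (nat id, pool) or None if nothing matched."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for nat_id, acl, pool in sorted(policy_rules, key=lambda r: r[0]):
        if acl_permits(acl, src_ip, dst_ip, dport):
            return nat_id, pool
    return None  # no dynamic rule matched: these rules do not translate the flow

if __name__ == "__main__":
    for rules in (ORIGINAL, RENUMBERED):
        print(select_nat(rules, "10.7.2.50", "195.104.88.151", 23))
```

With the original IDs the catch-all rule 1 claims the telnet flow and the pool is never reached; after renumbering, rule 2 is consulted first and only non-telnet or non-SERVERS traffic falls through to the PAT global.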
02-28-2013 10:22 AM
Thanks Jouni
You were exactly right.
The first policy had 'ip any any' which of course catches all traffic. I changed the order and it works fine.
Thanks again
michael