Re: ASA Static NAT and ACL

From: Kim teu (kim.teu@gmail.com)
Date: Wed Apr 09 2008 - 21:54:56 ART


Thanks Patrick. It's fixed.

Remove the following command on the outside interface.

no forward interface Vlan1

Regards,
Kim

On 4/9/08, Patrick Galligan <pgalligan@gmail.com> wrote:
>
> On Wed, Apr 9, 2008 at 10:28 PM, Kim teu <kim.teu@gmail.com> wrote:
> > Hello Expert,
> > I am doing a static NAT so that outside (internet user) can access my
> > private IP address 10.26.26.11. Below is the config. When I performed the
> > packet trace, the packet is dropped by an ACL. Can you help me resolve it?
> >
> > Thanks.
> >
> >
> > nat (inside) 1 0.0.0.0 0.0.0.0
> >
> > Phase: 3
> > Type: UN-NAT
> > Subtype: static
> > Result: ALLOW
> > Config:
> > static (inside,outside) interface 10.26.26.11 netmask 255.255.255.255
> > nat-control
> > match ip inside host 10.26.26.11 outside any
> > static translation to 76.182.201.25
> > translate_hits = 15, untranslate_hits = 111
> > Additional Information:
> > NAT divert to egress interface inside
> > Untranslate 176.82.101.25/0 to 10.26.26.11/0 using netmask 255.255.255.255
>
> Have you made a typo here? "static translation to 76.182.201.25"
>
> Global entries should not matter, as you have a static to translate
> for this host.
>
> I'm assuming 176.82.101.25 is your outside interface address. Put a
> deny ip any any at the end of your outside acl and enable logging for
> it. Based on the config sections you emailed it looks like it should
> work. Have you done a clear xlate and/or reboot? Another
> troubleshooting tool you can use is the capture feature. It will save
> packets specified in an acl to a pcap file so you can then view it in
> wireshark or some other sniffer. It's in the command reference. I use
> it a lot. Also, you could put a permit ip any any in your outside acl
> and see what hits you get on it.
>

-- 
May All Behappy!!!
CCIE 19369
www.kimteu.com
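
Added example, not part of the original thread: a small Python parser for packet-tracer output that reports the first phase with `Result: DROP` and flags a phase where the address after "static translation to" differs from the address after "Untranslate", the kind of discrepancy Patrick asks about. The sample output is constructed (documentation-range addresses), and the function names are hypothetical.

```python
import re

# Constructed packet-tracer output (documentation addresses), not from the thread.
SAMPLE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
static (inside,outside) interface 10.26.26.11 netmask 255.255.255.255
    static translation to 203.0.113.25
Untranslate 203.0.113.52/0 to 10.26.26.11/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Result: DROP
"""
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

def parse_phases(text):
    """Group output lines by 'Phase: N'; tolerates '> ' mail-quote prefixes."""
    phases, cur = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "result": "", "lines": []}
            phases.append(cur)
        elif cur is not None:
            key, sep, val = line.partition(":")
            if sep and key in ("Type", "Result") and not cur[key.lower()]:
                cur[key.lower()] = val.strip()  # first Type/Result in the phase wins
            cur["lines"].append(line)
    return phases

def first_drop(phases):
    """Return the first phase whose Result is DROP, or None."""
    return next((p for p in phases if p["result"].upper() == "DROP"), None)

def nat_mismatches(phases):
    """List (phase, configured, observed) where the two global addresses differ."""
    found = []
    for p in phases:
        body = "\n".join(p["lines"])
        cfg = re.search(r"static translation to " + IP, body)
        seen = re.search(r"Untranslate " + IP + r"/\d+", body)
        if cfg and seen and cfg.group(1) != seen.group(1):
            found.append((p["phase"], cfg.group(1), seen.group(1)))
    return found
```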

This archive was generated by hypermail 2.1.4 : Thu May 01 2008 - 08:25:50 ART