PIX Nat/Pat issue

Answered Question
Apr 3rd, 2007

I have a global PAT for a client's subnet to access the internet and a static NAT for a specific host-to-host connection across a site-to-site VPN. I recently added another static NAT w/ access list and now the host can't access the internet. The client hits the static access-lists but it never hits the global PAT for the internet. I have a PIX 525 running 6.3.3. Any thoughts as to why this is happening? I can't reproduce this effect in the lab.

abinjola Tue, 04/03/2007 - 08:51

Can you post the config and the IP address of the client in question?

DOUG KIRK Tue, 04/03/2007 - 09:05

User 100.5.7.47 hits the static site-to-site access-lists but now won't hit the global PAT.

Global PAT for Internet

global (outside) 10 192.252.127.254
nat (inside) 10 100.5.7.0 255.255.255.0 0 0

Site to Site #1

access-list host-to-host1 permit ip host 100.5.7.47 host 100.79.104.187
static (inside,outside) 192.252.127.241 access-list host-to-host1 0 0

Site to Site #2

access-list host-to-host2 permit ip host 100.5.7.47 host 100.200.251.110
static (inside,outside) 206.112.159.32 access-list host-to-host2 0 0
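As an added illustration (not part of the thread), here is a small Python model of the NAT order the config above relies on: policy static rules match on source and destination first, and only when none applies does the source-only nat/global pair translate the packet. The rule table is built from Doug's posted lines; the internet destination 203.0.113.9 and the evaluation order are assumptions, not PIX output.

```python
import ipaddress

# Constructed model of PIX 6.3 NAT evaluation for the config posted above.
# Assumption: policy static NAT (static ... access-list) is evaluated before
# the dynamic nat/global pair. This is an illustration, not PIX code.

# static (inside,outside) <mapped> access-list <acl>, with the ACL's
# (source host, destination host) taken from the posted access-lists.
POLICY_STATICS = [
    ("host-to-host1", "100.5.7.47", "100.79.104.187", "192.252.127.241"),
    ("host-to-host2", "100.5.7.47", "100.200.251.110", "206.112.159.32"),
]

# nat (inside) 10 100.5.7.0 255.255.255.0  +  global (outside) 10 192.252.127.254
DYNAMIC_NAT = [("100.5.7.0/24", "192.252.127.254")]


def translate(src, dst):
    """Return (matching rule, mapped outside address) for an inside->outside
    packet, or (None, None) when no NAT rule applies to it."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    # 1. Policy static NAT: the ACL must match source AND destination.
    for acl, acl_src, acl_dst, mapped in POLICY_STATICS:
        if s == ipaddress.ip_address(acl_src) and d == ipaddress.ip_address(acl_dst):
            return acl, mapped
    # 2. Dynamic nat/global: matches on the source network only, so any
    #    destination not covered by a static (e.g. the internet) lands here.
    for net, mapped in DYNAMIC_NAT:
        if s in ipaddress.ip_network(net):
            return "nat (inside) 10", mapped
    return None, None


if __name__ == "__main__":
    for dst in ("100.79.104.187", "100.200.251.110", "203.0.113.9"):
        print(dst, "->", translate("100.5.7.47", dst))
```

The expected result for the host is the two VPN peers via their statics and everything else via the global PAT; the bug Doug hit is that the last case never happens.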

Correct Answer
David White Tue, 04/03/2007 - 19:48

Ah yes. You bring back good memories doug :-)

You are running into bug CSCec63822. It was resolved in 6.3(3.136) and later. There is no workaround other than upgrading.

Sincerely,

David.

PS> Please don't forget to mark the issue resolved if it solves your problem so we can check this issue off the list.

DOUG KIRK Wed, 04/04/2007 - 04:53

Thanks for the info. I have found a workaround until we can upgrade code.

I created a new policy NAT for this specific host.

access-list host-pat deny ip host 100.5.7.47 host x.x.x.x
access-list host-pat deny ip host 100.5.7.47 host y.y.y.y
access-list host-pat permit ip host 100.5.7.47 0.0.0.0 0.0.0.0
nat (inside) 10 access-list host-pat 0 0

This took care of my problem for the time being. We are scheduling a time to upgrade code.

Thanks for your help.

David White Wed, 04/04/2007 - 06:06

Hi Doug,

Be careful with the workaround, as 'deny' statements are not supported in policy-nat. So, your results may be unpredictable.

But, at least it is working for the time being :-)

David.
