04-03-2007 07:16 AM - edited 03-11-2019 02:55 AM
I have a global PAT for a client's subnet to access the internet and a static NAT for a specific host-to-host connection across a site-to-site VPN. I recently added another static NAT with an access list, and now the host can't access the internet. The client hits the static access-lists, but it never hits the global PAT for the internet. I have a PIX 525 running 6.3.3. Any thoughts as to why this is happening? I can't reproduce this effect in the lab.
04-03-2007 07:48 PM
Ah yes. You bring back good memories, Doug :-)
You are running into bug CSCec63822. It was resolved in 6.3(3.136) and later. There is no workaround other than upgrading.
Sincerely,
David.
PS> Please don't forget to mark the issue resolved if it solves your problem so we can check this issue off the list.
04-03-2007 08:51 AM
Can you post the config and the IP address of the client in question?
04-03-2007 09:05 AM
User 100.5.7.47 hits the static site-to-site access-lists but now won't hit the global PAT.
Global PAT for Internet
global (outside) 10 192.252.127.254
nat (inside) 10 100.5.7.0 255.255.255.0 0 0
Site to Site #1
access-list host-to-host1 permit ip host 100.5.7.47 host 100.79.104.187
static (inside,outside) 192.252.127.241 access-list host-to-host1 0 0
Site to Site #2
access-list host-to-host2 permit ip host 100.5.7.47 host 100.200.251.110
static (inside,outside) 206.112.159.32 access-list host-to-host2 0 0
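To check what the posted configuration should do once the PIX evaluates its translation rules, here is an added model of PIX 6.3 NAT rule selection written for this thread (it is not Cisco code and not the poster's config tool). It parses the exact access-list, global, nat and static lines posted above and walks them in the PIX order: NAT exemption (nat 0 access-list), policy static (static with access-list), plain static, policy NAT (nat access-list), then regular NAT/PAT. The internet destination 203.0.113.10 is a constructed sample address. If the box's show xlate output disagrees with what this model predicts for 100.5.7.47, that is the symptom to chase rather than the config.

```python
"""Model of PIX 6.3 NAT rule ordering for the translation rules posted above.

Added example for this thread; it is not Cisco's implementation. It shows
which rule a given inside->outside flow is expected to match so observed
xlate behaviour can be compared against the intended configuration.
"""
import ipaddress
from dataclasses import dataclass, field

# The four rule groups posted in the thread, plus a constructed internet
# destination (203.0.113.10, TEST-NET-3) used below to represent "the internet".
POSTED_CONFIG = """
global (outside) 10 192.252.127.254
nat (inside) 10 100.5.7.0 255.255.255.0 0 0
access-list host-to-host1 permit ip host 100.5.7.47 host 100.79.104.187
static (inside,outside) 192.252.127.241 access-list host-to-host1 0 0
access-list host-to-host2 permit ip host 100.5.7.47 host 100.200.251.110
static (inside,outside) 206.112.159.32 access-list host-to-host2 0 0
"""


@dataclass
class NatTable:
    acls: dict = field(default_factory=dict)          # name -> [(action, src_net, dst_net)]
    globals_: dict = field(default_factory=dict)      # nat id -> mapped (PAT) address
    exempt: list = field(default_factory=list)        # (0, acl name) from "nat (inside) 0 access-list"
    policy_static: list = field(default_factory=list) # (mapped address, acl name)
    static: list = field(default_factory=list)        # (mapped address, real /32)
    policy_nat: list = field(default_factory=list)    # (nat id, acl name)
    regular_nat: list = field(default_factory=list)   # (nat id, real network)


def _net(tok, i):
    """Parse 'host A.B.C.D', 'any', or 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse(config_text):
    """Load the subset of PIX 6.3 syntax used in the thread into a NatTable."""
    t = NatTable()
    for line in config_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":           # access-list NAME permit|deny ip SRC DST
            src, i = _net(tok, 4)
            dst, _ = _net(tok, i)
            t.acls.setdefault(tok[1], []).append((tok[2], src, dst))
        elif tok[0] == "global":              # global (outside) ID ADDR
            t.globals_[int(tok[2])] = tok[3]
        elif tok[0] == "nat":                 # nat (inside) ID <access-list NAME | NET MASK> 0 0
            nat_id = int(tok[2])
            if tok[3] == "access-list":
                (t.exempt if nat_id == 0 else t.policy_nat).append((nat_id, tok[4]))
            else:
                t.regular_nat.append((nat_id, ipaddress.ip_network(f"{tok[3]}/{tok[4]}")))
        elif tok[0] == "static":              # static (inside,outside) MAPPED <access-list NAME | REAL>
            if tok[3] == "access-list":
                t.policy_static.append((tok[2], tok[4]))
            else:
                t.static.append((tok[2], ipaddress.ip_network(tok[3] + "/32")))
    return t


def acl_permits(t, name, src, dst):
    """First-match ACL evaluation. A matching 'deny' ends evaluation without a
    match; on a real PIX 6.3 deny entries in policy NAT ACLs are unsupported,
    so this is the plain-ACL reading, not a promise about the box."""
    for action, src_net, dst_net in t.acls.get(name, []):
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def translate(t, src_ip, dst_ip):
    """Return (kind, mapped) for an inside->outside flow using PIX 6.3 rule order."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _, acl in t.exempt:                       # 1. nat 0 access-list (exemption)
        if acl_permits(t, acl, src, dst):
            return ("exempt", None)
    for mapped, acl in t.policy_static:           # 2. static with access-list
        if acl_permits(t, acl, src, dst):
            return ("static", mapped)
    for mapped, real in t.static:                 # 3. plain static
        if src in real:
            return ("static", mapped)
    for nat_id, acl in t.policy_nat:              # 4. nat with access-list
        if acl_permits(t, acl, src, dst):
            return ("pat", t.globals_.get(nat_id))
    for nat_id, real in t.regular_nat:            # 5. regular nat -> matching global
        if src in real:
            return ("pat", t.globals_.get(nat_id))
    return ("none", None)


if __name__ == "__main__":
    table = parse(POSTED_CONFIG)
    for dst in ("100.79.104.187", "100.200.251.110", "203.0.113.10"):
        print("100.5.7.47 ->", dst, "=>", translate(table, "100.5.7.47", dst))
```

Running it shows the intended outcome: the two VPN peers get the policy statics, and any other destination falls through to global 10 (192.252.127.254). That fall-through is exactly what the poster reports the PIX no longer doing after the second policy static was added.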
04-04-2007 04:53 AM
Thanks for the info. I have found a workaround until we can upgrade code.
I created a new policy NAT for this specific host.
access-list host-pat deny ip host 100.5.7.47 host x.x.x.x
access-list host-pat deny ip host 100.5.7.47 host y.y.y.y
access-list host-pat permit ip host 100.5.7.47 0.0.0.0 0.0.0.0
nat (inside) 10 access-list host-pat 0 0
This took care of my problem for the time being. We are scheduling a time to upgrade code.
Thanks for your help.
04-04-2007 06:06 AM
Hi Doug,
Be careful with the workaround, as 'deny' statements are not supported in policy-nat. So, your results may be unpredictable.
But, at least it is working for the time being :-)
David.