PIX Nat/Pat issue

DOUG KIRK
Level 1

I have a global PAT for a client's subnet to access the internet and a static NAT for a specific host-to-host connection across a site-to-site VPN. I recently added another static NAT with an access list, and now the host can't access the internet. The client hits the static access lists, but it never hits the global PAT for the internet. I have a PIX 525 running 6.3.3. Any thoughts as to why this is happening? I can't reproduce this effect in the lab.

Accepted Solution

Ah yes. You bring back good memories, Doug :-)

You are running into bug CSCec63822. It was resolved in 6.3(3.136) and later. There is no workaround other than upgrading.

Sincerely,

David.

PS> Please don't forget to mark the issue resolved if it solves your problem so we can check this issue off the list.

5 Replies

abinjola
Cisco Employee

Can you post the config and the IP address of the client in question?

User 100.5.7.47 hits the static site-to-site access lists but now won't hit the global PAT.

Global PAT for Internet:

global (outside) 10 192.252.127.254
nat (inside) 10 100.5.7.0 255.255.255.0 0 0

Site to Site #1:

access-list host-to-host1 permit ip host 100.5.7.47 host 100.79.104.187
static (inside,outside) 192.252.127.241 access-list host-to-host1 0 0

Site to Site #2:

access-list host-to-host2 permit ip host 100.5.7.47 host 100.200.251.110
static (inside,outside) 206.112.159.32 access-list host-to-host2 0 0


Thanks for the info. I have found a workaround until we can upgrade code.

I created a new policy NAT for this specific host.

access-list host-pat deny ip host 100.5.7.47 host x.x.x.x
access-list host-pat deny ip host 100.5.7.47 host y.y.y.y
access-list host-pat permit ip host 100.5.7.47 0.0.0.0 0.0.0.0
nat (inside) 10 access-list host-pat 0 0

This took care of my problem for the time being. We are scheduling a time to upgrade code.

Thanks for your help.
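The thread turns on the order in which a PIX 6.3 picks a translation for a packet: policy statics (static with an access-list) are consulted before policy NAT (nat with an access-list), which is consulted before the plain nat/global pair. The following is an added example, not code from the original thread or from Cisco: a small Python model of that lookup order, loaded with Doug's posted config and then with his host-pat workaround, so the expected translation for 100.5.7.47 towards each VPN peer and towards an Internet host can be traced. The precedence it implements is my reading of the documented behaviour and is an assumption; the bug David names is precisely the box deviating from it. Two further assumptions are marked in the code: the x.x.x.x / y.y.y.y placeholders in the host-pat list are taken to be the two VPN peer hosts from the config listing, and the model honours a deny ACE by ending evaluation without a match, which David's caveat says a real policy NAT does not.

```python
# Added example, not from the original thread or from Cisco: a model of the
# PIX 6.3 NAT lookup order used to trace translations for 100.5.7.47.
# Assumed precedence: policy static (static + ACL) first, then policy NAT
# (nat + ACL), then plain nat/global. nat 0 exemption is omitted because the
# posted config has none.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry; action is 'permit' or 'deny'."""
    action: str
    src: IPv4Network
    dst: IPv4Network

    def matches(self, s: IPv4Address, d: IPv4Address) -> bool:
        return s in self.src and d in self.dst


def acl_permits(acl: List[Ace], s: IPv4Address, d: IPv4Address) -> bool:
    """First matching ACE wins; implicit deny at the end. Assumption: a
    'deny' ACE ends evaluation without a match. The thread notes PIX 6.3
    policy NAT does not support 'deny', so a real box may differ here."""
    for entry in acl:
        if entry.matches(s, d):
            return entry.action == "permit"
    return False


@dataclass
class StaticRule:   # static (inside,outside) <mapped> access-list <acl>
    mapped: IPv4Address
    acl: List[Ace]


@dataclass
class NatRule:      # nat (inside) <id> <net> <mask>  or  nat (inside) <id> access-list <acl>
    nat_id: int
    real: Optional[IPv4Network] = None
    acl: Optional[List[Ace]] = None


@dataclass
class PixNat:
    pat: Dict[int, IPv4Address]                  # global (outside) <id> <addr>
    statics: List[StaticRule] = field(default_factory=list)
    nats: List[NatRule] = field(default_factory=list)

    def translate(self, src: str, dst: str) -> Tuple[str, str]:
        """Return (kind, mapped address) for an inside->outside packet."""
        s, d = IPv4Address(src), IPv4Address(dst)
        for st in self.statics:                  # 1. policy static NAT
            if acl_permits(st.acl, s, d):
                return "static", str(st.mapped)
        for rule in self.nats:                   # 2. policy NAT
            if rule.acl is not None and acl_permits(rule.acl, s, d):
                return "pat", str(self.pat[rule.nat_id])
        for rule in self.nats:                   # 3. plain nat/global
            if rule.real is not None and s in rule.real:
                return "pat", str(self.pat[rule.nat_id])
        return "none", ""                        # untranslated: the symptom in the thread


def ace(action: str, src: str, dst: str) -> Ace:
    return Ace(action, IPv4Network(src), IPv4Network(dst))   # bare address -> /32


HOST = "100.5.7.47"
PEER1, PEER2 = "100.79.104.187", "100.200.251.110"   # VPN peer hosts from the config listing


def original_config() -> PixNat:
    """Doug's posted config: global/nat 10 plus two policy statics."""
    return PixNat(
        pat={10: IPv4Address("192.252.127.254")},
        statics=[
            StaticRule(IPv4Address("192.252.127.241"), [ace("permit", HOST, PEER1)]),
            StaticRule(IPv4Address("206.112.159.32"), [ace("permit", HOST, PEER2)]),
        ],
        nats=[NatRule(10, real=IPv4Network("100.5.7.0/24"))],
    )


def workaround_config() -> PixNat:
    """Original config plus the host-pat policy NAT. Assumption: the
    x.x.x.x / y.y.y.y placeholders in the post are the two VPN peers."""
    cfg = original_config()
    host_pat = [ace("deny", HOST, PEER1), ace("deny", HOST, PEER2),
                ace("permit", HOST, "0.0.0.0/0")]
    cfg.nats.insert(0, NatRule(10, acl=host_pat))
    return cfg


if __name__ == "__main__":
    internet = "198.51.100.10"   # constructed Internet destination (TEST-NET-2)
    for name, cfg in (("original", original_config()), ("workaround", workaround_config())):
        for dst in (PEER1, PEER2, internet):
            print(f"{name:10} {HOST} -> {dst:16} {cfg.translate(HOST, dst)}")
```

Under this model both configs give the same answers: the VPN peers get their static mapped addresses and everything else for 100.5.7.47 gets the global PAT address, which is what Doug expected and what the 6.3.3 box failed to do. The workaround only changes which rule the Internet traffic matches (policy NAT rather than plain nat 10), so it is a way around the defective path, not a correction of the precedence itself, and it leans on the deny ACEs that David warns are unsupported.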

Hi Doug,

Be careful with the workaround, as 'deny' statements are not supported in policy-nat. So, your results may be unpredictable.

But, at least it is working for the time being :-)

David.
