NAT question

Apr 9th, 2007

I have the following config for a PIX 515E:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 branches security50
global (outside) 2 interface
nat (inside) 0 access-list vpn_outside_1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (branches) 2 10.20.18.0 255.255.255.0 0 0

I tried to ping a public address from network 10.20.18.0 and I see non-NATed packets at the outside interface:


--------- PACKET ---------

-- IP --
10.20.18.3 ==> 1.1.119.28
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x64
id = 0x239 flags = 0x0 frag off=0x0
ttl = 0xfb proto=0x1 chksum = 0x547b

-- ICMP --
type = 0x8 code = 0x0 checksum=0x2f9e
identifier = 0x22 seq = 0x1
-- DATA --
00000010: 00 00 00 00 | ....
00000020: 5c 33 f2 55 ab cd ab cd ab cd ab cd ab cd ab cd | \3.U............
00000030: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000040: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000050: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000060: ab cd ab cd 03 | .....

--------- END OF PACKET ---------


When I do the same from the PIX, it's OK:

--------- PACKET ---------

-- IP --
Public_address_VPNgate ==> 1.1.119.28
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0xa407 flags = 0x0 frag off=0x0
ttl = 0xff proto=0x1 chksum = 0x8629

-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5d8
identifier = 0x1124 seq = 0x2
-- DATA --
00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............
00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................
00000038: 1c 1d 1e 1f 18 | .....

--------- END OF PACKET ---------



Where is the problem?

fzamora (Cisco Employee) Mon, 04/09/2007 - 20:43

Hi,


Did you add the access list in order to permit the incoming ICMP traffic on the outside interface? If you can ping from the PIX that means it has connectivity so one of the first things one needs to check is the ACL. Please add the following:


access-list inbound permit icmp any any


access-group inbound in interface outside


If you already added it, please let me know so we can continue with the troubleshooting.


Hope it helps,


Franco Zamora


rmv72 Mon, 04/09/2007 - 22:29

Hi!

Yes, I have the ACL.

I think the problem is that packets go out of the outside interface with a private source address (which certainly is not routed on the public internet :) ).

It seems they aren't NATed; maybe the problem is here?

fzamora (Cisco Employee) Tue, 04/10/2007 - 06:54

Could you please add your config to the conversation so I can check it out.


Franco

jmia@ohgroup.co.uk (Gold, 750 points or more) Wed, 04/11/2007 - 04:03

Take out...


nat (inside) 1 0.0.0.0 0.0.0.0 0 0


Save with: write mem and also issue: clear xlate

jbeltrame Wed, 04/11/2007 - 09:58

try the following:


global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

clear xlate

rmv72 Wed, 04/11/2007 - 21:40

I've done it. Same problem.

From network 10.20.18.0/24:

debug packet outside dst A.177.119.28 netmask 255.255.255.255

Ping from network 10.20.18.0/24:

-- IP --
10.20.18.3 ==> A.177.119.28
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x64
id = 0x2aa flags = 0x0 frag off=0x0
ttl = 0xfb proto=0x1 chksum = 0x540a

-- ICMP --
type = 0x8 code = 0x0 checksum=0x41e9
identifier = 0x25 seq = 0x8
-- DATA --
00000010: 00 00 00 00 | ....
00000020: 6a 3d d1 f6 ab cd ab cd ab cd ab cd ab cd ab cd | j=..............
00000030: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000040: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000050: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................
00000060: ab cd ab cd 6e | ....n

--------- END OF PACKET ---------


Ping from the PIX:

PIX2# ping A.177.119.28

--------- PACKET ---------

-- IP --
VPNgate (ip address of outside interface) ==> A.177.119.28
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0x642d flags = 0x0 frag off=0x0
ttl = 0xff proto=0x1 chksum = 0xc603

-- ICMP --
type = 0x8 code = 0x0 checksum=0xf5da
identifier = 0x1124 seq = 0x0
-- DATA --
00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............
00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................
00000038: 1c 1d 1e 1f 59 | ....Y

--------- END OF PACKET ---------

But I want to say that packets from network 10.20.18.0/24 come in on interface branches, not inside.
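As an added example (my own code, not from anyone in this thread or from Cisco), a small Python check over the PIX 6.x config and the `debug packet` output quoted above: it lists every `nat (ifc) id` that has no matching `global (egress) id` on a lower-security interface, and flags RFC 1918 source addresses that appear in packets leaving the outside interface. The regexes and the sample strings are constructed by me from the lines posted above.

```python
import ipaddress
import re

# Constructed sample: the NAT configuration quoted in the original question.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 branches security50
global (outside) 2 interface
nat (inside) 0 access-list vpn_outside_1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (branches) 2 10.20.18.0 255.255.255.0 0 0
"""

# Constructed sample: the IP header line from 'debug packet outside' above.
DEBUG_SAMPLE = "-- IP --\n10.20.18.3 ==> 1.1.119.28\nver = 0x4 hlen = 0x5\n"

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(.+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(.+)$")
PKT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) ==> (\S+)$")


def check_nat_globals(config):
    """Return (nat_interface, nat_id, egress_interface) for every nat
    statement whose id has no global on a lower-security interface; on
    PIX 6.x such flows fail with 'no translation group found'."""
    security, globals_, nats = {}, set(), []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := NAMEIF_RE.match(line):
            security[m.group(1)] = int(m.group(2))
        elif m := GLOBAL_RE.match(line):
            globals_.add((m.group(1), int(m.group(2))))
        elif m := NAT_RE.match(line):
            if int(m.group(2)) != 0:  # nat 0 (identity/exempt) needs no global
                nats.append((m.group(1), int(m.group(2))))
    missing = []
    for ifc, nat_id in nats:
        for egress, sec in security.items():
            if sec < security.get(ifc, 0) and (egress, nat_id) not in globals_:
                missing.append((ifc, nat_id, egress))
    return missing


def untranslated_sources(debug_output):
    """From 'debug packet outside' output, return source addresses that are
    still RFC 1918 private, i.e. left the outside interface without NAT."""
    return [m.group(1) for line in debug_output.splitlines()
            if (m := PKT_RE.match(line.strip()))
            and ipaddress.ip_address(m.group(1)).is_private]
```

Run against the posted config it reports that `nat (inside) 1` has no global 1 on either `outside` or `branches`, which is what jbeltrame's `global (outside) 1 interface` suggestion addresses, while `nat (branches) 2` is already paired with `global (outside) 2`.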
