nat issues

Can someone explain to me what's happening here? When I set up a static nat on my machine on the firewall I'm not able to get out to the internet, if I remove that nat and go over the global pat then everything works fine:

static (inside,outside) netmask

FW# sh xlate | i 2.39

Global Local

Apr 13 2007 10:04:44: %PIX-6-302020: Built ICMP connection for faddr gaddr laddr

The internet router has these lines:

ip nat inside source list 1 pool public

access-list 1 permit

JORGE RODRIGUEZ Fri, 04/13/2007 - 09:24

Hi, what are you trying to accomplish? Do you want to have public inbound connections to connect to your local machine?

It seems you are applying the static NAT for the outside interface using a private IP block 172.18.x.x instead of a public IP address.


static (inside,outside) publicIP localIP netmask 0 0

then your access list to permit inbound connections.

For outbound internet your static NAT which is your public IP should get you internet outbound connections.

yea the firewall is natting to another private block which is our dmz...the router then nats it to a public ip with ip nat inside source list 1 pool public.

List 1 includes both the static nat I created on the firewall and the pat.

really the only reason I want to do this is to tftp configs from the dmz equipment to my machine. I got it working using a policy nat but I'm just wondering why the static nat I set up earlier wasn't working properly.

tcscadmin Mon, 04/16/2007 - 08:14

Let's see if I understand the topology here. You have an "internet router." That NATs a pool of addresses to one host. That router connects to your PIX. This PIX is generally configured for PAT on the outside interface of

When you add the static command, connectivity to the Internet from should work.

But any other host inside that PIX going out to the WWW will not. Always remember that a static command trumps a dynamic in ASA world. It trumps any NAT rules in any ID number. It also trumps NAT 0 rules IIRC.

So what you need to do is do a Static PAT not Static NAT.

This is how it would look if were a Web server.

static (inside,outside) tcp 80 80. Just pick one port though per Static PAT entry.

Use this in conjunction with your existing dynamic PAT rules. is the topology:

insidenet - pix - dmz - router - internet

But...I do have a pat already...

global (outside) 1

nat (inside) 1

Everything works fine...however, when I add this line:

static (inside,outside) netmask

All the other IPs still work obviously...but from I can't access the internet anymore. The router translates both and to our public internet IP, and I verified that it has the right translations.

I did a ping test and I see the pings coming back in the logs:

Apr 13 2007 10:04:44: %PIX-6-302020: Built ICMP connection for faddr gaddr laddr

I noticed the port numbers are all 0's...when I do a ping test going over the pat it's right:

Apr 16 2007 11:48:35: %PIX-6-302020: Built ICMP connection for faddr 64.233.167.99/0 gaddr laddr

Based on the setup and the nat pool on the router the nat should still work...
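The checks the thread walks through by hand (which PIX rule produced the translated address for a host, whether the Internet router's NAT ACL permits that translated address, and the all-zero "/0" fields the poster noticed) can be scripted over the firewall's syslog. The following is an added example, not code from the thread or from Cisco; it parses `%PIX-6-302020` lines in the shape shown above and runs those three checks. All addresses in it are constructed placeholders (a 10.x inside host, two 172.18.x.x DMZ-side globals, an RFC 5737 remote address), not the real ones from the post, and the static/PAT mappings are assumptions passed in by the caller.

```python
"""Parse PIX %PIX-6-302020 ICMP connection lines and sanity-check the xlates.

Added example for this thread. Sample data below is constructed; it is not the
original poster's log or addresses.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Line shape as it appears in the thread: faddr/gaddr/laddr each followed by
# a "/n" field (the value the poster refers to as the port number).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-6-302020: "
    r"Built ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)$"
)

# Constructed sample: first line modelled on the static-NAT case (all /0),
# second on the dynamic-PAT case, plus one unrelated line the parser must skip.
SAMPLE_LOG = """\
Apr 13 2007 10:04:44: %PIX-6-302020: Built ICMP connection for faddr 198.51.100.10/0 gaddr 172.18.2.39/0 laddr 10.1.1.100/0
Apr 13 2007 10:04:50: %PIX-6-106023: Deny tcp src outside:198.51.100.10/4444 dst inside:10.1.1.100/23
Apr 16 2007 11:48:35: %PIX-6-302020: Built ICMP connection for faddr 198.51.100.10/0 gaddr 172.18.2.100/512 laddr 10.1.1.100/512
"""


@dataclass(frozen=True)
class IcmpConn:
    timestamp: str
    faddr: str
    fport: int
    gaddr: str
    gport: int
    laddr: str
    lport: int


def parse_302020(line: str) -> Optional[IcmpConn]:
    """Return an IcmpConn for a 302020 ICMP line, None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IcmpConn(
        timestamp=m["ts"],
        faddr=m["faddr"], fport=int(m["fport"]),
        gaddr=m["gaddr"], gport=int(m["gport"]),
        laddr=m["laddr"], lport=int(m["lport"]),
    )


def parse_log(text: str) -> list[IcmpConn]:
    """Parse every 302020 ICMP line in a syslog excerpt, skipping the rest."""
    return [c for c in (parse_302020(ln) for ln in text.splitlines()) if c]


def classify_xlate(conn: IcmpConn, statics: dict[str, str], pat_globals: set[str]) -> str:
    """Name the PIX rule that should have produced gaddr for this laddr.

    Models the precedence described in the thread: a static for a host wins over
    the dynamic nat/global pair, so when a static exists for laddr the global
    address must be the static's; seeing the PAT address instead is a mismatch.
    """
    if conn.laddr in statics:
        return "static" if conn.gaddr == statics[conn.laddr] else "static-mismatch"
    if conn.gaddr in pat_globals:
        return "pat"
    return "unexpected"


def check_conn(conn: IcmpConn, statics: dict[str, str], pat_globals: set[str],
               router_acl: set[str]) -> list[str]:
    """Findings for one entry: rule used, router ACL coverage, all-zero fields."""
    findings = [f"xlate via {classify_xlate(conn, statics, pat_globals)}"]
    # The Internet router only NATs sources its access-list permits; a gaddr
    # missing from it would never reach the public pool.
    if conn.gaddr not in router_acl:
        findings.append(f"gaddr {conn.gaddr} not permitted by router NAT ACL")
    # The symptom the poster saw with the static in place.
    if conn.fport == 0 and conn.gport == 0 and conn.lport == 0:
        findings.append("all /n fields are 0")
    return findings


if __name__ == "__main__":
    statics = {"10.1.1.100": "172.18.2.39"}      # assumed static (inside,outside)
    pat_globals = {"172.18.2.100"}               # assumed global (outside) 1 address
    router_acl = {"172.18.2.39", "172.18.2.100"} # assumed access-list 1 entries
    for c in parse_log(SAMPLE_LOG):
        print(c.timestamp, c.laddr, "->", c.gaddr, check_conn(c, statics, pat_globals, router_acl))
```

Feeding the second sample line to `check_conn` with the static still configured reports `static-mismatch`, which is exactly the state tcscadmin warns about: once the static exists, the host should never show up behind the PAT address. Dropping the static's global address from `router_acl` reproduces the "add it to this ACL" finding from later in the thread.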

tcscadmin Mon, 04/16/2007 - 09:49

What logical network is configured in the DMZ network? Where does connect physically?

tcscadmin Mon, 04/16/2007 - 09:55

Is the outside interface of the PIX?

If so, your problem is the Internet router thinks is directly connected to itself in the DMZ. It works in the firewall's case because the firewall broadcasts the ARP reply for .39 but not for .100.

tcscadmin Mon, 04/16/2007 - 10:09

ip nat inside source list 1 pool public

access-list 1 permit

access-list 1 permit

It was staring me in the face. Add to this ACL on the Internet Router.

Yea it's already there...I didn't add it to the original post because it's already working, probably should have to be more clear. :)

But yea it's there, and and I verified that both get translated to the public IP with sh ip nat trans.

The weird thing is when I add the static nat to the firewall (and lose internet access)...I can do a tcpdump on a spanned port and I see the icmp traffic coming back to my machine...but my machine shows it as timing out. I guess I should try to capture those packets on my machine to see what I'm getting. But I'm not sure why I'm getting those /0's in the firewall logs.
